Hi Michael,

Thank you so much for chiming in!

> My guess is that something is in the way, and it's probably trying to
> attack you (or your ISP) with fake replies, but it's doing a bad job.
>
> When I do:
>     dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
>
> I get:
>  "9.21.2-1+0~20241120.131+debian12~1.gbpa6576d-Debian"

Spot on! Here's what I get:

# dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
"9.16.23-RH"
198.51.45.72

Free.fr is my ISP, but "9.16.23-RH" looks suspiciously like the BIND version I'm running on RHEL 9:

# rndc status|grep version
version: BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>

> If you get something different, then that would be consistent with something
> else intercepting your traffic.

Could my DNS servers be doing this to themselves?

> :-(
> But that does suggest that something else is in the way.
> Did you forward with Do53, or did you use DoT/DoH?
> {No idea if bind can forward over DoH, I never tried}

   > - I tried to turn off dnssec completely but that barely made a difference:

   > dnssec-enable no;
   > dnssec-validation no;

> Won't matter, since github doesn't do DNSSEC, so the NXDOMAINs can't be
> validated (or rejected as invalid)

   > The only way to get back to a working state is to add back some forwarders.

   > Any ideas? Am I doing anything wrong? I'm attaching a sanitized copy of my
   > named.conf in case someone could spot something:

> I think you did everything right.
> I think talking to your upstream ISP is in order.

Thank you!

Vincent
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
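The interception test discussed above (ask a known authoritative server for the CHAOS-class version.bind TXT record and see whether your own resolver's build string comes back) can be scripted so the comparison is mechanical. The POSIX shell script below is an added example and is not code from the thread or from ISC. It reuses dns4.p08.nsone.net, the two version strings and the rndc status line quoted in the thread; the dig and rndc output used for the offline checks is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: compare the version.bind
# answer obtained from an authoritative server with the local named version.
#
# Caveat on the command as typed in the thread:
#     dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
# There is no "@" in front of the server name. dig therefore sends
# version.bind TXT CH to the resolver listed in /etc/resolv.conf and treats
# dns4.p08.nsone.net as a SECOND query name (type A, class IN), whose
# address is printed as a further line. live_check below uses "@".

# Take the first double-quoted string from `dig +short` output (the TXT
# rdata) and drop anything else dig printed after it.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^"\(.*\)"$/\1/p' | head -n 1
}

# Pull the bare version out of the `rndc status` line, e.g.
#   version: BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
# becomes 9.16.23-RH
local_version() {
    printf '%s\n' "$1" | sed -n 's/^version: BIND \([^ ]*\).*/\1/p'
}

# Succeeds (exit 0) only when the remote answer is non-empty and identical
# to the local named version: the "something in the path answered on behalf
# of the authoritative server" signal. An empty answer is NOT treated as a
# hit, because many authoritative servers hide or rewrite version.bind.
looks_intercepted() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check: needs network access and rights to run rndc. Not exercised
# offline. Usage: sh check.sh --live [server]
live_check() {
    server=${1:-dns4.p08.nsone.net}
    remote=$(extract_version "$(dig +short +nsid "@$server" version.bind. txt ch)")
    mine=$(local_version "$(rndc status | grep '^version:')")
    if looks_intercepted "$remote" "$mine"; then
        echo "SUSPECT: $server answered with your own version ($remote)"
        return 1
    fi
    echo "OK: $server reports '${remote:-<no answer>}', local named is '$mine'"
}

case "${1:-}" in
    --live) live_check "${2:-}" ;;
esac
```

Run with `--live` only from the resolver host itself, so that `rndc status` describes the same named whose forwarding behaviour is in question. Because the thread's dig invocations lacked `@`, both outputs quoted above are consistent with each poster's own resolver answering version.bind, with the trailing IP address being the A record for dns4.p08.nsone.net rather than anything returned by NS1; repeating the test with `@dns4.p08.nsone.net` is what actually distinguishes an interceptor from a self-answer.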
