Hello,
I have a Debian machine on my home network performing several functions. Two of
those are a DNS server for my home network and a VPN server to the company
network.
To facilitate my use of the VPN to the company network I am also forwarding all
DNS requests for the company domain to the internal DNS servers.
A few months ago we had a change in our external dns provider and they enabled
secure dns.
After that I had some (security?) problems getting bind to forward to my internal
DNS servers. My guess was that somehow it would see the security for the domain
at the .nl level and it would be different from the internal response at the
tio.nl domain. My resolution at that time was simply to rely exclusively on the
company dns servers and just use the internal ip number for the few devices I
needed to access at home.
However, strangely enough when I went back a while later to test what was the
real problem I could not reproduce it and I could once again resolve the normal
dns requests against the internet dns servers and also forward the requests for
the company servers to the company dns servers.
Today I did an upgrade from Buster to Bullseye and the problem is back. :-( Can
someone help me analyze the errors and point to a way to find out what is
really wrong?
We use different DNS servers and a different zonefile for the external DNS
environment from what we use internally. Company DNS is Windows Server 2016, in
case that is relevant.
Earlier in the day I had syslog lines like:
-----<Quote>----------------------
Apr 28 03:18:14 linbobo named[546]: DNS format error from 13.107.206.240#53
resolving outlook.ha.office365.com/TYPE65 for client 172.16.17.83#61019: Name
trafficmanager.net (SOA) not subdomain of zone ha.office365.com -- invalid
response
Apr 28 03:18:15 linbobo named[546]: FORMERR resolving
'outlook.ha.office365.com/TYPE65/IN': 13.107.206.240#53
-----<End Quote>----------------------
Which seems to be an error at Microsoft.
And regarding my connection to the company dns:
-----<Quote>----------------------
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.128.40#53
resolving staf.tio.nl/AAAA for client 172.16.17.11#65033: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'staf.tio.nl/AAAA/IN':
172.16.128.40#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.208.10#53
resolving staf.tio.nl/AAAA for client 172.16.17.11#65033: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'staf.tio.nl/AAAA/IN':
172.16.208.10#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.128.40#53
resolving om1stafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53605: Name
tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving
'om1stafdc-04.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.208.10#53
resolving om1stafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53605: Name
tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving
'om1stafdc-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 12:07:54 linbobo named[546]: DNS format error from 172.16.128.40#53
resolving hglstafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53673: Name
tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:54 linbobo named[546]: FORMERR resolving
'hglstafdc-04.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:07:54 linbobo named[546]: DNS format error from 172.16.208.10#53
resolving hglstafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53673: Name
tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:54 linbobo named[546]: FORMERR resolving
'hglstafdc-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 12:08:06 linbobo named[546]: DNS format error from 172.16.128.40#53
resolving vijl.staf.tio.nl/AAAA for client 172.16.17.11#52409: Name tio.nl
(SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:08:06 linbobo named[546]: FORMERR resolving
'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:08:06 linbobo named[546]: DNS format error from 172.16.208.10#53
resolving vijl.staf.tio.nl/AAAA for client 172.16.17.11#52409: Name tio.nl
(SOA) not subdomain of zone staf.tio.nl -- invalid response
-----<End Quote>----------------------
I would like to know which error the Windows DNS servers provide and what I
need to do to get rid of these errors. However, in the end I DID get my
response, it seems, as my PC was able to connect to the servers via the DNS name.
After the upgrade I have syslog lines like:
-----<Quote>----------------------
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving
'AMSSTAFDC-05.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.208.10#53
resolving EINSTAFDC-04.staf.tio.nl/AAAA for 172.16.17.11#50761: Name tio.nl
(SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving
'EINSTAFDC-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.128.40#53
resolving vijl.staf.tio.nl/AAAA for 172.16.17.11#58764: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving
'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 16:25:09 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache
hit (staf.tio.nl/DS)
Apr 28 16:25:09 linbobo named[574]: broken trust chain resolving
'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.208.10#53
resolving vijl.staf.tio.nl/AAAA for 172.16.17.11#58764: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving
'vijl.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'staf.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'student.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'_udp.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'staf.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'student.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving
'lb._dns-sd._udp.student.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving
'lb._dns-sd._udp.staf.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving
'_udp.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving
'lb._dns-sd._udp.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]: DNS format error from 172.16.128.40#53
resolving staf.tio.nl/AAAA for 172.16.17.11#56314: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:27:14 linbobo named[574]: FORMERR resolving 'staf.tio.nl/AAAA/IN':
172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:27:14 linbobo named[574]: no valid RRSIG resolving
'staf.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]: DNS format error from 172.16.208.10#53
resolving staf.tio.nl/AAAA for 172.16.17.11#56314: Name tio.nl (SOA) not
subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:27:14 linbobo named[574]: FORMERR resolving 'staf.tio.nl/AAAA/IN':
172.16.208.10#53
Apr 28 16:27:14 linbobo named[574]: validating tio.nl/SOA: got insecure
response; parent indicates it should be secure
Apr 28 16:27:14 linbobo named[574]: no valid RRSIG resolving
'staf.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:27:14 linbobo named[574]: broken trust chain resolving
'staf.tio.nl/A/IN': 172.16.128.40#53
-----<End Quote>----------------------
For everything regarding *.tio.nl I use a forward in named.conf.local like:
-----<Quote>----------------------
zone "tio.nl" IN {
type forward;
forward only;
forwarders {172.16.128.40; 172.16.208.10;};
};
-----<End Quote>----------------------
And similar lines for each possible subdomain like staf.tio.nl.
Can anyone tell me what I need to fix in order for this split dns to work
correctly for me at home?
I may be totally wrong but, as the first problems started when we switched to
dnssec on the external dns environment, it feels like that is related to the
validation lines I see.
Is there a solution?
Bonno Bloksma
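The log excerpts above show two separate things BIND is complaining about: DNSSEC validation of tio.nl (the .nl parent publishes a DS, the internal servers return unsigned data) and FORMERR on NODATA answers whose authority SOA (tio.nl) lies above the forward zone they were routed through (staf.tio.nl). The fragment below is an added illustration of a named.conf.local that addresses both, not the poster's file or anything from the thread; it assumes BIND 9.16 as shipped with Bullseye, where `dnssec-validation auto` is the default, and reuses only the two forwarder addresses from the post.

```conf
// Added illustration, not the poster's configuration.
// Assumes BIND 9.16 (Bullseye), whose default is "dnssec-validation auto".
options {
    // Keep validating answers from the public Internet ...
    dnssec-validation auto;
    // ... but carve out tio.nl as a negative trust anchor. The public .nl
    // parent carries a DS for tio.nl while the internal Windows servers hand
    // out an unsigned copy of the zone; that mismatch is what named logs as
    // "got insecure response; parent indicates it should be secure" and
    // "broken trust chain". Everything at and below tio.nl is left
    // unvalidated; every other name is still validated as before.
    validate-except { "tio.nl"; };
};

// A single forward zone at the apex is likely enough: the internal servers
// answer for staf.tio.nl and the other subdomains themselves. Separate
// per-subdomain forward zones make named treat staf.tio.nl as a zone of its
// own, so a NODATA answer (for example for AAAA) carrying the tio.nl SOA in
// the authority section is rejected with
// "Name tio.nl (SOA) not subdomain of zone staf.tio.nl".
zone "tio.nl" IN {
    type forward;
    forward only;
    forwarders { 172.16.128.40; 172.16.208.10; };
};
```

After `named-checkconf` and `rndc reconfig`, `dig @127.0.0.1 staf.tio.nl A` should return NOERROR (without the AD flag, since the name is no longer validated) and the "broken trust chain" and "not subdomain of zone" lines should stop appearing for tio.nl names.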