Hi, Lots of info and log quotes. I hope you can find the "normal" text.
>> We use a different dns server(s) and zonefile for the external dns
>> environment from what we use internally. Company dns is Windows server 2016
>> in case that is relevant.
>
> It's better to use dig (package bind9-dnsutils) to first eliminate problems
> on other DNS. Give us:
>
> dig @13.107.206.240 trafficmanager.net SOA
> dig @13.107.206.240 outlook.ha.office365.com IN
> dig @172.16.128.40 vijl.staf.tio.nl AAAA
> dig @172.16.128.10 vijl.staf.tio.nl AAAA

Yes I also have dig.
About your 4 dig statements. Like I wrote the problem with office365 is not MY problem, that is a Microsoft problem. And even though I have a working ipv6 environment at home I do not have a working ipv6 VPN tunnel to work, nor do we use ipv6 there internally.
So here are the ipv4 results. As you can see there is a working dns server at those 2 ip numbers.

------<Quote>------------------------
linbobo:/etc/bind# dig @172.16.128.40 vijl.staf.tio.nl A

; <<>> DiG 9.16.37-Debian <<>> @172.16.128.40 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A

;; ANSWER SECTION:
vijl.staf.tio.nl. 1200 IN A 172.16.72.97

;; Query time: 8 msec
;; SERVER: 172.16.128.40#53(172.16.128.40)
;; WHEN: Tue May 02 11:20:52 CEST 2023
;; MSG SIZE rcvd: 61

linbobo:/etc/bind# dig @172.16.208.10 vijl.staf.tio.nl A

; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 vijl.staf.tio.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12968
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A

;; ANSWER SECTION:
vijl.staf.tio.nl. 1200 IN A 172.16.72.97

;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:21:04 CEST 2023
;; MSG SIZE rcvd: 61
------<Quote>------------------------

But if I query my own bind server...

------<Quote>------------------------
linbobo:~# dig vijl.staf.tio.nl

; <<>> DiG 9.16.37-Debian <<>> vijl.staf.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 63ecb9edc2f5036e010000006450d2a73c1c133db0bfc629 (good)
;; QUESTION SECTION:
;vijl.staf.tio.nl. IN A

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:06:47 CEST 2023
;; MSG SIZE rcvd: 73

And from /var/log/syslog
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.208.10#53
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:35 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/A/IN': 172.16.128.40#53
May 2 11:06:35 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl.student.tio.nl/AAAA/IN': 172.16.128.40#53
May 2 11:06:47 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache hit (staf.tio.nl/DS)
May 2 11:06:47 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
------<Quote>------------------------

Bind does not give me more info. I query my own dns server/resolver. It forwards any request for a host in staf.tio.nl to one of two servers of which 172.16.208.10 is one and 172.16.128.40 is the other.

>> Apr 28 12:07:53 linbobo named[546]: DNS format error from
>> 172.16.128.40#53 resolving staf.tio.nl/AAAA for client
>> 172.16.17.11#65033: Name tio.nl (SOA) not subdomain of zone
>> staf.tio.nl -- invalid response
>
> I suppose you reboot after your upgrade ?

Yes I do, however by now the machine has been up and running for over 3 days.

> Do you have defined somewhere on linbobo a zone staf.tio.nl ?
> I guess not but do a grep just to be sure.

Yes, like I wrote in my original mail.

> And similar lines for each possible subdomain like staf.tio.nl

linbobo:/etc/bind# cat named.conf.local
-----<Quote>----------------------
[....]
zone "tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};

zone "staf.tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};

zone "student.tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};
[....]
-----<End Quote>----------------------

The problem is not that the company dns servers are not working, it is that it somehow thinks the answers are not valid, not even for the top level domain.

-----<Quote>----------------------
linbobo:/etc/bind# dig @172.16.208.10 tio.nl SOA

; <<>> DiG 9.16.37-Debian <<>> @172.16.208.10 tio.nl SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tio.nl. IN SOA

;; ANSWER SECTION:
tio.nl. 3600 IN SOA eintiodc-04.tio.nl. hostmaster. 700724 900 600 86400 3600

;; ADDITIONAL SECTION:
eintiodc-04.tio.nl. 3600 IN A 172.16.208.10

;; Query time: 16 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:28:55 CEST 2023
;; MSG SIZE rcvd: 109

linbobo:/etc/bind# dig einsccmdp-01.tio.nl

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9441
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7987510150822e69010000006450d6cb9b864512d5302462 (good)
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A

;; Query time: 32 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 02 11:24:27 CEST 2023
;; MSG SIZE rcvd: 76

linbobo:/etc/bind# dig einsccmdp-01.tio.nl @172.16.208.10

; <<>> DiG 9.16.37-Debian <<>> einsccmdp-01.tio.nl @172.16.208.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4796
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;einsccmdp-01.tio.nl. IN A

;; ANSWER SECTION:
einsccmdp-01.tio.nl. 1200 IN A 172.16.212.18

;; Query time: 20 msec
;; SERVER: 172.16.208.10#53(172.16.208.10)
;; WHEN: Tue May 02 11:24:46 CEST 2023
;; MSG SIZE rcvd: 64
-----<Quote>----------------------
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: no valid RRSIG resolving 'einsccmdp-01.tio.nl/DS/IN': 172.16.208.10#53
May 2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
-----<Quote>----------------------

Bonno Bloksma
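
Added example, not part of the message above: a small Python triage of the named log lines quoted in it, separating the format errors from the DNSSEC validation failures and tying each "broken trust chain" name to the zone that named logged as "got insecure response". The category and function names are this example's own; the sample lines are copied from the logs in the message.

```python
import re
from collections import Counter

# Lines copied from the syslog excerpts in the message above.
SAMPLE = """\
May 2 11:06:32 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 127.0.0.1#56241: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
May 2 11:06:32 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:06:32 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
May 2 11:06:32 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
May 2 11:06:47 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache hit (staf.tio.nl/DS)
May 2 11:24:27 linbobo named[574]: validating tio.nl/SOA: got insecure response; parent indicates it should be secure
May 2 11:24:27 linbobo named[574]: broken trust chain resolving 'einsccmdp-01.tio.nl/A/IN': 172.16.128.40#53
"""

# Message patterns, checked in order; the category names are this example's own.
RULES = [
    ("format-error", re.compile(r"DNS format error from |FORMERR resolving ")),
    ("dnssec", re.compile(r"got insecure response|no valid RRSIG|broken trust chain|bad cache hit")),
]
INSECURE = re.compile(r"validating (\S+)/SOA: got insecure response")
BROKEN = re.compile(r"broken trust chain resolving '([^'/]+)/\w+/IN': ([\d.]+)#")

def classify(text):
    """Count named messages per category."""
    counts = Counter()
    for line in text.splitlines():
        msg = line.partition(" named[")[2]
        if msg:
            counts[next((c for c, rx in RULES if rx.search(msg)), "other")] += 1
    return counts

def broken_chains(text):
    """Map each name that failed validation to the closest enclosing zone
    that was answered unsigned, and the forwarders that were asked."""
    zones = set(INSECURE.findall(text))
    result = {}
    for qname, server in BROKEN.findall(text):
        under = [z for z in zones if qname == z or qname.endswith("." + z)]
        entry = result.setdefault(qname, {"zone": max(under, key=len, default=None), "servers": set()})
        entry["servers"].add(server)
    return result

if __name__ == "__main__":
    print(dict(classify(SAMPLE)))
    for name, info in broken_chains(SAMPLE).items():
        print(f"{name}: chain breaks at {info['zone']} via {sorted(info['servers'])}")
```

On these lines every SERVFAIL name maps back to the same zone, tio.nl, which matches the observation in the message that the answers are rejected even for the top-level company domain.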