So this is the moment where this becomes SA OT and your ISP or networking guys/support & Wireshark / hping, etc. should help you out.

On 9/15/18 6:28 PM, Alex wrote:
Hi,

On Sat, Sep 15, 2018 at 5:31 AM Benny Pedersen <m...@junc.eu> wrote:

Pedro David Marco skrev den 2018-09-15 09:46:
Sorry, typo issue.. I meant 512 bytes

and with EDNS0 it's up to 4096

but not all dns servers support it

one could force tcp if wanted

or drop buggy rbl zones

Thank you all so much for your help. The only thing between this
system and the Internet is the Optonline modem/router. I've even gone
without any local firewall rules to eliminate that possibility.

Just last night I implemented htb shaping to limit the outgoing SMTP
traffic rate to be sure it's not consuming the entire pipe, preventing
UDP traffic from being received. I don't think that's the problem,
though, as it happens during all times of the day.

zone "hostkarma.junkemailfilter.com" { type forward; forward first;
forwarders {}; };

I'm not sure this would help, as our nameservers aren't set up for
forwarding at all.

Can you place a sniffer on LAN and WAN interfaces of your Firewall?

I've done this, and even posted packets for people to look at on the
bind-users list, and it was inconclusive. The packet involving the
"SERVFAIL" error doesn't provide any info as to why it failed. It
appears there was just never a response to the packet and the query
timed out.

Just in case of unexpected throttling by someone/something in the middle... 
have you tried with a VPN (only for DNS traffic)?

I'll try that to see if somehow Optonline/Cablevision/Altice is
dropping my packets. However, it does also happen to our DIA ethernet
circuit, so I'm not hopeful.

Here's the packet trace of one of the failed packets, in case someone
has some ideas or was curious.

No.     Time           Source                Destination           Protocol Length Info
   9083 11.730327      127.0.0.1             127.0.0.1             DNS      104    Standard query response 0xded6 Server failure A 25.188.223.216.wl.mailspike.net OPT

Frame 9083: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
     Encapsulation type: Linux cooked-mode capture (25)
     Arrival Time: Sep 13, 2018 15:46:36.633305000 EDT
     [Time shift for this packet: 0.000000000 seconds]
     Epoch Time: 1536867996.633305000 seconds
     [Time delta from previous captured frame: 0.000969000 seconds]
     [Time delta from previous displayed frame: 0.006367000 seconds]
     [Time since reference or first frame: 11.730327000 seconds]
     Frame Number: 9083
     Frame Length: 104 bytes (832 bits)
     Capture Length: 104 bytes (832 bits)
     [Frame is marked: False]
     [Frame is ignored: False]
     [Protocols in frame: sll:ethertype:ip:udp:dns]
     [Coloring Rule Name: UDP]
     [Coloring Rule String: udp]
Linux cooked capture
     Packet type: Unicast to us (0)
     Link-layer address type: 772
     Link-layer address length: 6
     Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
     Unused: 6fc0
     Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
     0100 .... = Version: 4
     .... 0101 = Header Length: 20 bytes (5)
     Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
         0000 00.. = Differentiated Services Codepoint: Default (0)
         .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
     Total Length: 88
     Identification: 0x2dff (11775)
     Flags: 0x0000
         0... .... .... .... = Reserved bit: Not set
         .0.. .... .... .... = Don't fragment: Not set
         ..0. .... .... .... = More fragments: Not set
         ...0 0000 0000 0000 = Fragment offset: 0
     Time to live: 64
     Protocol: UDP (17)
     Header checksum: 0x4e94 [validation disabled]
     [Header checksum status: Unverified]
     Source: 127.0.0.1
     Destination: 127.0.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 12304
     Source Port: 53
     Destination Port: 12304
     Length: 68
     Checksum: 0xfe57 [unverified]
     [Checksum Status: Unverified]
     [Stream index: 320]
Domain Name System (response)
     Transaction ID: 0xded6
     Flags: 0x8182 Standard query response, Server failure
         1... .... .... .... = Response: Message is a response
         .000 0... .... .... = Opcode: Standard query (0)
         .... .0.. .... .... = Authoritative: Server is not an authority for domain
         .... ..0. .... .... = Truncated: Message is not truncated
         .... ...1 .... .... = Recursion desired: Do query recursively
         .... .... 1... .... = Recursion available: Server can do recursive queries
         .... .... .0.. .... = Z: reserved (0)
         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
         .... .... ...0 .... = Non-authenticated data: Unacceptable
         .... .... .... 0010 = Reply code: Server failure (2)
     Questions: 1
     Answer RRs: 0
     Authority RRs: 0
     Additional RRs: 1
     Queries
         25.188.223.216.wl.mailspike.net: type A, class IN
             Name: 25.188.223.216.wl.mailspike.net
             [Name Length: 31]
             [Label Count: 7]
             Type: A (Host Address) (1)
             Class: IN (0x0001)
     Additional records
         <Root>: type OPT
             Name: <Root>
             Type: OPT (41)
             UDP payload size: 4096
             Higher bits in extended RCODE: 0x00
             EDNS0 version: 0
             Z: 0x0000
                 0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                 .000 0000 0000 0000 = Reserved: 0x0000
             Data length: 0
     [Unsolicited: True]
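As an added illustration, not code from anyone in this thread: a small Python parser that decodes the header flags and the EDNS0 OPT pseudo-record of a DNS response, run over a byte string constructed to mirror the SERVFAIL packet above (same transaction ID, flags 0x8182, question, and an OPT payload size of 4096; it reproduces the 60-byte DNS payload that the 68-byte UDP length implies). It also handles name-compression pointers, which the trace's response does not use, so it works on ordinary answers as well.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_name(name):
    """Encode a dotted name as DNS wire-format length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def parse_name(msg, off):
    """Decode a wire-format name at off (compression pointers handled); return (name, next_off)."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                      # pointer to an earlier occurrence of the name
            if not jumped:
                end = off + 2                       # the pointer is the last two bytes of this name
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels), (end if jumped else off)

def parse_dns_response(msg):
    """Return header flags, questions and EDNS0 details of one DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, edns = 12, [], {}
    for _ in range(qd):
        qname, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an + ns + ar):                   # walk every RR; OPT lives in the additional section
        _, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 41:                             # OPT: CLASS = advertised UDP payload size,
            edns = {"udp_payload": rclass,          # TTL = ext-rcode | version | DO | Z
                    "version": (ttl >> 16) & 0xFF, "dnssec_ok": bool(ttl & 0x8000)}
        off += rdlen
    rcode = flags & 0x000F
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": rcode,
            "rcode_name": RCODES.get(rcode, str(rcode)),
            "questions": questions, "edns": edns}

# Constructed to mirror the trace above: ID 0xded6, flags 0x8182 (response, RD, RA,
# SERVFAIL), one A question, no answers, one OPT record advertising 4096 bytes.
SAMPLE = (struct.pack("!6H", 0xDED6, 0x8182, 1, 0, 0, 1)
          + build_name("25.188.223.216.wl.mailspike.net") + struct.pack("!HH", 1, 1)
          + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

Reading the rcode and TC bit this way separates a real SERVFAIL returned by the resolver from a query that simply never got an answer, and the OPT payload size is the value to compare against the 512/4096 figures discussed above.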
