Unable to parse mx record for epd.gov.hk


ming lei

Nov 15, 2019, 1:42:53 AM
to public-dns-discuss


Unable to use 8.8.8.8 to parse the MX record for epd.gov.hk


The test results are as follows:

$ dig mx epd.gov.hk @8.8.8.8 +cd

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> mx epd.gov.hk @8.8.8.8 +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26719
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;epd.gov.hk. IN MX

;; Query time: 2188 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 15 11:29:46 HKT 2019
;; MSG SIZE  rcvd: 39

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> mx epd.gov.hk @4.2.2.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63117
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;epd.gov.hk. IN MX

;; ANSWER SECTION:

;; Query time: 140 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Fri Nov 15 11:31:41 HKT 2019
;; MSG SIZE  rcvd: 210

Wesley Peng

Nov 15, 2019, 9:56:06 AM
to public-dn...@googlegroups.com


ming lei wrote:
> Unable to use 8.8.8.8 to parse the MX record for epd.gov.hk
>
>
> The test results are as follows:
>
> $ dig mx epd.gov.hk @8.8.8.8 +cd


Both ns1.hk.net and ns2.hk.net are in the same subnet; that's not good.
Maybe Google's public NS has network connection issues to your auth-DNS
servers.

Regards.

Alex Dupuy

Nov 15, 2019, 6:10:35 PM
to public-dns-discuss
The issue with the MX queries for epd.gov.hk. is that the responses with DNSSEC enabled are quite large, and with the default EDNS0 4096 buffer size that Google Public DNS is currently using, the responses from ns1.hk.net and ns2.hk.net are fragmented and the Google Public DNS resolvers never receive them.

$ dig +tcp +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; Query time: 191 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:21:43 EST 2019
;; MSG SIZE  rcvd: 2418
$ dig +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns1.hk.net
;; connection timed out; no servers could be reached

As part of DNS Flag Day 2020, recursive resolvers can reduce problems due to blocked UDP DNS fragments by restricting the EDNS0 buffer size to 1232, and authoritative servers can help too, by limiting their response sizes to 1232 even if the client has asked for a larger response.

$ dig +bufsize=1232 +dnssec +nocrypto +noall +stats mx epd.gov.hk @ns2.hk.net
;; Query time: 202 msec
;; SERVER: 152.101.179.98#53(152.101.179.98)
;; WHEN: Fri Nov 15 17:24:19 EST 2019
;; MSG SIZE  rcvd: 1076

While there is currently no configuration for Google Public DNS that would allow us to force all queries to these two name servers to use a smaller EDNS0 buffer size, we could mitigate the problem by switching to using TCP for all queries.

Alternately, and more efficiently, it may be possible to configure these two name servers to limit their responses to 1232 bytes (this can usually be done by just omitting optional records from the Additional section).

https://dnsflagday.net/2020/#how-to-test has instructions for some popular open source DNS authoritative name servers (listed below), and if the operators of the ns[12].hk.net name servers can apply one of these, it would solve the problem.

BIND
options {
  max-udp-size 1232;
};

Knot DNS
server:
  max-udp-payload: 1232

PowerDNS Authoritative
udp-truncation-threshold=1232

NSD
server:
  ipv4-edns-size: 1232
  ipv6-edns-size: 1232


jun li

Nov 18, 2019, 9:04:03 AM
to public-dns-discuss
After I modified it to 1232 bytes, the MX record result can be resolved normally, but other records (A, CNAME...) have problems in parsing, and sometimes A record queries will be returned SOA records.


; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> mail2.epd.gov.hk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43528
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:

;; AUTHORITY SECTION:
epd.gov.hk. 91 IN SOA ns1.hk.net. hostmaster.citictel-cpc.com. 2019111802 10800 3600 604800 600

;; Query time: 98 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 18 15:03:16 CST 2019
;; MSG SIZE  rcvd: 118


; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> mail2.epd.gov.hk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 654
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:

;; ANSWER SECTION:
mail2.epd.gov.hk. 600 IN A 202.73.1.100

;; Query time: 566 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Nov 18 15:08:03 CST 2019
;; MSG SIZE  rcvd: 61
On Saturday, November 16, 2019 at 7:10:35 AM UTC+8, Alex Dupuy wrote:

Alex Dupuy

Nov 18, 2019, 9:17:41 AM
to public-dns-discuss
I suspect the problems you were having with these queries were related to your turn-up of two additional name servers. I see you also added an IPv6 address for one of your existing name servers; these are both very good things. https://dnsviz.net/d/epd.gov.hk/dnssec/ is still showing a problem with the new servers not having the (old?) DNSKEY, but I am able to resolve both the www.epd.gov.hk A record with CNAME chain and the MX IP addresses for mail2.epd.gov.hk now.