
SERVFAIL on IPv6 tunnelbroker network


Patrik

Jul 25, 2018, 1:53:15 AM
to bind-...@lists.isc.org
Hello!

How are you?
I started having a problem with BIND9. Something must have changed, because I started getting SERVFAIL a lot.
Looks like this:
25-Jul-2018 07:44:09.647 client @0x7fa268223c10 192.168.78.30#56577 (aax-eu.amazon-adsystem.com): view internal-enp1s0f3: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.647 client @0x7fa2380e1ea0 192.168.81.30#41771 (aax-eu.amazon-adsystem.com): view internal-enp1s0f2: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.647 client @0x7fa2440c7ef0 2001:470:1f1b:5b3::b4a#41516 (aax-eu.amazon-adsystem.com): view internal-enp1s0f3: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.647 client @0x7fa2380e1ea0 192.168.81.30#41771 (aax-eu.amazon-adsystem.com): view internal-enp1s0f2: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.648 client @0x7fa2440c7ef0 2001:470:1f1b:5b3::b4a#41516 (aax-eu.amazon-adsystem.com): view internal-enp1s0f3: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.648 client @0x7fa2340836e0 2001:470:1f1b:5b5::b4a#50353 (aax-eu.amazon-adsystem.com): view internal-enp1s0f2: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.648 client @0x7fa2440c7ef0 2001:470:1f1b:5b5::b4a#50353 (aax-eu.amazon-adsystem.com): view internal-enp1s0f2: query failed (SERVFAIL) for aax-eu.amazon-adsystem.com/IN/AAAA at ../../../bin/named/query.c:6885

To me, it looks like the requests try the AAAA IPv6 addresses, but they are not in IPv6, and because of that it gives a SERVFAIL.
Is there a way to give a priority to the BIND9 request before the IPv6, and first try the IPv4, and if there is no IPv4 result, then try IPv6? Because now it gives a few SERVFAILs (I have to refresh the browser to make it work); I guess it gets the IPv4, but it only works after a few refreshes.
Even if I do a dig on it, it shows there is no AAAA:
root@server:/etc/nginx/sites-enabled# dig aax-eu.amazon-adsystem.com

; <<>> DiG 9.11.3-2-Debian <<>> aax-eu.amazon-adsystem.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e45e832118506bb5a0758eeb5b580e51c9b57c8a8d971011 (good)
;; QUESTION SECTION:

;; ANSWER SECTION:
aax-eu.amazon-adsystem.com. 60 IN A 52.94.216.48

;; AUTHORITY SECTION:

;; Query time: 52 msec
;; SERVER: 192.168.78.20#53(192.168.78.20)
;; WHEN: Wed Jul 25 07:44:49 CEST 2018
;; MSG SIZE  rcvd: 232

Is there any solution for this? It just started happening in the last week.

Patrik
WWW | GitHub | NPM | Corifeus | +36 20 342 8046


Dns Admin

Jul 25, 2018, 2:04:46 AM
to bind-...@lists.isc.org

Hi Patrik,

I don't see any SERVFAIL querying for this AAAA record. Maybe your "internal-enp1s0f3" view is configured to bump this domain?

Kind Regards Peter

dig aax-eu.amazon-adsystem.com aaaa

; <<>> DiG 9.10.2-P4 <<>> aax-eu.amazon-adsystem.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aax-eu.amazon-adsystem.com.    IN      AAAA

;; AUTHORITY SECTION:
aax-eu.amazon-adsystem.com. 60  IN      SOA     ns-924.amazon.com. root.amazon.com. 1532498091 3600 900 7776000 60

;; Query time: 67 msec
;; SERVER: 205.166.94.20#53(205.166.94.20)
;; WHEN: Wed Jul 25 05:59:58 UTC 2018
;; MSG SIZE  rcvd: 110

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Patrik

Jul 25, 2018, 2:08:45 AM
to dnsa...@gmail.com, bind-...@lists.isc.org
Hello!
Thank you very much.
So what do you mean by "internal-enp1s0f3" view is configured to bump this domain?
Is this a setting?

It looks like this for my views:
view "internal-enp1s0f3" {
    match-clients { "internal-enp1s0f3"; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { "internal-enp1s0f3"; };
 
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };
    include "/etc/bind/named.conf.default-zones";

    zone "patrikx3.com" {
        type master;
        file "/etc/bind/zones/enp1s0f3/patrikx3.com";
        include "/var/lib/samba/private/named.conf.update";
    };

    zone "corifeus.com" {
        type master;
        file "/etc/bind/zones/enp1s0f3/corifeus.com";
    };

    include "/var/lib/samba/private/named.conf";

};


view "internal-enp1s0f2" {
    match-clients { "internal-enp1s0f2"; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { "internal-enp1s0f2"; };
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };

    include "/etc/bind/named.conf.default-zones";

    zone "patrikx3.com" {
        type master;
        file "/etc/bind/zones/enp1s0f2/patrikx3.com";
//        include "/var/lib/samba/private/named.conf.update";
    };

    zone "corifeus.com" {
        type master;
        file "/etc/bind/zones/enp1s0f2/corifeus.com";
    };

//    include "/var/lib/samba/private/named.conf";

};


view "external" {
    match-clients { any; };

    recursion no;
    additional-from-auth no;
    additional-from-cache no;

//    allow-transfer { any; }; // temporarily allowed for debugging purposes
    allow-transfer { none; }; 

//    zone "namesystem.tk" IN {
//        type master;
//        file "/etc/bind/zones/external.namesystem.tk";
//    };
};


Patrik
WWW | GitHub | NPM | Corifeus | +36 20 342 8046



Mark Andrews

Jul 25, 2018, 2:18:04 AM
to Patrik, bind-...@lists.isc.org
So what do you get from this command when run on the recursive server?

dig aax-eu.amazon-adsystem.com aaaa @ns-911.amazon.com +dnssec +norec

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Patrik

Jul 25, 2018, 2:19:51 AM
to ma...@isc.org, bind-...@lists.isc.org
root@server:~# dig aax-eu.amazon-adsystem.com aaaa @ns-911.amazon.com +dnssec +norec

; <<>> DiG 9.11.3-2-Debian <<>> aax-eu.amazon-adsystem.com aaaa @ns-911.amazon.com +dnssec +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49254
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;; AUTHORITY SECTION:
aax-eu.amazon-adsystem.com. 60 IN SOA ns-947.amazon.com. root.amazon.com. 1532498716 3600 900 7776000 60

;; Query time: 173 msec
;; SERVER: 52.9.140.222#53(52.9.140.222)
;; WHEN: Wed Jul 25 08:18:23 CEST 2018
;; MSG SIZE  rcvd: 99

root@server:~# 

It looks OKAY, but as I sent in a previous 2nd e-mail, it fails and the log shows it. Very weird.

Patrik
WWW | GitHub | NPM | Corifeus | +36 20 342 8046



Patrik

Jul 25, 2018, 6:09:08 AM
to ma...@isc.org, bind-...@lists.isc.org

Patrik

Jul 25, 2018, 6:09:29 AM
to dnsa...@gmail.com, bind-...@lists.isc.org

Dns Admin

Jul 25, 2018, 6:16:55 AM
to Patrik, bind-...@lists.isc.org

Hi Patrik,

192.168.81.20 appears to be matched to the internal-enp1s0f3 view.
This view might not be able to resolve these external DNS entries correctly.

What do you get when you try

dig @192.168.81.20 com soa

and

dig @192.168.81.20 production.cloudflare.docker.com +trace

Kind Regards Peter

Patrik

Jul 25, 2018, 6:26:18 AM
to dnsa...@gmail.com, bind-...@lists.isc.org
Is it possible that I have 2 routers on 1 server and 2 views? Should I just use 1 connection to the same server?
I connect to internet connection 1 for my downloading etc., and 1 for the input for web, email, etc.
But I connected 2. The big problem is that I cannot turn off the server's 2nd view; I need exactly the 2 views and I still get a SERVFAIL, but after I do it again, it will work, or on my workstation I have to refresh the browser like many times.
Plus by now it cached my IP address; this is what is weird, that the first time it is like that SERVFAIL and I have no idea what it is doing.
E.g., the log:
25-Jul-2018 09:18:27.737 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:27.738 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:28.401 client @0x7faa8c062b10 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:8402
25-Jul-2018 09:18:28.401 client @0x7faac0184500 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:28.402 client @0x7faa8c034d00 2001:470:1f1b:5b3::b4a#41540 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885


So, as you told me to do it:

patrikx3@workstation:/media/linux-nvme/home/patrikx3$ dig @192.168.81.20 com soa 

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.81.20 com soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43117
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2f5d97d5314b65c4037161895b584e70ccafb7ee026ea3d0 (good)
;; QUESTION SECTION:
;com. IN SOA

;; ANSWER SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1532513892 1800 900 604800 86400

;; AUTHORITY SECTION:
. 10083 IN NS f.root-servers.net.
. 10083 IN NS k.root-servers.net.
. 10083 IN NS e.root-servers.net.
. 10083 IN NS m.root-servers.net.
. 10083 IN NS a.root-servers.net.
. 10083 IN NS j.root-servers.net.
. 10083 IN NS i.root-servers.net.
. 10083 IN NS g.root-servers.net.
. 10083 IN NS d.root-servers.net.
. 10083 IN NS c.root-servers.net.
. 10083 IN NS h.root-servers.net.
. 10083 IN NS l.root-servers.net.
. 10083 IN NS b.root-servers.net.

;; Query time: 34 msec
;; SERVER: 192.168.81.20#53(192.168.81.20)
;; WHEN: Wed Jul 25 12:18:24 CEST 2018
;; MSG SIZE  rcvd: 341

patrikx3@workstation:/media/linux-nvme/home/patrikx3$ dig @192.168.81.20 production.cloudflare.docker.com +trace

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.81.20 production.cloudflare.docker.com +trace
; (1 server found)
;; global options: +cmd
;; Received 56 bytes from 192.168.81.20#53(192.168.81.20) in 0 ms

patrikx3@workstation:/media/linux-nvme/home/patrikx3$ 
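
An added example, not part of the thread or of BIND itself: a small Python parser for named "query failed" lines in the format pasted above, grouping failures by view and record type so it is visible whether they are confined to AAAA queries. The sample log lines, names and addresses are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Layout of named's "query failed" lines as pasted in the thread (BIND 9.11).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>\S+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): view (?P<view>[^:]+): "
    r"query failed \((?P<rcode>\w+)\) for \S+/(?P<qclass>\w+)/(?P<qtype>\w+) "
    r"at (?P<src>\S+:\d+)$"
)

# Constructed sample input; the last line is unrelated and must be skipped.
SAMPLE_LOG = """\
25-Jul-2018 07:44:09.647 client @0x7fa268223c10 192.0.2.30#56577 (ads.example.com): view internal-a: query failed (SERVFAIL) for ads.example.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.647 client @0x7fa2440c7ef0 2001:db8:5b3::b4a#41516 (ads.example.com): view internal-a: query failed (SERVFAIL) for ads.example.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 07:44:09.648 client @0x7fa2340836e0 2001:db8:5b5::b4a#50353 (ads.example.com): view internal-b: query failed (SERVFAIL) for ads.example.com/IN/AAAA at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:28.401 client @0x7faa8c062b10 192.0.2.30#50670 (v6.example.net): view internal-a: query failed (SERVFAIL) for v6.example.net/IN/A at ../../../bin/named/query.c:8402
25-Jul-2018 09:18:29.000 zone example.com/IN: loaded serial 1
"""

def parse(text):
    """Yield one dict per 'query failed' line; ignore every other log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Count failures per (view, qtype) with the distinct clients and names."""
    counts, clients, names = Counter(), defaultdict(set), defaultdict(set)
    for rec in parse(text):
        key = (rec["view"], rec["qtype"])
        counts[key] += 1
        clients[key].add(rec["client"])
        names[key].add(rec["qname"])
    return {k: {"failures": n, "clients": sorted(clients[k]),
                "names": sorted(names[k])} for k, n in counts.items()}

def aaaa_only(summary):
    """True only if every logged failure was for an AAAA query."""
    return bool(summary) and all(qtype == "AAAA" for _, qtype in summary)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (view, qtype), info in sorted(result.items()):
        print(view, qtype, info["failures"], info["clients"], info["names"])
    print("failures confined to AAAA:", aaaa_only(result))
```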