I have two configured bind9 DNS servers behind a load balancer. For two weeks they have not been able to resolve any .pl domain name.
root@arc01:/etc/bind# dig www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 16:06:39 CEST 2021
;; MSG SIZE rcvd: 42
All other top-level domains (I tested about 10) work without problems.
It seems that the server has a problem connecting to the Polish root name server:
root@arc01:/etc/bind# dig +trace +dnssec -4 www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> +trace +dnssec -4 www.google.pl
;; global options: +cmd
. 515765 IN NS m.root-servers.net.
. 515765 IN NS e.root-servers.net.
. 515765 IN NS b.root-servers.net.
. 515765 IN NS i.root-servers.net.
. 515765 IN NS l.root-servers.net.
. 515765 IN NS g.root-servers.net.
. 515765 IN NS c.root-servers.net.
. 515765 IN NS d.root-servers.net.
. 515765 IN NS k.root-servers.net.
. 515765 IN NS j.root-servers.net.
. 515765 IN NS h.root-servers.net.
. 515765 IN NS a.root-servers.net.
. 515765 IN NS f.root-servers.net.
. 518377 IN RRSIG NS 8 0 518400 20210613050000 20210531040000 14631 . bGi7CZJIdWLRScZDRv7wJ1ea7bQYNDph0Bfax9HgfaKjKsMQtxEKIUP2 gGOWuxgt1rfnkvLsaMsfNhYpTvdzjEuMpQoBtC02ORAjBNSJp6sN570f fqEADaCX+Ff6nTCI0BwfV+zf3pI+1YZ0r+GC7JEGdvy35F3HiKpDdF/P kUfuiiq0dgCDg2F8kXsS9HVaBT+M/kkvZa/5mI7mrC0WBr1ydux8QNNC eLNPLjrMyIoQTiTq0bwDk6neOsULJu7Ukwj/qscDmbmZtREU9OuxbV/y Apkfupa6Fej7gFJOk5vJ+NmzAZdvSHGMjMMgknsCXcbBc2VWQegHvRwv 4qQV/w==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
pl. 172800 IN NS a-dns.pl.
pl. 172800 IN NS b-dns.pl.
pl. 172800 IN NS d-dns.pl.
pl. 172800 IN NS e-dns.pl.
pl. 172800 IN NS f-dns.pl.
pl. 172800 IN NS g-dns.pl.
pl. 172800 IN NS h-dns.pl.
pl. 172800 IN NS i-dns.pl.
pl. 86400 IN DS 51352 8 2 C4282918DE616A9E3BFFEC1F0652A41CF73DB7EF7F5785DB7359E9E5 9D40048C
pl. 86400 IN RRSIG DS 8 1 86400 20210613050000 20210531040000 14631 . URLj955qcr6Knn4L6U9AqIPEhWkN+2DyNZ1m24CUjxg/g5jwtREuQAMo r5LLK0cyrwTtFX4lEzr8DkOl11upGd7jyg7Wkydg6UWxC5VkFjcIsaOG X3kJlZ1cHvkOL9GE0XUPyKk1jyhDAvziYNvljiGtuBmZktY+nS4Mowg3 zNZirsj9TARfhhbYrL4zvZu11kew6J6z6TxU3BCD3/1SEhIPY+hlKjAl ka22+F/e1eQnSybx3RAK2peDj+LbmfwObF2+qsW2EVJEqlcM1ixxQqtw 9h8X8eQ8AtbqRGF4Ms0QyAkMgWk7hRdsPAOk79goySjrUBw6baaUYA0j EZAWcQ==
dig: couldn't get address for 'a-dns.pl': no more
But if I try to ask a-dns.pl directly, it works:
root@arc01:/etc/bind# dig @m.root-servers.net a-dns.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> @m.root-servers.net dns-a.pl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55853
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns-a.pl. IN A
;; AUTHORITY SECTION:
pl. 172800 IN NS i-dns.pl.
pl. 172800 IN NS a-dns.pl.
pl. 172800 IN NS b-dns.pl.
pl. 172800 IN NS g-dns.pl.
pl. 172800 IN NS h-dns.pl.
pl. 172800 IN NS f-dns.pl.
pl. 172800 IN NS e-dns.pl.
pl. 172800 IN NS d-dns.pl.
;; ADDITIONAL SECTION:
a-dns.pl. 172800 IN A 194.181.87.156
b-dns.pl. 172800 IN A 192.195.72.53
d-dns.pl. 172800 IN A 185.159.197.48
e-dns.pl. 172800 IN A 46.28.245.82
f-dns.pl. 172800 IN A 194.0.25.29
g-dns.pl. 172800 IN A 149.156.1.252
h-dns.pl. 172800 IN A 185.159.198.48
i-dns.pl. 172800 IN A 156.154.100.15
a-dns.pl. 172800 IN AAAA 2001:a10:121:1::156
b-dns.pl. 172800 IN AAAA 2001:7f9:c::53
d-dns.pl. 172800 IN AAAA 2620:10a:80aa::48
f-dns.pl. 172800 IN AAAA 2001:678:20::29
g-dns.pl. 172800 IN AAAA 2001:6d8:1001:1::252
h-dns.pl. 172800 IN AAAA 2620:10a:80ab::48
i-dns.pl. 172800 IN AAAA 2001:502:2eda::15
;; Query time: 15 msec
;; SERVER: 202.12.27.33#53(202.12.27.33)
;; WHEN: Mon May 31 16:11:10 CEST 2021
;; MSG SIZE rcvd: 521
root@arc01:/etc/bind# dig @194.181.87.156 www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> @194.181.87.156 www.google.pl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21146
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.pl. IN A
;; AUTHORITY SECTION:
google.pl. 86400 IN NS ns1.google.com.
google.pl. 86400 IN NS ns2.google.com.
google.pl. 86400 IN NS ns3.google.com.
google.pl. 86400 IN NS ns4.google.com.
;; Query time: 19 msec
;; SERVER: 194.181.87.156#53(194.181.87.156)
;; WHEN: Mon May 31 16:13:00 CEST 2021
;; MSG SIZE rcvd: 124
My server should get the IP for a-dns.pl from the root name server's additional section, but this doesn't seem to work.
Changes I tried to fix the issue (without success):
- restarting bind
- restoring a configuration from a time when it was still working
- updating root hints
- tcpdump to check network traffic (there seems to be no additional information)
To make it even weirder, it is restricted to .pl domains only. Any suggestions are very welcome.
Request:
root@arc01:~# dig www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; Query time: 5540 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 20:04:21 CEST 2021
;; MSG SIZE rcvd: 42
Log entries:
31-May-2021 20:04:15.937 queries: info: client 127.0.0.1#45782 (www.google.pl): view internal: query: www.google.pl IN A +E (127.0.0.1)
31-May-2021 20:04:17.937 queries: info: client 172.x.x.x#34880 (www.google.pl): view internal: query: www.google.pl IN A +E (172.x.x.x)
31-May-2021 20:04:21.477 dnssec: info: validating @0x7f0d8c985740: www.google.pl A: bad cache hit (google.pl/DS)
Something like this might be the source of the problem: https://kb.isc.org/docs/aa-00912 (Bind9: DNS resolution temporarily lost)
I tried combinations of the configuration options dnssec-enable and dnssec-validation ("yes" to "no"), combined with rndc flush && service bind9 restart, but it didn't help.
Update 2: It is a validation problem. Using dig +cd works:
root@arc01:~# dig +cd www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> +cd www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28904
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; ANSWER SECTION:
www.google.pl. 216 IN A 172.217.18.99
;; AUTHORITY SECTION:
google.pl. 60975 IN NS ns1.google.com.
google.pl. 60975 IN NS ns3.google.com.
google.pl. 60975 IN NS ns2.google.com.
google.pl. 60975 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 320030 IN A 216.239.32.10
ns1.google.com. 320030 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 320030 IN A 216.239.34.10
ns2.google.com. 320030 IN AAAA 2001:4860:4802:34::a
ns3.google.com. 320030 IN A 216.239.36.10
ns3.google.com. 320030 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 320030 IN A 216.239.38.10
ns4.google.com. 320030 IN AAAA 2001:4860:4802:38::a
;; Query time: 1 msec
;; SERVER: 192.168.32.17#53(192.168.32.17)
;; WHEN: Mon May 31 21:28:40 CEST 2021
;; MSG SIZE rcvd: 316
Will continue tomorrow...
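As an added example (not part of the post above), the following Python script automates the classification the poster arrived at by hand: it compares a plain dig answer with a +cd (checking disabled) answer and scans named's log for "bad cache hit" entries, so a SERVFAIL can be recognised as a DNSSEC validation failure, and the record the validator rejected can be identified, before anyone is tempted to switch validation off. The dig outputs and log lines embedded below are constructed stand-ins shaped like the ones in the post; the function names are my own.

```python
import re

# Constructed dig output, abbreviated to the header lines the parser needs
# (same shape as the output in the post, not copied from a live query).
DIG_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28904
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
"""
# Constructed named log lines in the format shown in the post.
LOG_LINES = [
    "31-May-2021 20:04:15.937 queries: info: client 127.0.0.1#45782 (www.google.pl): "
    "view internal: query: www.google.pl IN A +E (127.0.0.1)",
    "31-May-2021 20:04:21.477 dnssec: info: validating @0x7f0d8c985740: "
    "www.google.pl A: bad cache hit (google.pl/DS)",
]

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
# Captures: queried name, queried type, rejected record name, rejected record type.
BADCACHE_RE = re.compile(r"validating .*?: (\S+) (\S+): bad cache hit \((\S+)/(\S+)\)")

def dig_status(output):
    """Return the RCODE from a dig header line, e.g. 'SERVFAIL' or 'NOERROR'."""
    m = STATUS_RE.search(output)
    return m.group(1) if m else None

def dig_flags(output):
    """Return the set of header flags (qr, rd, ra, cd, ad, ...) dig reported."""
    m = FLAGS_RE.search(output)
    return set(m.group(1).split()) if m else set()

def bad_cache_hits(log_lines):
    """Extract (qname, qtype, bad_name, bad_type) from validator 'bad cache hit' lines."""
    return [m.groups() for m in map(BADCACHE_RE.search, log_lines) if m]

def diagnose(plain_out, cd_out, log_lines):
    """SERVFAIL that turns into NOERROR with +cd means the data was fetched fine
    and only DNSSEC validation failed; list the records the validator flagged."""
    plain, cd = dig_status(plain_out), dig_status(cd_out)
    validation_failure = plain == "SERVFAIL" and cd == "NOERROR" and "cd" in dig_flags(cd_out)
    return {
        "status": plain,
        "status_cd": cd,
        "validation_failure": validation_failure,
        "bad_cache": [f"{name}/{rtype}" for _, _, name, rtype in bad_cache_hits(log_lines)],
    }

if __name__ == "__main__":
    print(diagnose(DIG_PLAIN, DIG_CD, LOG_LINES))
```

On a live resolver, feed it the output of `dig www.google.pl` and `dig +cd www.google.pl` plus the dnssec category of named's log; a "bad_cache" entry such as google.pl/DS points at the delegation whose DS/DNSKEY chain the resolver could not verify.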