On Mon, May 25, 2020 at 04:46:15PM -0400, Dave Burkholder via Pdns-users wrote:
> I did wonder too if there's an issue of reaching root servers, or firewall
> modifying responses, so I did try installing unbound on the same machine,
> and it's working fine. unbound on port 3053 always works, but pdns on
> port 2053 always FAIL.

Your network is faulty:

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Trying IP 202.12.27.33:53, asking 'com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms

If it happens to work for unbound, well, good luck there. But as long as
someone is intercepting your traffic to the root servers and modifying it,
all bets are off.

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Trying IP 192.58.128.30:53, asking 'reddit.com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Got 4 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.1.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.193.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.65.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.129.140' in the answer section without the AA bit set received from .

This is also a clear indication someone is intercepting and breaking your
traffic to root servers. The real J-root will not answer with IP addresses
for reddit.com.

Bert

>
> Regards,
>
> Dave
>
> On 5/25/20 4:04 PM, bert hubert wrote:
> >On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users
> >wrote:
> >>When I enable trace, I get lines like:
> >>
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] bing.com: Got 3 answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 6ms
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> >>'bing.com|A|204.79.197.200' in the answer section without the AA bit set
> >>received from .
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> >>'bing.com|A|13.107.21.200' in the answer section without the AA bit set
> >>received from .
> >Could you please send a complete output of trace? It appears someone is
> >intercepting and changing your DNS responses.
> >
> >Thanks!
> >
> >Bert
> >
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
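
The check described in the message above (a root server returning address records with aa=0 for a name it only delegates), as an added example that is not part of the original thread: it scans pdns_recursor trace output for that pattern. The sample lines are copied from the trace quoted in this thread; the function name and the regular expressions are assumptions based on the log format shown here.

```python
import re

# Sample lines copied from the trace quoted in this thread.
SAMPLE_TRACE = """\
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Trying IP 202.12.27.33:53, asking 'com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Trying IP 192.58.128.30:53, asking 'reddit.com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Got 4 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.1.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.193.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.65.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.129.140' in the answer section without the AA bit set received from .
"""

# Assumed format, derived from the lines above: "<qname>: Got N answers from <root> (<ip>), ... aa=0|1"
GOT = re.compile(
    r"\] (?P<qname>\S+): Got (?P<n>\d+) answers from "
    r"(?P<server>[a-m]\.root-servers\.net) \((?P<ip>[0-9a-fA-F.:]+)\), "
    r"rcode=\d+ \([^)]*\), aa=(?P<aa>[01])"
)
REMOVED = re.compile(
    r"Removing record '(?P<rec>[^']+)' in the answer section "
    r"without the AA bit set received from (?P<zone>\S+)"
)

def find_root_interception(trace):
    """Flag root-server replies that carry answers without the AA bit set."""
    findings, current = [], None
    for line in trace.splitlines():
        m = GOT.search(line)
        if m:
            current = None
            # A referral has 0 answers; answers with aa=0 from a root are suspect.
            if int(m["n"]) > 0 and m["aa"] == "0":
                current = {"qname": m["qname"], "server": m["server"], "ip": m["ip"],
                           "answers": int(m["n"]), "removed": []}
                findings.append(current)
            continue
        m = REMOVED.search(line)
        if m and current is not None and m["zone"] == ".":
            current["removed"].append(m["rec"])  # records the recursor discarded
    return findings

if __name__ == "__main__":
    for f in find_root_interception(SAMPLE_TRACE):
        print(f"{f['server']} ({f['ip']}) gave {f['answers']} non-AA answers for {f['qname']}")
```
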