Re: Strange DNS problem
Thanks > On 13 Jun 2019, at 1:17 am, Rune Hassel wrote: > > Hi! > > This problem should now be completely resolved. > > Regards > Rune Hassel > > > -Original Message- > From: Mark Andrews > Sent: Tuesday, June 11, 2019 6:08 AM > To: Jukka Pakkanen > Cc: Stephane Bortzmeyer ; c...@cam.ac.uk; > bind-us...@isc.org; hostmas...@datatower.fi > Subject: Re: Strange DNS problem > > You solve that by complaining to the operators of the servers that their DNS > servers mis-implement DNS COOKIE (RFC 7873) and could they request a fix from > their DNS vendor. > > Not that they make things easy to contact them. No email in whois. Just a > PO box and a phone number and I don’t intend to call it from here. > > name...: DATATOWER AB > register number: 0708753-2 > address: PB 144 > address: 67101 > address: KOKKOLA > country: Finland > phone..: +358 20 7789 564 > holder email...: > > https://datatower.fi is just a login form with a bad CERT (for > mail.datatower.fi). > > Mark > >> On 11 Jun 2019, at 4:36 am, Jukka Pakkanen wrote: >> >> Yeah, another advertising company turned to an ISP... >> >> Solved *our* problem now by including the suggested server clause for both >> of their broken servers, to our servers. Of course does not solve the real >> problem, the broken servers of theirs. >> >> Thanks for help. >> >> Jukka >> >> -Original Message- >> From: Stephane Bortzmeyer >> Sent: 10. kesäkuuta 2019 20:01 >> To: Jukka Pakkanen >> Cc: c...@cam.ac.uk; bind-us...@isc.org >> Subject: Re: Strange DNS problem >> >> On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen >> wrote a message of 58 lines which said: >> >>> Then, unfortunately our nameservers won't resolve ns.kpk.fi either. >> >> Same authoritative name server, same problem. See my email. >> >> % dig @ns.datatower.fi. NS kpk.fi. >> >> ;; Warning: Client COOKIE mismatch >> >> ___ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
You solve that by complaining to the operators of the servers that their DNS servers mis-implement DNS COOKIE (RFC 7873) and could they request a fix from their DNS vendor. Not that they make things easy to contact them. No email in whois. Just a PO box and a phone number and I don’t intend to call it from here. name...: DATATOWER AB register number: 0708753-2 address: PB 144 address: 67101 address: KOKKOLA country: Finland phone..: +358 20 7789 564 holder email...: https://datatower.fi is just a login form with a bad CERT (for mail.datatower.fi). Mark > On 11 Jun 2019, at 4:36 am, Jukka Pakkanen wrote: > > Yeah, another advertising company turned to an ISP... > > Solved *our* problem now by including the suggested server clause for both of > their broken servers, to our servers. Of course does not solve the real > problem, the broken servers of theirs. > > Thanks for help. > > Jukka > > -Original Message- > From: Stephane Bortzmeyer > Sent: 10. kesäkuuta 2019 20:01 > To: Jukka Pakkanen > Cc: c...@cam.ac.uk; bind-us...@isc.org > Subject: Re: Strange DNS problem > > On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen > wrote a message of 58 lines which said: > >> Then, unfortunately our nameservers won't resolve ns.kpk.fi either. > > Same authoritative name server, same problem. See my email. > > % dig @ns.datatower.fi. NS kpk.fi. > > ;; Warning: Client COOKIE mismatch > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
Yeah, another advertising company turned to an ISP... Solved *our* problem now by including the suggested server clause for both of their broken servers, to our servers. Of course does not solve the real problem, the broken servers of theirs. Thanks for help. Jukka -Original Message- From: Stephane Bortzmeyer Sent: 10. kesäkuuta 2019 20:01 To: Jukka Pakkanen Cc: c...@cam.ac.uk; bind-us...@isc.org Subject: Re: Strange DNS problem On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mismatch ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Mon, Jun 10, 2019 at 05:43:02PM +, Jukka Pakkanen wrote a message of 58 lines which said: > Then, unfortunately our nameservers won't resolve ns.kpk.fi either. Same authoritative name server, same problem. See my email. % dig @ns.datatower.fi. NS kpk.fi. ;; Warning: Client COOKIE mismatch ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
-Original Message- From: Chris Thompson On Behalf Of Chris Thompson Sent: 10. kesäkuuta 2019 17:30 To: Jukka Pakkanen Cc: bind-us...@isc.org Subject: Re: Strange DNS problem On Jun 10 2019, Jukka Pakkanen wrote: >We have a strange problem related to DNS services, maybe someone here >have a clue what could be the problem. […] >An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: >; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 >server found) ;; global options: +cmd ;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr >aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: >recursion requested but not available > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fall back works, as I suppose it does, it does not help here. ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; Query time: 0 msec ;; SERVER: 62.142.220.5#53(62.142.220.5) ;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 66 And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer: ; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ef9a3009864a202e5dfe5cfe9648adfe8be2561def4d (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; Query time: 31 msec ;; SERVER: 192.130.183.74#53(192.130.183.74) ;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 82 Jukka Maybe because the "lue.keskipohjanmaa.com" NS server for this kpk.fi domain, also seems to be having this cookie problem: ;; Warning: Client COOKIE mismatch ; <<>> DiG 9.14.2 <<>> @192.130.183.69 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39629 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a0ffec004f65b471e0b8b271e7bab2718129c071 (bad) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; AUTHORITY SECTION: kpk.fi. 600 IN NS lue.keskipohjanmaa.com. kpk.fi. 600 IN NS ns.datatower.fi. ;; ADDITIONAL SECTION: ns.datatower.fi.3600IN A 193.184.54.212 lue.keskipohjanmaa.com. 3600IN A 192.130.183.69 ;; Query time: 31 msec ;; SERVER: 192.130.183.69#53(192.130.183.69) ;; WHEN: Mon Jun 10 20:59:44 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 177 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Strange DNS problem
-Original Message- From: Chris Thompson On Behalf Of Chris Thompson Sent: 10. kesäkuuta 2019 17:30 To: Jukka Pakkanen Cc: bind-us...@isc.org Subject: Re: Strange DNS problem On Jun 10 2019, Jukka Pakkanen wrote: >We have a strange problem related to DNS services, maybe someone here >have a clue what could be the problem. […] >An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: >; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 >server found) ;; global options: +cmd ;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr >aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: >recursion requested but not available > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 4096 >; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk Then, unfortunately our nameservers won't resolve ns.kpk.fi either. So even if the fall back works, as I suppose it does, it does not help here. ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64299 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 5fdcace005523ca0f1b0c9c95cfe96f17497773ef05635e1 (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; Query time: 0 msec ;; SERVER: 62.142.220.5#53(62.142.220.5) ;; WHEN: Mon Jun 10 20:44:17 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 66 And again when inquiring directly with the IP of ns.kpk.fi, we do get an answer: ; <<>> DiG 9.14.2 <<>> @192.130.183.74 ns.kpk.fi ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50365 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ef9a3009864a202e5dfe5cfe9648adfe8be2561def4d (good) ;; QUESTION SECTION: ;ns.kpk.fi. IN A ;; ANSWER SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ;; Query time: 31 msec ;; SERVER: 192.130.183.74#53(192.130.183.74) ;; WHEN: Mon Jun 10 20:45:48 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 82 Jukka ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Jun 10 2019, Jukka Pakkanen wrote: We have a strange problem related to DNS services, maybe someone here have a clue what could be the problem. […] An example, the client domain is raimoasikainenoy.fi. Well, there is certainly something wrong with ns.datatower.fi [193.184.54.212], as it consistently returns server cookies that bear no relationship to the client cookie sent in the query, and in fact I get *exactly* the same one as you report: ; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) every time! (Use +qr to show the client cookie sent by dig.) I expect you could work around this by specifying server 193.184.54.212 { send-cookie no; }; in your named.conf, but it seems to me that BIND 9.14 ought to be able to fall back on using ns.kpk.fi [192.130.183.74] which doesn't have this server cookie problem. -- Chris Thompson Email: c...@cam.ac.uk ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange DNS problem
On Mon, Jun 10, 2019 at 02:28:46PM +, Jukka Pakkanen wrote a message of 382 lines which said: > An example, the client domain is raimoasikainenoy.fi. dig clearly says it's a cookie issue: % dig @193.184.54.212 NS raimoasikainenoy.fi ;; Warning: Client COOKIE mismatch An DNSviz confirms: http://dnsviz.net/d/raimoasikainenoy.fi/dnssec/ Your tests show that it fails only when you use cookies, which is consistent with the above: > ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi raimoasikainenoy.fi ns ... > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ; COOKIE: 55ba199a6d905273458bc2065cfe655462f150936d882603 (good) > ; <<>> DiG 9.14.2 <<>> @8.8.8.8 raimoasikainenoy.fi ns ... > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 (Bad Google, no cookies) So, they have broken authoritative name servers. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Strange DNS problem
We have a strange problem related to DNS services, maybe someone here have a clue what could be the problem. We are running BIND 9.14.2 in several servers, ns1.qnet.fi, ns2.qnet.fi etc. Everything else works fine, but with one small operator (actually a mediahouse), we can not get any replies to DNS queries from them. First thought it is a routing problem somewhere, but inquiring those servers with IP works, so can not be. An example, the client domain is raimoasikainenoy.fi. ; <<>> DiG 9.14.2 <<>> @ns1.qnet.fi raimoasikainenoy.fi ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15578 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 55ba199a6d905273458bc2065cfe655462f150936d882603 (good) ;; QUESTION SECTION: ;raimoasikainenoy.fi. IN NS ;; Query time: 4999 msec ;; SERVER: 62.142.220.5#53(62.142.220.5) ;; WHEN: Mon Jun 10 17:12:36 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 76 >From our own providers nameservers it works however, also tested ok from a >couple other operators: ; <<>> DiG 9.14.2 <<>> @8.8.8.8 raimoasikainenoy.fi ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47848 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;raimoasikainenoy.fi. IN NS ;; ANSWER SECTION: raimoasikainenoy.fi. 3599IN NS ns.kpk.fi. raimoasikainenoy.fi. 3599IN NS ns.datatower.fi. ;; Query time: 78 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Mon Jun 10 17:14:11 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 96 Then testing from our network again, inquiring from ns.kpk.fi or ns.datatower.fi not working, our server cannot resolve those names. But when inquiring with IP 193.184.54.212 (ns.datatower.fi): ;; Warning: Client COOKIE mismatch ; <<>> DiG 9.14.2 <<>> @193.184.54.212 raimoasikainenoy.fi ns ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14591 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: a0ff0c014f65b471e0b8b271e7bab2718129c071 (bad) ;; QUESTION SECTION: ;raimoasikainenoy.fi. IN NS ;; ANSWER SECTION: raimoasikainenoy.fi. 3600IN NS ns.datatower.fi. raimoasikainenoy.fi. 3600IN NS ns.kpk.fi. ;; ADDITIONAL SECTION: ns.kpk.fi. 600 IN A 192.130.183.74 ns.datatower.fi. 3600IN A 193.184.54.212 ;; Query time: 15 msec ;; SERVER: 193.184.54.212#53(193.184.54.212) ;; WHEN: Mon Jun 10 17:17:50 FLE Daylight Time 2019 ;; MSG SIZE rcvd: 156 So what can it be?? To every other operator/network our inquiries work fine, have been working 25 years :) But only to this "operator" not. Our servers cannot resolve the name of their servers, even it can do it when inquiring their servers directly by servers IP addresses. Their NS records in the fi-root look little suspicious, like some of the servers lacked glue records, but not sure about that. Jukka Pakkanen Q-Net Oy ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users