Re: [Pdns-users] SERVFAIL on all requests
On Mon, May 25, 2020 at 04:46:15PM -0400, Dave Burkholder via Pdns-users wrote:
> I did wonder too if there's an issue of reaching root servers, or firewall
> modifying responses, so I did try installing unbound on the same machine,
> and it's working fine. unbound on port 3053 always works, but pdns on
> port 2053 always FAIL.

Your network is faulty:

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Trying IP 202.12.27.33:53, asking 'com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms

If it happens to work for unbound, well, good luck there. But as long as someone is intercepting your traffic to the root servers and modifying it, all bets are off.

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Trying IP 192.58.128.30:53, asking 'reddit.com|A'
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] reddit.com: Got 4 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.1.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.193.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.65.140' in the answer section without the AA bit set received from .
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] Removing record 'reddit.com|A|151.101.129.140' in the answer section without the AA bit set received from .

This is also a clear indication someone is intercepting and breaking your traffic to root servers. The real J-root will not answer with IP addresses for reddit.com.

Bert

>
> Regards,
>
> Dave
>
> On 5/25/20 4:04 PM, bert hubert wrote:
> > On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users
> > wrote:
> >> When I enable trace, I get lines like:
> >>
> >> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] bing.com: Got 3 answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 6ms
> >> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> >> 'bing.com|A|204.79.197.200' in the answer section without the AA bit set
> >> received from .
> >> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> >> 'bing.com|A|13.107.21.200' in the answer section without the AA bit set
> >> received from .
> > Could you please send a complete output of trace? It appears someone is
> > intercepting and changing your DNS responses.
> >
> > Thanks!
> >
> > Bert

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

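
A defender's check for the symptom described in the reply above, as an added example that is not part of the original thread or of PowerDNS: it scans recursor trace output for responses attributed to a root server that carry answer records with aa=0, and collects the records the recursor then discarded. The function name, the regexes and the flagging rule are assumptions of this example; the sample lines are copied from the trace quoted in the thread.

```python
import re

# Line formats as they appear in the pdns_recursor trace quoted in this thread.
GOT = re.compile(
    r"\[(?P<tid>\d+)\] (?P<qname>\S+): Got (?P<n>\d+) answers from "
    r"(?P<server>\S+) \((?P<ip>[^)]+)\), rcode=\d+ .*?aa=(?P<aa>[01])")
REMOVED = re.compile(
    r"\[(?P<tid>\d+)\] Removing record '(?P<rec>[^']+)' in the answer section "
    r"without the AA bit set")

def find_root_anomalies(lines):
    """Flag root-server responses that carried answer records with aa=0.

    Assumed rule (from the thread): a real root server refers the resolver
    onward and does not return A records for names such as reddit.com.
    """
    findings = []
    open_by_tid = {}  # trace id -> finding still collecting removed records
    for line in lines:
        got = GOT.search(line)
        if got:
            open_by_tid.pop(got["tid"], None)  # a new response closes the old one
            if (got["server"].endswith(".root-servers.net")
                    and int(got["n"]) > 0 and got["aa"] == "0"):
                finding = {"qname": got["qname"], "server": got["server"],
                           "ip": got["ip"], "answers": int(got["n"]),
                           "removed": []}
                findings.append(finding)
                open_by_tid[got["tid"]] = finding
            continue
        removed = REMOVED.search(line)
        if removed and removed["tid"] in open_by_tid:
            open_by_tid[removed["tid"]]["removed"].append(removed["rec"])
    return findings

# Sample input: lines copied from the trace in this thread.
P = "May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1] "
TAIL = " in the answer section without the AA bit set received from ."
SAMPLE = [
    P + "com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms",
    P + "reddit.com: Trying IP 192.58.128.30:53, asking 'reddit.com|A'",
    P + "reddit.com: Got 4 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms",
    P + "Removing record 'reddit.com|A|151.101.1.140'" + TAIL,
    P + "Removing record 'reddit.com|A|151.101.193.140'" + TAIL,
    P + "Removing record 'reddit.com|A|151.101.65.140'" + TAIL,
    P + "Removing record 'reddit.com|A|151.101.129.140'" + TAIL,
]

if __name__ == "__main__":
    for f in find_root_anomalies(SAMPLE):
        print(f["server"], f["ip"], "answered", f["qname"], "->", f["removed"])
```
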
Re: [Pdns-users] SERVFAIL on all requests
Hello Bert,

Here's a link to the trace https://code.compassfoundation.io/snippets/9

I did wonder too if there's an issue of reaching root servers, or firewall modifying responses, so I did try installing unbound on the same machine, and it's working fine. unbound on port 3053 always works, but pdns on port 2053 always FAIL.

Regards,

Dave

On 5/25/20 4:04 PM, bert hubert wrote:
> On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users wrote:
>> When I enable trace, I get lines like:
>>
>> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] bing.com: Got 3 answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 6ms
>> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record 'bing.com|A|204.79.197.200' in the answer section without the AA bit set received from .
>> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record 'bing.com|A|13.107.21.200' in the answer section without the AA bit set received from .
> Could you please send a complete output of trace? It appears someone is intercepting and changing your DNS responses.
>
> Thanks!
>
> Bert

Re: [Pdns-users] SERVFAIL on all requests
On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users wrote:
> When I enable trace, I get lines like:
>
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] bing.com: Got 3
> answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in
> 6ms
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> 'bing.com|A|204.79.197.200' in the answer section without the AA bit set
> received from .
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record
> 'bing.com|A|13.107.21.200' in the answer section without the AA bit set
> received from .

Could you please send a complete output of trace? It appears someone is intercepting and changing your DNS responses.

Thanks!

Bert

[Pdns-users] SERVFAIL on all requests
Hello everyone,

I'm trying to get pdns-recursor 4.3.1 to work at all on a Centos7 machine. When restarting the service, I got logs like:

May 25 15:26:40 system.cdc.lan pdns_recursor[11520]: Exception while performing security poll: more than 100 (max-qperq) queries sent while resolving powerdns.com

So I tripled max-qperq value and restarted pdns-recursor, and now get logs like:

May 25 15:31:40 system.cdc.lan pdns_recursor[14524]: Enabled 'epoll' multiplexer
May 25 15:31:40 system.cdc.lan pdns_recursor[14524]: Done priming cache with root hints
May 25 15:31:40 system.cdc.lan pdns_recursor[14524]: Done priming cache with root hints
May 25 15:31:51 system.cdc.lan pdns_recursor[14524]: Exception while performing security poll: Too much time waiting for 3.1.security-status.secpoll.powerdns.com|DS, timeouts: 0, throttles: 195, queries: 62, 7009msec

If I do a lookup for lxer.com, I get logs like:

May 25 15:33:56 system.cdc.lan pdns_recursor[14524]: 2 [1/1] question for 'lxer.com|A' from 127.0.0.1:34253
May 25 15:33:56 system.cdc.lan pdns_recursor[14524]: 2 [1/1] answer to question 'lxer.com|A': 0 answers, 1 additional, took 26 packets, 262.302 netw ms, 265.788 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=2

When I enable trace, I get lines like:

May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] bing.com: Got 3 answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 6ms
May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record 'bing.com|A|204.79.197.200' in the answer section without the AA bit set received from .
May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2] Removing record 'bing.com|A|13.107.21.200' in the answer section without the AA bit set received from .

May 25 15:55:15 system.cdc.lan pdns_recursor[16801]: [8] dell.com: Got 3 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 7ms
May 25 15:55:15 system.cdc.lan pdns_recursor[16801]: [8] Removing record 'dell.com|A|143.166.135.105' in the answer section without the AA bit set received from .
May 25 15:55:15 system.cdc.lan pdns_recursor[16801]: [8] Removing record 'dell.com|A|143.166.147.101' in the answer section without the AA bit set received from

It looks to me like pdns is _removing_ the correct answer -- that is, on my network, dell.com *should* resolve to 143.166.147.101, and bing *should* resolve to 13.107.21.200.

I'm at my wit's end. Any assistance would be much appreciated!

Regards,

Dave