Re: Determining case of REFUSED queries

2024-10-04 Thread tale via bind-users
On Thu, Oct 3, 2024 at 6:23 PM Lyle Giese via bind-users
 wrote:
> I get this:
> ; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca
>...
> socialinnovation.ca.3600IN  NS  dns.rebel.ca.
> socialinnovation.ca.3600IN  NS  sean.ns.cloudflare.com.
> socialinnovation.ca.3600IN  NS  kami.ns.cloudflare.com.
> socialinnovation.ca.3600IN  NS  dns2.rebel.ca.
>...>
> But a whois query for this domain only lists dns.rebel.ca and dns2.rebel.ca 
> for name servers.

The Cloudflare NSs are coming from the apex NS RRset as returned by rebel.ca.

> Wonder if the cloudflare server are not getting a good axfr from the rebel.ca 
> servers or something else is wrong.

REFUSED would tend to indicate that Cloudflare is just not configured
for the zone at all.
-- 
tale
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Determining case of REFUSED queries

2024-10-03 Thread Lyle Giese via bind-users

173.245.59.231 is a cloudflare name server.

I get this:

dig ns socialinnovation.ca

; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29081
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bc6332beb03bea8e010066ff17e01aa70cbb6939d99f (good)
;; QUESTION SECTION:
;socialinnovation.ca.   IN  NS

;; ANSWER SECTION:
socialinnovation.ca.    3600    IN  NS  dns.rebel.ca.
socialinnovation.ca.    3600    IN  NS  sean.ns.cloudflare.com.
socialinnovation.ca.    3600    IN  NS  kami.ns.cloudflare.com.
socialinnovation.ca.    3600    IN  NS  dns2.rebel.ca.

;; ADDITIONAL SECTION:
dns.rebel.ca.   86400   IN  A   52.3.166.104
dns2.rebel.ca.  86400   IN  A   52.10.144.165
sean.ns.cloudflare.com. 54981   IN  A   108.162.193.231
sean.ns.cloudflare.com. 54981   IN  A   172.64.33.231
sean.ns.cloudflare.com. 54981   IN  A   173.245.59.231
sean.ns.cloudflare.com. 54981   IN      2606:4700:58::adf5:3be7
sean.ns.cloudflare.com. 54981   IN      2803:f800:50::6ca2:c1e7
sean.ns.cloudflare.com. 54981   IN      2a06:98c1:50::ac40:21e7

;; Query time: 156 msec
;; SERVER: 192.168.250.1#53(192.168.250.1)
;; WHEN: Thu Oct 03 17:17:04 CDT 2024
;; MSG SIZE  rcvd: 340

But a whois query for this domain only lists dns.rebel.ca and 
dns2.rebel.ca for name servers.


Wonder if the cloudflare server are not getting a good axfr from the 
rebel.ca servers or something else is wrong.


Lyle Giese


On 10/3/24 16:31, J Doe wrote:

On 2024-09-19 19:17, Mark Andrews wrote:

I think the reason for the REFUSED is pretty obvious

% dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt

; <<>> DiG 9.21.0-dev <<>> +norec 
google._domainkey.socialinnovation.ca @173.245.59.231 txt

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;google._domainkey.socialinnovation.ca. IN TXT

;; Query time: 14 msec
;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP)
;; WHEN: Fri Sep 20 09:03:48 AEST 2024
;; MSG SIZE  rcvd: 72

%

Now you just need to work out why you where asking 173.245.59.231
rather than the actual nameservers for socialinnovation.ca.

socialinnovation.ca. 86400 IN NS dns.rebel.ca.
socialinnovation.ca. 86400 IN NS dns2.rebel.ca.
dns2.rebel.ca. 86400 IN A 52.10.144.165
dns.rebel.ca. 86400 IN A 52.3.166.104



Hi Mark,

Interesting!

The only thing I can think of that may be causing this issue is that
this e-mail server makes use of SpamAssassin 4.0.0, which would be doing
lookups for DKIM, DMARC.

Has anyone noticed anything similar ?  It only seems to happen with the
socialinnovation.ca domain.

Thanks,

- J

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Determining case of REFUSED queries

2024-10-03 Thread J Doe

On 2024-09-19 19:17, Mark Andrews wrote:

I think the reason for the REFUSED is pretty obvious

% dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt

; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca 
@173.245.59.231 txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;google._domainkey.socialinnovation.ca. IN TXT

;; Query time: 14 msec
;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP)
;; WHEN: Fri Sep 20 09:03:48 AEST 2024
;; MSG SIZE  rcvd: 72

%

Now you just need to work out why you where asking 173.245.59.231
rather than the actual nameservers for socialinnovation.ca.

socialinnovation.ca. 86400 IN NS dns.rebel.ca.
socialinnovation.ca. 86400 IN NS dns2.rebel.ca.
dns2.rebel.ca. 86400 IN A 52.10.144.165
dns.rebel.ca. 86400 IN A 52.3.166.104



Hi Mark,

Interesting!

The only thing I can think of that may be causing this issue is that
this e-mail server makes use of SpamAssassin 4.0.0, which would be doing
lookups for DKIM, DMARC.

Has anyone noticed anything similar ?  It only seems to happen with the
socialinnovation.ca domain.

Thanks,

- J


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Determining case of REFUSED queries

2024-09-19 Thread Mark Andrews
I think the reason for the REFUSED is pretty obvious

% dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt

; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca 
@173.245.59.231 txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;google._domainkey.socialinnovation.ca. IN TXT

;; Query time: 14 msec
;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP)
;; WHEN: Fri Sep 20 09:03:48 AEST 2024
;; MSG SIZE  rcvd: 72

% 

Now you just need to work out why you where asking 173.245.59.231
rather than the actual nameservers for socialinnovation.ca.

socialinnovation.ca. 86400 IN NS dns.rebel.ca.
socialinnovation.ca. 86400 IN NS dns2.rebel.ca.
dns2.rebel.ca. 86400 IN A 52.10.144.165
dns.rebel.ca. 86400 IN A 52.3.166.104


> On 20 Sep 2024, at 08:48, J Doe  wrote:
> 
> Hi list,
> 
> I have BIND 9.18.29 validating recursive resolver running on OpenBSD
> 7.5.  This resolver performs resolution for a mail server.
> 
> Sometimes in my logs I will see the following:
> 
>17-Sep-2024 16:21:41.562 lame-servers: info: REFUSED unexpected
>  RCODE resolving 'google._domainkey.socialinnovation.ca/TXT/IN':
>  173.245.59.231#53
> 
> ... but if I manually resolve the address with: dig against the resolver
> on the command line of the mail server, no errors are recorded.
> 
> I'd like to determine why sometimes I receive this error.  I currently
> have logging for this category of errors set to: severity info.  Should
> I increase this or are there other ways to determine why resolution is
> sometimes REFUSED ?
> 
> Thanks,
> 
> - J
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users