Re: Determining case of REFUSED queries
On Thu, Oct 3, 2024 at 6:23 PM Lyle Giese via bind-users wrote: > I get this: > ; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca >... > socialinnovation.ca.3600IN NS dns.rebel.ca. > socialinnovation.ca.3600IN NS sean.ns.cloudflare.com. > socialinnovation.ca.3600IN NS kami.ns.cloudflare.com. > socialinnovation.ca.3600IN NS dns2.rebel.ca. >...> > But a whois query for this domain only lists dns.rebel.ca and dns2.rebel.ca > for name servers. The Cloudflare NSs are coming from the apex NS RRset as returned by rebel.ca. > Wonder if the cloudflare server are not getting a good axfr from the rebel.ca > servers or something else is wrong. REFUSED would tend to indicate that Cloudflare is just not configured for the zone at all. -- tale -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Determining case of REFUSED queries
173.245.59.231 is a cloudflare name server. I get this: dig ns socialinnovation.ca ; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29081 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: bc6332beb03bea8e010066ff17e01aa70cbb6939d99f (good) ;; QUESTION SECTION: ;socialinnovation.ca. IN NS ;; ANSWER SECTION: socialinnovation.ca. 3600 IN NS dns.rebel.ca. socialinnovation.ca. 3600 IN NS sean.ns.cloudflare.com. socialinnovation.ca. 3600 IN NS kami.ns.cloudflare.com. socialinnovation.ca. 3600 IN NS dns2.rebel.ca. ;; ADDITIONAL SECTION: dns.rebel.ca. 86400 IN A 52.3.166.104 dns2.rebel.ca. 86400 IN A 52.10.144.165 sean.ns.cloudflare.com. 54981 IN A 108.162.193.231 sean.ns.cloudflare.com. 54981 IN A 172.64.33.231 sean.ns.cloudflare.com. 54981 IN A 173.245.59.231 sean.ns.cloudflare.com. 54981 IN 2606:4700:58::adf5:3be7 sean.ns.cloudflare.com. 54981 IN 2803:f800:50::6ca2:c1e7 sean.ns.cloudflare.com. 54981 IN 2a06:98c1:50::ac40:21e7 ;; Query time: 156 msec ;; SERVER: 192.168.250.1#53(192.168.250.1) ;; WHEN: Thu Oct 03 17:17:04 CDT 2024 ;; MSG SIZE rcvd: 340 But a whois query for this domain only lists dns.rebel.ca and dns2.rebel.ca for name servers. Wonder if the cloudflare server are not getting a good axfr from the rebel.ca servers or something else is wrong. Lyle Giese On 10/3/24 16:31, J Doe wrote: On 2024-09-19 19:17, Mark Andrews wrote: I think the reason for the REFUSED is pretty obvious % dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ; EDE: 20 (Not Authoritative) ;; QUESTION SECTION: ;google._domainkey.socialinnovation.ca. IN TXT ;; Query time: 14 msec ;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP) ;; WHEN: Fri Sep 20 09:03:48 AEST 2024 ;; MSG SIZE rcvd: 72 % Now you just need to work out why you where asking 173.245.59.231 rather than the actual nameservers for socialinnovation.ca. socialinnovation.ca. 86400 IN NS dns.rebel.ca. socialinnovation.ca. 86400 IN NS dns2.rebel.ca. dns2.rebel.ca. 86400 IN A 52.10.144.165 dns.rebel.ca. 86400 IN A 52.3.166.104 Hi Mark, Interesting! The only thing I can think of that may be causing this issue is that this e-mail server makes use of SpamAssassin 4.0.0, which would be doing lookups for DKIM, DMARC. Has anyone noticed anything similar ? It only seems to happen with the socialinnovation.ca domain. Thanks, - J -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Determining case of REFUSED queries
On 2024-09-19 19:17, Mark Andrews wrote: I think the reason for the REFUSED is pretty obvious % dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ; EDE: 20 (Not Authoritative) ;; QUESTION SECTION: ;google._domainkey.socialinnovation.ca. IN TXT ;; Query time: 14 msec ;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP) ;; WHEN: Fri Sep 20 09:03:48 AEST 2024 ;; MSG SIZE rcvd: 72 % Now you just need to work out why you where asking 173.245.59.231 rather than the actual nameservers for socialinnovation.ca. socialinnovation.ca. 86400 IN NS dns.rebel.ca. socialinnovation.ca. 86400 IN NS dns2.rebel.ca. dns2.rebel.ca. 86400 IN A 52.10.144.165 dns.rebel.ca. 86400 IN A 52.3.166.104 Hi Mark, Interesting! The only thing I can think of that may be causing this issue is that this e-mail server makes use of SpamAssassin 4.0.0, which would be doing lookups for DKIM, DMARC. Has anyone noticed anything similar ? It only seems to happen with the socialinnovation.ca domain. Thanks, - J -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Determining case of REFUSED queries
I think the reason for the REFUSED is pretty obvious % dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ; <<>> DiG 9.21.0-dev <<>> +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ; EDE: 20 (Not Authoritative) ;; QUESTION SECTION: ;google._domainkey.socialinnovation.ca. IN TXT ;; Query time: 14 msec ;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP) ;; WHEN: Fri Sep 20 09:03:48 AEST 2024 ;; MSG SIZE rcvd: 72 % Now you just need to work out why you where asking 173.245.59.231 rather than the actual nameservers for socialinnovation.ca. socialinnovation.ca. 86400 IN NS dns.rebel.ca. socialinnovation.ca. 86400 IN NS dns2.rebel.ca. dns2.rebel.ca. 86400 IN A 52.10.144.165 dns.rebel.ca. 86400 IN A 52.3.166.104 > On 20 Sep 2024, at 08:48, J Doe wrote: > > Hi list, > > I have BIND 9.18.29 validating recursive resolver running on OpenBSD > 7.5. This resolver performs resolution for a mail server. > > Sometimes in my logs I will see the following: > >17-Sep-2024 16:21:41.562 lame-servers: info: REFUSED unexpected > RCODE resolving 'google._domainkey.socialinnovation.ca/TXT/IN': > 173.245.59.231#53 > > ... but if I manually resolve the address with: dig against the resolver > on the command line of the mail server, no errors are recorded. > > I'd like to determine why sometimes I receive this error. I currently > have logging for this category of errors set to: severity info. Should > I increase this or are there other ways to determine why resolution is > sometimes REFUSED ? > > Thanks, > > - J > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users