[Pdns-users] SERVFAIL on all requests

bert hubert bert.hubert at powerdns.com
Mon May 25 21:01:56 UTC 2020


On Mon, May 25, 2020 at 04:46:15PM -0400, Dave Burkholder via Pdns-users wrote:
> I did wonder too if there's an issue of reaching root servers, or firewall
> modifying responses, so I did try installing unbound on the same machine,
> and it's working fine.  unbound on port 3053 always works, but pdns on
> port 2053 always FAIL.

Your network is faulty:

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  com: Trying IP 202.12.27.33:53, asking 'com|A' 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms

If it happens to work for unbound, well, good luck there.  But as long as
someone is intercepting your traffic to the root servers and modifying it,
all bets are off.

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  reddit.com: Trying IP 192.58.128.30:53, asking 'reddit.com|A' 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  reddit.com: Got 4 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 'reddit.com|A|151.101.1.140' in the answer section without the AA bit set received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 'reddit.com|A|151.101.193.140' in the answer section without the AA bit set received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 'reddit.com|A|151.101.65.140' in the answer section without the AA bit set received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 'reddit.com|A|151.101.129.140' in the answer section without the AA bit set received from .

This is also a clear indication someone is intercepting and breaking your
traffic to root servers. The real J-root will not answer with IP addresses
for reddit.com.

	Bert


> 
> Regards,
> 
> Dave
> 
> On 5/25/20 4:04 PM, bert hubert wrote:
> >On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users wrote:
> >>When I enable trace, I get lines like:
> >>
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  bing.com: Got 3 answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 6ms
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 'bing.com|A|204.79.197.200' in the answer section without the AA bit set received from .
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 'bing.com|A|13.107.21.200' in the answer section without the AA bit set received from .
> >Could you please send a complete output of trace? It appears someone is
> >intercepting and changing your DNS responses.
> >
> >Thanks!
> >
> >	Bert
> >

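The indicator discussed in this message (a root server returning answer records for a name below a TLD, with aa=0, which the recursor then discards) can be searched for in a saved trace. The following is an added example, not code from the thread or from PowerDNS; it assumes the trace line format quoted above, and the sample lines and function name are constructed for illustration.

```python
import re

PREFIX = r"pdns_recursor\[(?P<pid>\d+)\]: \[(?P<tid>\d+)\]\s+"
# "Got N answers" summary line, restricted to replies attributed to root servers.
GOT = re.compile(PREFIX + r"(?P<qname>\S+): Got (?P<n>\d+) answers from "
                 r"(?P<server>[a-m]\.root-servers\.net) \((?P<ip>[^)]+)\), "
                 r"rcode=\d+ \([^)]*\), aa=(?P<aa>[01])")
# Record the recursor discarded because the root zone (".") sent it without AA.
REMOVED = re.compile(PREFIX + r"Removing record '(?P<name>[^|']+)\|(?P<type>[^|']+)"
                     r"\|(?P<data>[^']*)' in the answer section without the AA bit "
                     r"set received from \.\s*$")

# Constructed sample lines (documentation names and addresses), not from the thread.
SAMPLE = """\
May 25 16:14:04 host pdns_recursor[100]: [1]  com: Got 0 answers from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms
May 25 16:14:04 host pdns_recursor[100]: [1]  example.com: Got 2 answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 62ms
May 25 16:14:04 host pdns_recursor[100]: [1]  Removing record 'example.com|A|192.0.2.10' in the answer section without the AA bit set received from .
May 25 16:14:04 host pdns_recursor[100]: [1]  Removing record 'example.com|A|192.0.2.11' in the answer section without the AA bit set received from .
May 25 16:14:05 host pdns_recursor[100]: [2]  example.org: Got 1 answers from ns1.example.net (198.51.100.53), rcode=0 (No Error), aa=1, in 20ms
"""

def suspicious_root_answers(lines):
    """Return one finding per root-server reply that carried non-authoritative answers."""
    findings, current = [], {}
    for line in lines:
        m = GOT.search(line)
        if m:
            key = (m["pid"], m["tid"])
            current.pop(key, None)  # a new root reply ends the previous one on this thread
            if int(m["n"]) > 0 and m["aa"] == "0":
                current[key] = {"qname": m["qname"], "server": m["server"],
                                "ip": m["ip"], "records": []}
                findings.append(current[key])
            continue
        m = REMOVED.search(line)
        if m and (m["pid"], m["tid"]) in current:
            current[(m["pid"], m["tid"])]["records"].append(m["data"])
    return findings

if __name__ == "__main__":
    for f in suspicious_root_answers(SAMPLE.splitlines()):
        print(f"{f['server']} ({f['ip']}) answered {f['qname']} without AA: {f['records']}")
```

A non-empty result means replies attributed to root server addresses contained answer-section data that a root referral would not carry, which points at something on the path rewriting port 53 traffic.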


