
I am running BIND 9.18.11-3 on my ASUS router (armv7l, ASUSWRT-Merlin).
It is an authoritative server for my own domains and resolves DNS queries for hosts on my network.

My problem

These bom.gov.au records return SERVFAIL (no response):

However, these bom.gov.au records return NOERROR (with a response):

  • search.bom.gov.au
  • satview.bom.gov.au
  • media.bom.gov.au
  • shop.bom.gov.au

All other domains are resolving correctly without error or fail.

This problem started occurring only about 1 week ago (26th April 2023). Prior to that the www and weather records were resolving correctly. During that time I made no changes to my bind config or zone files (last change was 8th March 2023, DKIM key update).

The weather record is used by the BoM Android app which I use every day. This is how I first noticed the problem, the app reported "unable to find the weather". I then tried checking the weather on the BoM website (www using Firefox on my desktop PC) but again it failed. I then manually checked DNS lookups on my router using dig and discovered this SERVFAIL issue.

Lookups of the www and weather records using dig +trace or using public DNS servers (like @1.1.1.1) return NOERROR and a response.

What I have tried

  • disabling DNSSEC
  • disabling blackhole
  • enabling IPv6 responses (normally filtered out by my config)
  • clearing bind cache
  • restarting bind (cold restart)

None of the above made any difference to the result.

I have debug 10 logging turned on (results below) but it did not reveal the cause of the problem (at least not to me).

named-checkconf returns 0 (zero)

The SERVFAIL

[655] root@router:~ # dig weather.bom.gov.au

; <<>> DiG 9.18.11 <<>> weather.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35769
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56004f0ced2814ac010000006450775eca9d6dc5e0cf4a81 (good)
;; QUESTION SECTION:
;weather.bom.gov.au.            IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:18 AEST 2023
;; MSG SIZE  rcvd: 75

[656] root@router:~ # dig www.bom.gov.au

; <<>> DiG 9.18.11 <<>> www.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7a03ecf8730c7b270100000064507b32d860b9b9ae62d5c1 (good)
;; QUESTION SECTION:
;www.bom.gov.au.                        IN      A

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:25 AEST 2023
;; MSG SIZE  rcvd: 71

My Configuration

named.conf

Anything in <these> is redacted data.

acl bastion {
        <my public IP>;
};

acl router {
        127.0.0.1; 192.168.9.1;
};

acl lan {
        127.0.0.1; 192.168.9.0/24; 192.168.10.0/24; 192.168.11.0/24;
};

acl blacklist {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
        ! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
};

options {
        directory               "/opt/etc/bind";
        version                 "No information";
        hostname                "bastion.<my_domain>.au";

        auth-nxdomain           no;

        allow-transfer          { none; };
        blackhole               { blacklist; };
        listen-on               { bastion; router; };
        notify                  no;

        listen-on-v6            { none; };

        dnssec-validation       auto;
};

logging {

        channel file_dbug10 {
                file            "/opt/data/logs/bind.log" versions 3 size 10M;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        debug 10;
        };

        channel syslog_info {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        info;
        };

        channel syslog_warn {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        warning;
        };

        category config         { syslog_info; };
        category default        { syslog_info; };
        category dnssec         { syslog_warn; };
        category general        { syslog_info; };
        category lame-servers   { syslog_warn; };
        category notify         { syslog_info; };
#       category queries        { syslog_info; };
#       category query-errors   { file_dbug10; };
        category resolver       { syslog_warn; };
        category security       { syslog_info; };
        category update         { syslog_info; };
        category xfer-in        { syslog_info; };
        category xfer-out       { syslog_info; };
};

include "rndc.key";

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

view internal {

        match-destinations      { router; };
        match-clients           { lan; };

        recursion               yes;
        allow-recursion         { lan; };

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.internal.<my_domain>.au";
        include "named.conf.internal.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

view external {

        match-destinations      { bastion; };
        match-clients           { any; };

        recursion               no;

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.external.<my_domain>.au";
        include "named.conf.external.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

The remaining bind config files are all zone files for my domains (or localhost). I do not believe they relate to this problem but, if required, I can provide them (redacted).

BIND Log

Below is a cut-down log (lookup used cached results). The full BIND lookup log (from cold boot) is available here.

02-May-2023 10:29:26.906 client: debug 3: client @0x2c629eac 127.0.0.1#52995: UDP request
02-May-2023 10:29:26.906 client: debug 5: client @0x2c629eac 127.0.0.1#52995: view internal: using view 'internal'
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: request is not signed
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: recursion available
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query (cache) 'weather.bom.gov.au/A/IN' approved
02-May-2023 10:29:26.906 resolver: debug 1: fetch: weather.bom.gov.au/A
02-May-2023 10:29:26.906 resolver: debug 10: log_ns_ttl: fctx 0x2cd69128: fctx_create: weather.bom.gov.au (in 'weather.bom.gov.au'?): 1 124171
02-May-2023 10:29:26.906 resolver: debug 5: QNAME minimization - not minimized, qmintype 1 qminname weather.bom.gov.au
02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: found A for name a24-66.akam.net (0x2c677490) in db
02-May-2023 10:29:26.906 resolver: debug 3: fctx 0x2cd69128(weather.bom.gov.au/A): createfind for 127.0.0.1#52995 - success
02-May-2023 10:29:26.906 database: debug 5: dns_adb_destroyfind on find 0x2c660288
02-May-2023 10:29:26.906 query-errors: debug 1: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query failed (SERVFAIL) for weather.bom.gov.au/IN/A at query.c:7775
02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success [domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: reset client

1 Answer

One of the authoritative nameservers for www.bom.gov.au is a24-66.akam.net.

a24-66.akam.net has IPv4 address 2.16.130.66.

However, your BIND configuration blackholes 2.0.0.0/8.

  • Brilliant! Thank you! I added !2.16.130.66; to my blacklist acl and the problem is resolved.
    – protogen
    Commented Aug 24, 2023 at 20:50
  • It seems so obvious now but I did not think of checking this. How did you discover/check it? I had to write a short bit of code for H in $(nslookup -type=ns www.bom.gov.au 1.1.1.1 | awk '/nameserver/ {print $4}'); do echo -n "$H "; nslookup -type=a $H 1.1.1.1 | awk '/^Address: [0-9]/ {print $2}'; done. Is there a quicker/easier way?
    – protogen
    Commented Aug 24, 2023 at 20:52
  • I had the same problem to deal with on an inherited nameserver and remembered that in 2009 1.0.0.0/8 and 2.0.0.0/8 were reassigned for public use. See link
    Commented Aug 25, 2023 at 0:23
  • Thank you for the link. I was not aware of the reassignment. My BIND config and zones were originally created in the late 90's (hence the inclusion of 1.0.0.0/8 and 2.0.0.0/8). I'll consider removing them from my blacklist acl.
    – protogen
    Commented Aug 25, 2023 at 4:14
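The answer points at the cause but does not show how to check an ACL for it, and the first comment asks for a quicker way than a shell loop. The script below is an added example, not code from the question, the answer or ISC; it applies BIND's address-match-list rule to the question's `blacklist` acl verbatim and reports which nameserver addresses the `blackhole` option would drop. BIND evaluates such a list top to bottom and the first element containing the address decides: a plain element means "match", a `!` element means "no match", and an address that hits no element does not match. This is why the `! 192.168.9.0/24` entries have to precede `192.168.0.0/16`, and why a host exception for 2.16.130.66 only takes effect if it is placed before `2.0.0.0/8`. It also fits the debug log above, where the fetch ends with `SERVFAIL` and `qrysent:0`: the resolver never sent a query, because its only usable server address was blackholed. The nameserver-to-address table is constructed for the example (only `a24-66.akam.net` / 2.16.130.66 comes from the answer); on a real check you would fill it from `dig +short NS` and `dig +short A` output.

```python
"""Added example: apply BIND's address-match-list (ACL) rule to the
question's 'blacklist' acl and report which nameserver addresses the
'blackhole' option would drop.

BIND evaluates an ACL top to bottom; the FIRST element that contains the
address decides.  A plain element means 'match', a negated ('!') element
means 'no match'; an address that hits no element does not match.
"""
import ipaddress

# The 'blacklist' acl body from the question, verbatim.
BLACKLIST_ACL = """
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
        ! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
"""

# Constructed sample of NS name -> IPv4 address.  a24-66.akam.net /
# 2.16.130.66 is the pair named in the answer; the other two are made-up
# stand-ins in documentation address space.  For a real check, fill this
# from 'dig +short NS <zone>' followed by 'dig +short A <nameserver>'.
SAMPLE_NS = {
    "a24-66.akam.net": "2.16.130.66",
    "ns-a.example.net": "203.0.113.10",
    "ns-b.example.net": "198.51.100.7",
}


def parse_acl(body):
    """Parse an ACL body into an ordered list of (negated, network).

    Handles address and prefix elements only (not nested acl names, keys,
    'any' or 'none'); a bare address becomes a host prefix, as in BIND.
    """
    elements = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def acl_matches(elements, address):
    """Return True if BIND would consider 'address' matched by the ACL."""
    addr = ipaddress.ip_address(address)
    for negated, net in elements:
        if addr.version == net.version and addr in net:
            return not negated      # first containing element decides
    return False


def blackholed_nameservers(acl_body, ns_addrs):
    """Names of nameservers whose address the blackhole ACL would drop."""
    elements = parse_acl(acl_body)
    return sorted(ns for ns, a in ns_addrs.items() if acl_matches(elements, a))


def with_exception(acl_body, host):
    """Prepend a negated host exception so it is evaluated before the broad
    prefixes.  Order matters: appended after 2.0.0.0/8, an exception for a
    2.x.x.x address would never be reached."""
    return "! %s;\n" % host + acl_body


if __name__ == "__main__":
    print("blackholed:", blackholed_nameservers(BLACKLIST_ACL, SAMPLE_NS))
    fixed = with_exception(BLACKLIST_ACL, "2.16.130.66")
    print("after exception:", blackholed_nameservers(fixed, SAMPLE_NS))
```

Run it as-is to see `a24-66.akam.net` reported and then cleared by the prepended exception; to check your own resolver, replace `SAMPLE_NS` with the zone's real NS names and addresses and paste your own `blackhole` acl body into `BLACKLIST_ACL`. The same function also shows why the LAN ranges survive the `192.168.0.0/16` entry: `acl_matches(parse_acl(BLACKLIST_ACL), "192.168.9.1")` is False because the negated `/24` is hit first.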
