I am running BIND 9.18.11-3 on my ASUS router (armv7l, ASUSWRT-Merlin).
It is an authoritative server for my own domains and resolves DNS queries for hosts on my network.
## My problem
These bom.gov.au records return SERVFAIL (no response):
- www.bom.gov.au
- weather.bom.gov.au
However, these bom.gov.au records return NOERROR (with a response):
- search.bom.gov.au
- satview.bom.gov.au
- media.bom.gov.au
- shop.bom.gov.au
All other domains are resolving correctly without error or fail.
This problem started occurring only about 1 week ago (26th April 2023). Prior to that the `www` and `weather` records were resolving correctly. During that time I made no changes to my bind config or zone files (last change was 8th March 2023, DKIM key update).
The `weather` record is used by the BoM Android app which I use every day. This is how I first noticed the problem: the app reported "unable to find the weather". I then tried checking the weather on the BoM website (`www`, using Firefox on my desktop PC) but again it failed. I then manually checked DNS lookups on my router using dig and discovered this SERVFAIL issue.
Lookups of the `www` and `weather` records using `dig +trace` or using public DNS servers (like `@1.1.1.1`) return NOERROR and a response.
## What I have tried
- disabling DNSSEC
- disabling blackhole
- enabling IPv6 responses (normally filtered out by my config)
- clearing bind cache
- restarting bind (cold restart)
None of the above made any difference to the result.
I have debug 10 logging turned on (results below) but it did not reveal the cause of the problem (at least not to me).
`named-checkconf` returns 0 (zero).
## The SERVFAIL
```text
[655] root@router:~ # dig weather.bom.gov.au
; <<>> DiG 9.18.11 <<>> weather.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35769
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56004f0ced2814ac010000006450775eca9d6dc5e0cf4a81 (good)
;; QUESTION SECTION:
;weather.bom.gov.au. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:18 AEST 2023
;; MSG SIZE rcvd: 75
[656] root@router:~ # dig www.bom.gov.au
; <<>> DiG 9.18.11 <<>> www.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7a03ecf8730c7b270100000064507b32d860b9b9ae62d5c1 (good)
;; QUESTION SECTION:
;www.bom.gov.au. IN A
;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:25 AEST 2023
;; MSG SIZE rcvd: 71
```
## My Configuration
`named.conf`
Anything in `<these>` is redacted data.
```text
acl bastion {
    <my public IP>;
};
acl router {
    127.0.0.1; 192.168.9.1;
};
acl lan {
    127.0.0.1; 192.168.9.0/24; 192.168.10.0/24; 192.168.11.0/24;
};
acl blacklist {
    0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
    ! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
};
options {
    directory "/opt/etc/bind";
    version "No information";
    hostname "bastion.<my_domain>.au";
    auth-nxdomain no;
    allow-transfer { none; };
    blackhole { blacklist; };
    listen-on { bastion; router; };
    notify no;
    listen-on-v6 { none; };
    dnssec-validation auto;
};
logging {
    channel file_dbug10 {
        file "/opt/data/logs/bind.log" versions 3 size 10M;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity debug 10;
    };
    channel syslog_info {
        syslog daemon;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    channel syslog_warn {
        syslog daemon;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity warning;
    };
    category config { syslog_info; };
    category default { syslog_info; };
    category dnssec { syslog_warn; };
    category general { syslog_info; };
    category lame-servers { syslog_warn; };
    category notify { syslog_info; };
    # category queries { syslog_info; };
    # category query-errors { file_dbug10; };
    category resolver { syslog_warn; };
    category security { syslog_info; };
    category update { syslog_info; };
    category xfer-in { syslog_info; };
    category xfer-out { syslog_info; };
};
include "rndc.key";
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
view internal {
    match-destinations { router; };
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
    };
    include "named.conf.internal.<my_domain>.au";
    include "named.conf.internal.<my_other_domain>.au";
    include "named.conf.combined.localhost";
    include "named.conf.combined.root.hint";
};
view external {
    match-destinations { bastion; };
    match-clients { any; };
    recursion no;
    plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
    };
    include "named.conf.external.<my_domain>.au";
    include "named.conf.external.<my_other_domain>.au";
    include "named.conf.combined.localhost";
    include "named.conf.combined.root.hint";
};
```
The remaining bind config files are all zone files for my domains (or localhost). I do not believe they relate to this problem but, if required, I can provide them (redacted).
## BIND Log
Below is a cut-down log (lookup used cached results). The full BIND lookup log (from cold boot) is available here.
```text
02-May-2023 10:29:26.906 client: debug 3: client @0x2c629eac 127.0.0.1#52995: UDP request
02-May-2023 10:29:26.906 client: debug 5: client @0x2c629eac 127.0.0.1#52995: view internal: using view 'internal'
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: request is not signed
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: recursion available
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query (cache) 'weather.bom.gov.au/A/IN' approved
02-May-2023 10:29:26.906 resolver: debug 1: fetch: weather.bom.gov.au/A
02-May-2023 10:29:26.906 resolver: debug 10: log_ns_ttl: fctx 0x2cd69128: fctx_create: weather.bom.gov.au (in 'weather.bom.gov.au'?): 1 124171
02-May-2023 10:29:26.906 resolver: debug 5: QNAME minimization - not minimized, qmintype 1 qminname weather.bom.gov.au
02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: found A for name a24-66.akam.net (0x2c677490) in db
02-May-2023 10:29:26.906 resolver: debug 3: fctx 0x2cd69128(weather.bom.gov.au/A): createfind for 127.0.0.1#52995 - success
02-May-2023 10:29:26.906 database: debug 5: dns_adb_destroyfind on find 0x2c660288
02-May-2023 10:29:26.906 query-errors: debug 1: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query failed (SERVFAIL) for weather.bom.gov.au/IN/A at query.c:7775
02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success [domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: reset client
```
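As an added example (written for this page; it is not part of the question and not BIND's own code), the following Python script performs two of the checks a reader of this question would otherwise do by hand. First, it parses the `fetch completed` line from the `query-errors` log above into its rcode and per-fetch counters and turns them into plain observations: `qrysent:0`, for instance, means the resolver gave up before sending a single query upstream, which narrows the search to what happens before a packet leaves the router. Second, it evaluates addresses against the `blacklist` ACL from the posted `named.conf` using BIND's address-match-list semantics (elements are tested in order, the first match wins, and a matching `!` element excludes the address, which is why the three `! 192.168.x.0/24` entries must sit before `192.168.0.0/16`). The log line is the one from the post; the addresses checked are constructed examples and are not the addresses of any real nameserver. One caveat worth knowing when reading the result: `1.0.0.0/8` and `2.0.0.0/8`, both present in the blacklist, are ordinary allocated unicast space (APNIC and RIPE respectively), not bogons, so any authoritative nameserver that happens to live there would be blackholed while that option is on. The poster reports that disabling blackhole made no difference, so this is a check to run against the addresses that appear in the full log rather than a diagnosis.

```python
import ipaddress
import re

# The address-match list from the question's named.conf (blackhole { blacklist; }).
# BIND evaluates the elements in order and stops at the first one that matches;
# a matching '!' element means the address is NOT in the list.
BLACKLIST_ACL = [
    "0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.0.2.0/24", "224.0.0.0/3",
    "! 192.168.9.0/24", "! 192.168.10.0/24", "! 192.168.11.0/24", "192.168.0.0/16",
]

# The query-errors line from the question's log, copied verbatim.
SAMPLE_LOG_LINE = (
    "02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at "
    "resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success "
    "[domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,"
    "lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]"
)

FETCH_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<name>\S+) in (?P<secs>[\d.]+): "
    r"(?P<rcode>\w+)/(?P<result>\w+) \[(?P<fields>[^\]]*)\]"
)


def acl_matches(acl, addr):
    """Return True if addr is matched (and not excluded) by the address-match list."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negate = element.startswith("!")
        net = ipaddress.ip_network(element.lstrip("! ").strip(), strict=False)
        if net.version == ip.version and ip in net:
            return not negate  # first matching element decides
    return False  # nothing matched: the address is not in the list


def parse_fetch_completed(line):
    """Split a 'fetch completed' query-errors line into its rcode and counters."""
    m = FETCH_RE.search(line)
    if m is None:
        return None
    entry = {"name": m.group("name"), "rcode": m.group("rcode"),
             "result": m.group("result"), "seconds": float(m.group("secs"))}
    for item in m.group("fields").split(","):
        key, _, value = item.partition(":")
        entry[key] = int(value) if value.isdigit() else value
    return entry


def triage(entry):
    """Turn the counters of a SERVFAIL fetch into plain-language observations."""
    notes = []
    if entry is None or entry["rcode"] != "SERVFAIL":
        return notes
    if entry.get("qrysent", 0) == 0:
        notes.append("no upstream query was sent: the fetch failed before any server was contacted")
    if entry.get("valfail", 0):
        notes.append("DNSSEC validation failed %d time(s)" % entry["valfail"])
    if entry.get("timeout", 0):
        notes.append("%d upstream query/queries timed out" % entry["timeout"])
    if entry.get("lame", 0) or entry.get("badresp", 0):
        notes.append("lame or malformed responses were received")
    if entry.get("adberr", 0) or entry.get("findfail", 0):
        notes.append("nameserver address lookup (ADB) problems were counted")
    return notes


def blackholed(addrs, acl=BLACKLIST_ACL):
    """Return the subset of addrs that the blackhole list would refuse to talk to."""
    return [a for a in addrs if acl_matches(acl, a)]


if __name__ == "__main__":
    entry = parse_fetch_completed(SAMPLE_LOG_LINE)
    print(entry["name"], entry["rcode"], entry["result"])
    for note in triage(entry):
        print(" -", note)
    # Constructed addresses for illustration, not those of any real nameserver.
    for addr in ["1.2.3.4", "192.168.9.5", "192.168.50.5", "203.0.113.7"]:
        print(addr, "blackholed" if acl_matches(BLACKLIST_ACL, addr) else "allowed")
```

To use it on the full log, feed every `query-errors` line through `parse_fetch_completed` and collect the addresses printed by the `dns_adb_createfind` lines into `blackholed`; an empty result from `blackholed` rules the ACL out for those addresses, while any hit is worth comparing against the `blackhole` setting that was in force at the time.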