[opensuse] DNS/Bind9 - success resolving 'XXX' after reducing the advertised EDNS UDP packet size to 512 octets
All,

This is more a general question about a rash of DNS resolution issues that seem to be on the increase on my ipv4 network lately. They basically have to do with Bind 9 trying to resolve names with EDNS (and I guess the default UDP packet size of 4K). I don't handle ipv6 at all. In my named.conf I have:

    listen-on-v6 { none; };

But regardless, I end up with a slew of messages, e.g.

    error (network unreachable) resolving 'gateway.discord.gg/A/IN': 2001:630:0:9::14#53
    success resolving 'gateway.discord.gg/A' (in 'discord.gg'?) after reducing the advertised EDNS UDP packet size to 512 octets

I don't understand why I'm seeing the attempts to resolve the ipv6 address to begin with? However, the same issue seems to affect normal ipv4 addresses, even opensuse.org, e.g.

    Dec 30 22:03:48 nirvana named[15060]: success resolving 'www.opensuse.org/A' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
    Dec 30 22:03:54 nirvana named[15060]: success resolving 'nshou1.novell.com/A' (in 'novell.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
    Dec 30 22:03:54 nirvana named[15060]: success resolving 'nshou1.novell.com/AAAA' (in 'novell.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
    Dec 30 22:03:54 nirvana named[15060]: success resolving 'opensuse.org/A' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
    Dec 30 22:03:54 nirvana named[15060]: success resolving 'opensuse.org/AAAA' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets

From Bind9ARM, I have set the EDNS UDP packet size to 512, but I'm still having the problems. I have included:

    edns-udp-size 512;

and I still do not eliminate the "success ... after reducing the advertised EDNS UDP packet size to 512 octets" messages that are logged. The EDNS resolution is working, but only for 512 octets (the related posts seem to indicate this is a problem largely to do with misconfigured load-balancing and failover configurations of the target machines). I don't recall seeing much of this before a month or two ago -- so I don't know if it is at all related to the DNS over http growing pains or what...

Has anyone else run into this problem -- or have a solution? The time it takes for Bind to try from UDP size of 4096 (default) to 512 on some sites with 50 linked domains can be quite noticeable.

-- 
David C. Rankin, J.D.,P.E.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
David C. Rankin wrote:
> I don't handle ipv6 at all. In my named.conf I have:
>
>     listen-on-v6 { none; };
>
> But regardless, I end up with a slew of messages, e.g.
>
>     error (network unreachable) resolving 'gateway.discord.gg/A/IN': 2001:630:0:9::14#53
If your name server has IPv6, it will still use it for resolving; your config above will only stop it accepting queries over IPv6. I see gateway.discord.gg:

    janeway:~ # host gateway.discord.gg
    gateway.discord.gg has address 162.159.134.234
    gateway.discord.gg has address 162.159.135.234
    gateway.discord.gg has address 162.159.136.234
    gateway.discord.gg has address 162.159.130.234
    gateway.discord.gg has address 162.159.133.234
    janeway:~ # host 2001:630:0:9::14
    4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.0.0.0.0.0.0.3.6.0.1.0.0.2.ip6.arpa domain name pointer ns0.ja.net.

>     success resolving 'gateway.discord.gg/A' (in 'discord.gg'?) after reducing the advertised EDNS UDP packet size to 512 octets

Possibly a firewall issue - firewall only accepting DNS packets of size 512? If you google that, there are plenty of hits, e.g. https://kb.isc.org/docs/aa-00708 (I don't know if that article is useful).

> I don't understand why I'm seeing the attempts to resolve the ipv6 address to begin with?
If the domain you're doing a lookup on has nameservers with IPv6 addresses, and your name server too, they will be used. That is perfectly normal.
> I don't recall seeing much of this before a month or two ago -- so I don't know if it is at all related to the DNS over http growing pains or what...

fwiw, I'm running bind 9.7.4-P1, and I'm not seeing those messages. I guess a newer version might show them. AFAIU, EDNS is about increasing the max bind packet size - are you implementing DNSSEC? That is the only place I have come across EDNS.

-- 
Per Jessen, Zürich (-0.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 31/12/2019 05.19, David C. Rankin wrote:

> All,
>
> This is more a general question about a rash of DNS resolution issues that seem to be on the increase on my ipv4 network lately. They basically have to do with Bind 9 trying to resolve names with EDNS (and I guess the default UDP packet size of 4K)

Is this with Leap 15.1 or something else? I have:

    cer@Telcontar:~> rpm -q bind
    bind-9.11.2-lp151.11.6.1.x86_64
    cer@Telcontar:~>

What is EDNS? How do you test for this? I try:

    cer@Telcontar:~> host gateway.discord.gg
    gateway.discord.gg has address 162.159.134.234
    gateway.discord.gg has address 162.159.130.234
    gateway.discord.gg has address 162.159.135.234
    gateway.discord.gg has address 162.159.136.234
    gateway.discord.gg has address 162.159.133.234
    cer@Telcontar:~>
    cer@Telcontar:~> time host gateway.discord.gg
    gateway.discord.gg has address 162.159.130.234
    gateway.discord.gg has address 162.159.133.234
    gateway.discord.gg has address 162.159.136.234
    gateway.discord.gg has address 162.159.135.234
    gateway.discord.gg has address 162.159.134.234

    real    0m0,053s
    user    0m0,041s
    sys     0m0,000s
    cer@Telcontar:~>

And I get nothing in "/var/log/named".

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On 2019/12/30 20:19, David C. Rankin wrote:
> All,
>
>     edns-udp-size 512;
>
> and I still do not eliminate the "success ... after reducing the advertised EDNS UDP packet size to 512 octets" messages that are logged. The EDNS resolution is working, but only for 512 octets (the related posts seem to indicate this is a problem largely to do with misconfigured load-balancing and failover configurations of the target machines).
>
> I don't recall seeing much of this before a month or two ago -- so I don't know if it is at all related to the DNS over http growing pains or what...
----
DNS over http is just evil, as is http over https (except for financial/health sites, etc)..

> Has anyone else run into this problem -- or have a solution? The time it takes for Bind to try from UDP size of 4096 (default) to 512 on some sites with 50 linked domains can be quite noticeable.

I had that problem back around 5 years ago -- some dns servers are just running with more conservative settings. Anyway, I include it in my bind setup...a file with entries like:

    server "cable.net.co" { edns-udp-size 512; };
    server "catherineshefski.com" { edns-udp-size 512; };
    server "chilan.com" { edns-udp-size 512; };
    server "dehy.de" { edns-udp-size 512; };
    server "dfwright.net" { edns-udp-size 512; };

Was going to automate it, but the static took care of most cases, so never bothered. But yeah -- that file is dated 2014 -- so it's been a problem for a while.
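An added example, not code from this thread or from BIND, that answers Carlos's "What is EDNS? How do you test for this?" and sketches the automation L A Walsh mentioned. It builds a query with the EDNS0 OPT record (the advertised UDP payload size lives in the OPT record's CLASS field), reads the size back out of a packet, models the resolver stepping down when the large-buffer query gets no answer, and tallies the "after reducing the advertised EDNS UDP packet size" log lines from the first post by zone. The step-down order 4096, then 512, then plain DNS without EDNS is an assumption taken from the thread's description of BIND's behaviour, not BIND's code; the "strict 512" upstream is a constructed stand-in for a server or firewall that drops larger queries.

```python
"""EDNS0 on the wire, a modelled buffer-size step-down, and a tally of named's
step-down log lines. Added example; assumptions are marked in comments."""
import re
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)
# Assumption: sizes a resolver advertises in turn; None means a plain query with no OPT RR.
EDNS_STEPDOWN = (4096, 512, None)


def build_query(qname, qtype=1, txid=0x1234, edns_udp_size=4096):
    """Build a DNS query. edns_udp_size=None omits the OPT RR (pre-EDNS query);
    otherwise one OPT RR is placed in the additional section and the advertised
    UDP payload size is carried in its CLASS field."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    packet = header + question
    if edns_udp_size is not None:
        # NAME=root, TYPE=OPT, CLASS=UDP payload size, TTL=ext-RCODE/version/flags=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return packet


def _skip_name(packet, pos):
    """Return the offset just past a wire-format name (compression pointers are 2 bytes)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def advertised_udp_size(packet):
    """Return the UDP payload size from the message's OPT RR, or None if it has no EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == OPT_TYPE:
            return rclass
        pos += 10 + rdlen
    return None


def resolve_with_stepdown(qname, upstream, steps=EDNS_STEPDOWN):
    """Send the query once per advertised size until `upstream` answers.
    `upstream` takes a packet and returns a response, or None for a timeout.
    Returns (response, size_that_worked, sizes_tried)."""
    tried = []
    for size in steps:
        tried.append(size)
        response = upstream(build_query(qname, edns_udp_size=size))
        if response is not None:
            return response, size, tried
    return None, None, tried


def strict_512_upstream(packet):
    """Constructed stand-in for a server (or a firewall in front of it) that
    silently drops any query advertising more than 512 octets."""
    size = advertised_udp_size(packet)
    if size is not None and size > 512:
        return None  # dropped: the resolver only sees a timeout
    return packet[:2] + b"\x81\x80" + packet[4:]  # echo back with QR and RA set


# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Dec 30 22:03:48 nirvana named[15060]: success resolving 'www.opensuse.org/A' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 30 22:03:54 nirvana named[15060]: success resolving 'nshou1.novell.com/A' (in 'novell.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 30 22:03:54 nirvana named[15060]: success resolving 'nshou1.novell.com/AAAA' (in 'novell.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 30 22:03:54 nirvana named[15060]: success resolving 'opensuse.org/A' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
Dec 30 22:03:54 nirvana named[15060]: success resolving 'opensuse.org/AAAA' (in 'opensuse.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""
FALLBACK_RE = re.compile(
    r"success resolving '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)' \(in '(?P<zone>[^']+)'\?\) "
    r"after reducing the advertised EDNS UDP packet size to (?P<size>\d+) octets")


def zones_with_fallback(log_text):
    """Count step-down events per zone: the list a per-server override or a
    complaint to the zone's operator would be built from."""
    counts = {}
    for line in log_text.splitlines():
        m = FALLBACK_RE.search(line)
        if m:
            counts[m["zone"]] = counts.get(m["zone"], 0) + 1
    return counts


if __name__ == "__main__":
    print("advertised size in a default query:", advertised_udp_size(build_query("www.opensuse.org")))
    _, worked, tried = resolve_with_stepdown("www.opensuse.org", strict_512_upstream)
    print("sizes tried:", tried, "answered at:", worked)
    print("zones needing step-down:", zones_with_fallback(SAMPLE_LOG))
```

To test a live authoritative server the same way, send it the same question with different advertised sizes and see which ones get an answer, e.g. `dig +norecurse +bufsize=4096 @ns0.ja.net gateway.discord.gg A`, then the same with `+bufsize=512`, then with `+noedns`. A server that answers only the last two is the case the named message describes; if it answers all three from one vantage point but not from yours, the filtering is on your path.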
L A Walsh wrote:
> > Has anyone else run into this problem -- or have a solution? The time it takes for Bind to try from UDP size of 4096 (default) to 512 on some sites with 50 linked domains can be quite noticeable.
>
> I had that problem back around 5 years ago -- some dns servers are just running with more conservative settings.
>
> Anyway, I include it in my bind setup...a file with entries like:
>
>     server "cable.net.co" { edns-udp-size 512; };
>     server "catherineshefski.com" { edns-udp-size 512; };
>     server "chilan.com" { edns-udp-size 512; };
>     server "dehy.de" { edns-udp-size 512; };
>     server "dfwright.net" { edns-udp-size 512; };
Yeah, I came across that option too, but maintaining such a list seemed too much effort. Not that I can find anything to put in it :-)
> Was going to automate it, but the static took care of most cases, so never bothered. But yeah -- that file is dated 2014 -- so it's been a problem for a while.

edns is quite old; one of the RFCs is from 98 or 99.

-- 
Per Jessen, Zürich (2.8°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 01/02/2020 06:11 AM, Per Jessen wrote:
> > I had that problem back around 5 years ago -- some dns servers are just running with more conservative settings.
> >
> > Anyway, I include it in my bind setup...a file with entries like:
> >
> >     server "cable.net.co" { edns-udp-size 512; };
> >     server "catherineshefski.com" { edns-udp-size 512; };
> >     server "chilan.com" { edns-udp-size 512; };
> >     server "dehy.de" { edns-udp-size 512; };
> >     server "dfwright.net" { edns-udp-size 512; };
>
> Yeah, I came across that option too, but maintaining such a list seemed too much effort. Not that I can find anything to put in it :-)
>
> > Was going to automate it, but the static took care of most cases, so never bothered. But yeah -- that file is dated 2014 -- so it's been a problem for a while.

An update. It seems this was caused by a piece of equipment replaced by my cable company. And it also seems that as they squeeze out the experienced higher-paid technicians, those left over are quite incompetent to correctly configure the cable equipment. There was a recent outage at our head-end and something got replaced to fix it. And whatever it was remained misconfigured for quite a while, flooding our system with ipv6. (It seemed like they flipped the prefer ipv4/ipv6 switch, so our system was left trying to run on that traffic until it squawked enough to get an ipv4 resolution from the cable co. DNS servers.)

I don't pretend to understand in detail the what or how, and why it gave my DNS fits, other than my box was having to work a whole lot harder to get an address resolved in a form it understood than it normally did. They must have paid the smart folks to come back in and bail them out, because things have settled back to normal on my end (with no changes from me). Though the upside was I was forced back into the Bind9ARM.pdf, which I hadn't had to browse through in quite a while....

-- 
David C. Rankin, J.D.,P.E.