
I have 3 DNS servers running BIND 9.9.4 (RHEL7), configured as 1 master and 2 slaves. Today I found that requesting the domain "desktop.telegram.org" causes SERVFAIL on all of these servers. Requesting other domains still works.

```
# dig @127.0.0.1 desktop.telegram.org +trace
```

works fine.

Some debug output below:

```
# rndc trace 9
# grep '127.0.0.1' /var/named/data/named.run
31-May-2017 15:41:25.683 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:25.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:25.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:25.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:25.684 client 127.0.0.1#56542: query
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:30.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:30.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:30.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:30.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:30.684 client 127.0.0.1#56542: query
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
31-May-2017 15:41:35.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:35.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:35.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:35.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:35.684 client 127.0.0.1#56542: query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query failed (SERVFAIL) for desktop.telegram.org/IN/A at query.c:7003
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): error
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): send
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): sendto
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): senddone
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
```

named.conf:

```
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        version         "none";
        allow-recursion { 127.0.0.1; my.internal.dns.server.ip1; my.internal.dns.server.ip2; };
        dnssec-enable yes;
        dnssec-validation auto;
        notify no;
        allow-transfer { none; };
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
};
include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
zone "." IN {
        type hint;
        file "/var/named/named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "mydomain.com" {
        type slave;
        file "mydomain.com";
        masters { master.server.ip; };
};
```

zone ... (my domains)

UPD: After the daemon restart, the problem went away. I did not restart the daemon on one of the servers, so that the problem can be reproduced if necessary.
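The trace above carries more than the final SERVFAIL. Every `UDP request` comes from the same client socket (`127.0.0.1#56542`) exactly 5 s apart, which is dig retransmitting with its default timeout; the resolver is still busy with the first copy, so the second and third are rejected as `duplicate query`, and the SERVFAIL arrives about 10 s after the first request, i.e. when the recursion gave up. The `+trace` run working is consistent with this: with `+trace` dig walks the delegation itself with non-recursive queries, so the local named never has to recurse or validate. The script below is an added example (not the question author's code) that parses BIND client-trace lines in this format, groups them by client socket and reports the rcode, the number of retransmits and the time to answer for every request that ended in SERVFAIL. The embedded log is a constructed subset of the lines from the question; `parse_named_run`, `triage` and `servfail_clients` are names chosen here.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the named.run lines shown in the question above.
SAMPLE_LOG = """\
31-May-2017 15:41:25.683 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:30.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query failed (SERVFAIL) for desktop.telegram.org/IN/A at query.c:7003
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
"""

# One BIND client-trace line: timestamp, "client <ip>#<port>", optional "(qname)", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<client>\S+?)"
    r"(?: \((?P<qname>[^)]+)\))?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"query failed \((?P<rcode>\w+)\) for (?P<q>\S+)")


def parse_named_run(text):
    """Return a list of event dicts for the lines that match the client-trace format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other categories (resolver, lame-servers, ...) are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "client": m["client"],
            "qname": m["qname"],
            "msg": m["msg"],
        })
    return events


def triage(events):
    """Group events by client socket (ip#port) and summarize what happened to each one.

    dig keeps the same source port when it retransmits, so all retries of one
    lookup land on one key; the resolver logs the retransmits as 'duplicate query'.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    report = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        first_ts = evs[0]["ts"]
        summary = {
            "qnames": sorted({e["qname"] for e in evs if e["qname"]}),
            "requests": sum(1 for e in evs if e["msg"] == "UDP request"),
            "duplicates": sum(1 for e in evs if "duplicate query" in e["msg"]),
            "rcode": None,
            "seconds_to_answer": None,
        }
        for e in evs:
            m = FAIL_RE.search(e["msg"])
            if m:
                summary["rcode"] = m["rcode"]
                summary["seconds_to_answer"] = (e["ts"] - first_ts).total_seconds()
        report[client] = summary
    return report


def servfail_clients(report):
    """Only the clients whose request ended in SERVFAIL, for filtering a large log."""
    return {c: s for c, s in report.items() if s["rcode"] == "SERVFAIL"}


if __name__ == "__main__":
    # Usage: python triage.py /var/named/data/named.run   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, s in servfail_clients(triage(parse_named_run(text))).items():
        print(f"{client}: {s['qnames']} -> {s['rcode']} after {s['seconds_to_answer']}s, "
              f"{s['requests']} UDP requests of which {s['duplicates']} duplicates")
```

On the sample this reports one client, three UDP requests, two duplicates and SERVFAIL after 10.001 s. Run against a full `named.run` at trace level 9 it separates "the resolver answered SERVFAIL quickly" (a validation or lame-delegation problem) from "the resolver timed out" (no data could be fetched at all), which is the first thing to know before looking at the resolver-category lines for the same timestamps.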

  • Not related but: 1) do not use DLV anymore, it is deprecated; 2) it is considered very bad practice to mix authoritative and recursive nameserver roles in the same setup, think about separating them. – Patrick Mevzek Jun 02 '17 at 19:35
  • Does `dig @127.0.0.1 desktop.telegram.org +cd` work? – Patrick Mevzek Jun 02 '17 at 19:38
  • @PatrickMevzek, today I found out that after the weekend the DNS server which I didn't reboot can resolve the desktop.telegram.org properly. So, unfortunately, the exact cause of the problem became impossible to find out. – Alexey Reytsman Jun 05 '17 at 10:03
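The `+cd` check suggested in the comments is the standard way to tell a DNSSEC validation failure apart from a plain resolution failure on a validating resolver (this named has `dnssec-validation auto`): `+cd` sets the Checking Disabled bit, so the resolver still recurses but skips validation. SERVFAIL without `+cd` and NOERROR with it means the data is reachable and validation is what fails (broken chain, expired signatures, clock skew, or stale trust anchors); SERVFAIL both ways means the resolver cannot fetch the data at all. Below is an added example (not from the question or the commenters) that runs both queries against each resolver with `dig` and classifies the pair. It assumes `dig` is on PATH; the server addresses in `__main__` are placeholders, the sample dig headers are constructed for offline use, and `parse_dig`, `classify`, `run_dig` and `check_servers` are names chosen here.

```python
import re
import subprocess

# Constructed sample dig header sections, used so the parser can be exercised offline.
SAMPLE_PLAIN_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_CD_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_PLAIN_NOERROR_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[^;]*);")


def parse_dig(output):
    """Pull the rcode and the header flags out of dig's text output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    return {
        "status": status["status"] if status else None,
        "flags": set(flags["flags"].split()) if flags else set(),
    }


def classify(plain, with_cd):
    """Compare a normal query with the same query sent with +cd (checking disabled).

    SERVFAIL without +cd, NOERROR with +cd -> data is reachable, validation is what fails
    SERVFAIL both ways                     -> the resolver cannot fetch the data at all
    NOERROR without +cd                    -> nothing wrong; the 'ad' flag means it validated
    """
    if plain["status"] == "SERVFAIL" and with_cd["status"] == "NOERROR":
        return "dnssec-validation-failure"
    if plain["status"] == "SERVFAIL" and with_cd["status"] == "SERVFAIL":
        return "resolution-failure"
    if plain["status"] == "NOERROR":
        return "validated" if "ad" in plain["flags"] else "ok-unvalidated"
    return "other:%s/%s" % (plain["status"], with_cd["status"])


def run_dig(server, name, cd=False):
    """Run dig once against one server (assumes dig is on PATH) and parse the result."""
    args = ["dig", "@" + server, name, "A", "+time=5", "+tries=1"] + (["+cd"] if cd else [])
    proc = subprocess.run(args, capture_output=True, text=True, check=False)
    return parse_dig(proc.stdout)


def check_servers(servers, name):
    """Return {server: classification} so the whole resolver set is compared in one pass."""
    return {s: classify(run_dig(s, name), run_dig(s, name, cd=True)) for s in servers}


if __name__ == "__main__":
    # Placeholder addresses (documentation range): replace with the master and two slaves.
    servers = ["127.0.0.1", "192.0.2.10", "192.0.2.11"]
    try:
        for server, verdict in check_servers(servers, "desktop.telegram.org").items():
            print(f"{server}: {verdict}")
    except FileNotFoundError:
        print("dig not found on PATH; only the offline parser can be used here")
```

Because the check runs against all three resolvers at once, a result of `dnssec-validation-failure` on every server points at the zone or the validators' shared state (trust anchors, time), while a mix of verdicts points at one server's cache; either way it is worth capturing before a restart, since a restart flushes the cache and, as the update in the question shows, can make the evidence disappear.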
