SERVFAIL error during the evening

2024-06-13 Thread sami . rahal
Hello community,

We are experiencing a resolution problem: 'SERVFAIL error'. Our environment is 
BIND 9.16.48, OS: Redhat8. I am sharing with you a part of the log that 
contains this error, named.conf file.

What I've noticed is that the resolution problem is mainly related to domain 
names that contain a CNAME record in the response, such as 
'account.api.here.com' and 'push-rtmp-l96.douyincdn.com'

P.S. DNSSEC is temporarily disabled to facilitate the diagnosis of the issue.


Regards

Orange Restricted

+++ Statistics Dump +++ (1670610522)
++ Incoming Requests ++
   94682 QUERY
       1 STATUS
++ Incoming Queries ++
   90027 A
       1 NS
       1 CNAME
       1 SOA
       1 WKS
     323 PTR
       1 HINFO
      27 TXT
    2650 
      91 SRV
      82 NAPTR
       9 TYPE64
    1451 TYPE65
++ Outgoing Rcodes ++
   89846 NOERROR
     142 SERVFAIL
    4268 NXDOMAIN
++ Outgoing Queries ++
[View: mobile]
   22280 A
      14 NS
      26 CNAME
       1 SOA
       1 WKS
      97 PTR
       1 HINFO
      11 TXT
    7390 
      19 SRV
      14 NAPTR
       1 TYPE64
    1021 TYPE65
[View: defaut]
[View: _bind]
++ Name Server Statistics ++
   94685 IPv4 requests received
      25 requests with EDNS(0) received
      25 TCP requests received
       8 TCP connection high-water
   94256 responses sent
      49 truncated responses sent
      25 responses with EDNS(0) sent
   88189 queries resulted in successful answer
     424 queries resulted in authoritative answer
   93670 queries resulted in non authoritative answer
       2 queries resulted in referral answer
    1635 queries resulted in nxrrset
     142 queries resulted in SERVFAIL
    4268 queries resulted in NXDOMAIN
    9327 queries caused recursion
     293 duplicate queries received
      64 queries dropped
      73 recursing clients
     194 response policy zone rewrites
   94588 UDP queries received
      25 TCP queries received
       1 COOKIE option received
       1 COOKIE - client only
++ Zone Maintenance Statistics ++
++ Resolver Statistics ++
[Common]
../var/log/named.stats
20-May-2024 17:49:00.463 query-errors: info: client @0x7f883402a870 10.88.202.136#24064 (account.api.here.com): view mobile: query failed (SERVFAIL) for account.api.here.com/IN/A at query.c:7294
20-May-2024 17:49:00.464 query-errors: info: client @0x7f88b805ecd0 10.176.108.141#51399 (www.facebook.com): view mobile: query failed (SERVFAIL) for www.facebook.com/IN/A at query.c:7294
20-May-2024 17:49:00.467 query-errors: info: client @0x7f8848072050 10.134.204.116#22143 (youtubei.googleapis.com): view mobile: query failed (SERVFAIL) for youtubei.googleapis.com/IN/A at query.c:7294
20-May-2024 17:49:00.471 query-errors: info: client @0x7f8800061e10 10.88.180.148#19837 (developers.google.cn): view mobile: query failed (SERVFAIL) for developers.google.cn/IN/A at query.c:7294
20-May-2024 17:49:00.474 query-errors: info: client @0x7f88f8081aa0 10.134.43.29#19387 (netseer-ipaddr-assoc.xz.fbcdn.net): view mobile: query failed (failure) for netseer-ipaddr-assoc.xz.fbcdn.net/IN/A at query.c:8050
20-May-2024 17:49:00.475 query-errors: info: client @0x7f8828027430 10.134.91.124#2620 (edge-mqtt.facebook.com): view mobile: query failed (SERVFAIL) for edge-mqtt.facebook.com/IN/A at query.c:7294
20-May-2024 17:49:00.475 query-errors: info: client @0x7f88e8064320 10.116.224.79#12555 (af.ec922003.com): view mobile: query failed (SERVFAIL) for af.ec922003.com/IN/A at query.c:7294
20-May-2024 17:49:00.477 query-errors: info: client @0x7f88d40506a0 10.88.148.114#32830 (youtubei.googleapis.com): view mobile: query failed (SERVFAIL) for youtubei.googleapis.com/IN/A at query.c:7294
20-May-2024 17:49:00.479 query-errors: info: client @0x7f87fc0271c0 10.88.176.105#1579 (www.pullcm.com): view mobile: query failed (SERVFAIL) for www.pullcm.com/IN/A at query.c:7294
20-May-2024 17:49:00.485 query-errors: info: client @0x7f87e8068f60 10.134.28.232#56091 (googleads.g.doubleclick.net): view mobile: query failed (SERVFAIL) for googleads.g.doubleclick.net/IN/A at query.c:7294
20-May-2024 17:49:00.488 query-errors: info: client @0x7f88d40506a0 10.134.227.176#24591 (www.google.cd): view mobile: query failed (SERVFAIL) for www.google.cd/IN/A at query.c:7294
20-May-2024 17:49:00.495 query-errors: info: client @0x7f88f8081aa0 10.176.111.173#60640 (www.mor

Information about dnsrps, fastRPZ and similar modules

2024-06-13 Thread Jesus Cea
Investigating about non trivial RPZ configurations, I noticed a huge 
block on bind 9.12 to provide DNSRPS, an API for external RPZ providers. 
Nevertheless, the code is complicated and there is no documentation. 
Checking around I only found an RPZ module provided by the same people 
that implemented the api: FastRPZ. That module is not open source.


I wrote to the company, but it was bought by another one and the 
original email address is bouncing. According to this recently archived 
webpage (a year ago), I saw this:


"""
If you have a current BIND Support Subscription, you may be eligible to 
get FastRPZ free of charge. Please contact ISC Support to request access 
to FastRPZ.

"""

Any information? Any alternative?

Any other module using DNSRPS? Any documentation at all?

Thanks.

PS: Apparently the configuration of this mailing list is not compatible 
with DMARC. Please, configure the mailing list to be compatible. You are 
using mailman, I manage several mailman mailing lists myself. In the 
administrative interface, go to "privacy options -> sender filters" and 
check out DMARC options. Most of mailing list admins set it to "Munge from".


--
Jesús Cea Avión
j...@jcea.es - https://www.jcea.es/
Twitter: @jcea
jabber / xmpp:j...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is putting your happiness in the happiness of another" - Leibniz
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Question about ISC BIND COPR repositories for 9.16->9.18 ESV transition

2024-06-13 Thread Sebby, Brian A. via bind-users
We’ve been using the ISC BIND 9 COPR repositories at 
https://copr.fedorainfracloud.org/coprs/isc/ for a few years now, but I had a 
question – is there a planned date to update the “bind-esv” channel to provide 
BIND 9.18 rather than BIND 9.16?  Since 9.16 is now EOL we’ve switched to using 
the stable channel to get 9.18, but I just want to make sure that we switch 
back to the ESV channel once it provides 9.18 so we don’t accidentally switch 
to a new version once 9.20 becomes the new stable release.

(And I do want to say thanks to ISC for providing that repo – I spent years 
having to compile BIND myself on Solaris, and it’s so much nicer to just 
install it from packages on Linux. 😊 )


Thanks,

Brian

--
Brian Sebby (he/him/his)  |  Lead Systems Engineer
Email: se...@anl.gov  |  Information Technology Infrastructure
Phone: +1 630.252.9935  |  Business Information Services
Cell:  +1 630.921.4305  |  Argonne National Laboratory


Re: SERVFAIL error during the evening

2024-06-13 Thread Mark Andrews
Before you do anything else change your rndc shared key as you published it.

> On 14 Jun 2024, at 01:00, sami.ra...@sofrecom.com wrote:
> 
> Hello community,
>  We are experiencing a resolution problem: 'SERVFAIL error'. Our environment 
> is BIND 9.16.48, OS: Redhat8. I am sharing with you a part of the log that 
> contains this error, named.conf file.
>  What I've noticed is that the resolution problem is mainly related to domain 
> names that contain a CNAME record in the response, such as 
> 'account.api.here.com' and 'push-rtmp-l96.douyincdn.com'
>  P.S. DNSSEC is temporarily disabled to facilitate the diagnosis of the issue.
>   Regards  Orange Restricted


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



SERVFAIL error during the evening

2024-06-13 Thread Michael Batchelder
Sami, 

After you regenerate your rndc key as Mark advised, you will need to provide us 
with more information, as what you've sent is not sufficient to troubleshoot 
your symptom. As a first step, take a packet capture on the resolver that shows 
incoming queries from the client and the corresponding outgoing queries from 
the resolver to upstream servers. When you capture packets, do not filter out 
TCP or ICMP or ARP. A tcpdump filter such as 'icmp or arp or port 53' should be 
sufficient. I would capture on all interfaces of the server (-i any). 

Send that capture file along with the BIND log segment which contains the 
failed queries. 

Michael Batchelder 
ISC Support 
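For matching the BIND log segment to the packet capture requested above, the following is an added example (not code from the thread or from ISC) that rejoins mail-wrapped query-errors entries and reports the failure window, result codes and source locations. It assumes the line layout quoted in the first message; the function names, addresses and host names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

TS = r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"
# Field layout taken from the query-errors lines quoted in the thread.
ENTRY = re.compile(
    rf"^(?P<ts>{TS}) query-errors: \w+: client @0x[0-9a-f]+ "
    r"(?P<client>\S+)#\d+ \((?P<qname>[^)]*)\): (?:view (?P<view>\S+): )?"
    r"query failed \((?P<result>[^)]+)\) for \S+/\w+/(?P<qtype>\w+) "
    r"at (?P<src>\S+:\d+)$"
)

def unwrap(lines):
    """Rejoin entries wrapped by a mail client; an entry starts with a timestamp."""
    entries = []
    for line in (raw.strip() for raw in lines):
        if line and (re.match(TS, line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(lines):
    """Tally failures and give the time window a packet capture has to cover."""
    matches = [ENTRY.match(e) for e in unwrap(lines)]
    rows = [m.groupdict() for m in matches if m]
    stamps = [datetime.strptime(r["ts"], "%d-%b-%Y %H:%M:%S.%f") for r in rows]
    return {
        "window": (min(stamps), max(stamps)) if stamps else None,
        "by_result": Counter(r["result"] for r in rows),
        "by_source": Counter(r["src"] for r in rows),
        "by_name": Counter(r["qname"].lower() for r in rows),
        "skipped": len(matches) - len(rows),  # truncated or unrelated entries
    }

# Constructed sample: documentation addresses and names, wrapped as mail would.
SAMPLE = """\
20-May-2024 17:49:00.463 query-errors: info: client @0x7f0000000010
192.0.2.10#24064 (www.example.com): view mobile: query failed
(SERVFAIL) for www.example.com/IN/A at query.c:7294
20-May-2024 17:49:00.474 query-errors: info: client @0x7f0000000020 192.0.2.11#19387
(cdn.example.net): view mobile: query failed (failure) for cdn.example.net/IN/A at query.c:8050
20-May-2024 17:49:01.120 query-errors: info: client @0x7f0000000030 192.0.2.10#1579 (WWW.example.com): view mobile: query failed (SERVFAIL) for WWW.example.com/IN/A at query.c:7294
20-May-2024 17:49:01.495 query-errors: info: client @0x7f0000000040
192.0.2.12#60640 (www.exa
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The "skipped" count shows how many entries were cut off or did not match, so a truncated paste is visible rather than silently dropped.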