Tuesday, December 27, 2011

FORMERR in Bind

Recently I was configuring Bind 9 on Centos 6.2. The setup was pretty straight forward: caching name server with one authoritative local domain. But the problem was that it was resolving my local authoritative domain but getting SERVFAIL for all external queries! I tried using forwardars, forward only, forward first but nothing helped. "dig @127.0.0.1 yahoo.com" was giving a SERVFAIL and "dig @192.168.1.1 yahoo.com" was working fine.

This problem almost made me crazy and was about to give up on bind until I found the problem. I tried every thing: I was configuring bind on a KVM VM, I thought may be its the Bridge or the KVM's internal network bug. I tried bind on a physical machine, but the problem was same! I tried it on Fedora 14, same problem! Next I tried it on different versions of bind, but the error was the exact same!

Here are the errors I was getting in the named.run logs:

DNS format error from 128.63.2.53#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 128.63.2.53#53
DNS format error from 202.12.27.33#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 202.12.27.33#53
DNS format error from 192.5.5.241#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.5.5.241#53
DNS format error from 192.36.148.17#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.36.148.17#53
DNS format error from 128.8.10.90#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 128.8.10.90#53
DNS format error from 193.0.14.129#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 193.0.14.129#53
DNS format error from 192.112.36.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.112.36.4#53
DNS format error from 199.7.83.42#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 199.7.83.42#53
DNS format error from 192.33.4.12#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.33.4.12#53
DNS format error from 192.203.230.10#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.203.230.10#53
DNS format error from 198.41.0.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 198.41.0.4#53
DNS format error from 192.228.79.201#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.228.79.201#53
DNS format error from 192.58.128.30#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.58.128.30#53
So basically bind was getting a malformed response from all the root level servers it was trying in the hint file named.ca

The Solution:

After enabling the debug mode and monitoring traffic with tcpdump, I found the problem. The culprit was my DSL router (AzTech 605EW). And apparently most home dsl routers will behave abnormally with large udp packets. The large udp packets are because bind uses EDNS when querying other DNS servers.

Adding the following configuration in named.conf disabled edns and solved the problem!

server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
Posted by at
Labels:

11 comments:

  1. Antonio XanxessOctober 1, 2013 at 2:44 PM

    Thank you so much Khizer, solved!!! :D

    ReplyDelete
  2. BTL카지노December 31, 2020 at 10:21 AM

    www.omgqq.com 우리카지노사이트
    www.omgqq.com/thekingcasino 더킹카지노
    www.omgqq.com/sandscasino 샌즈카지노
    www.omgqq.com/firstcasino 퍼스트카지노
    www.omgqq.com/yescasino 예스카지노
    www.omgqq.com/supercasino 슈퍼카지노
    www.omgqq.com/gatsbycasino 개츠비카지노
    www.omgqq.com/33casino 33카지노
    www.omgqq.com/worldcasino 월드카지노
    www.omgqq.com/merit 메리트카지노

    ReplyDelete
  3. BTL카지노December 31, 2020 at 10:22 AM

    www.bbdd66.com 우리카지노사이트
    www.bbdd66.com/theking 더킹카지노
    www.bbdd66.com/sands 샌즈카지노
    www.bbdd66.com/first 퍼스트카지노
    www.bbdd66.com/yes 예스카지노
    www.bbdd66.com/super 슈퍼카지노
    www.bbdd66.com/gatsby 개츠비카지노
    www.bbdd66.com/33 33카지노
    www.bbdd66.com/world 월드카지노
    www.bbdd66.com/merit 메리트카지노

    ReplyDelete
  4. Assignment Writing Help UkJune 14, 2022 at 7:24 PM

    Most of the time students are required to submit a piece of writing within a deadline. If you are one of them, you must be wondering how to write my assignment. Well, it’s not difficult to write a perfect piece of writing, but you have to be very careful while selecting the topic and doing the research.

    ReplyDelete
  5. rainhardtjaggersNovember 9, 2022 at 7:07 AM

    First and foremost, its splendidly numerous recreation library ensures that there’s something out there for each kind of on line casino gamer around. New users can register to get a bonus of up to as} 5 파라오 카지노 BTC plus a hundred and eighty free spins. Sadly, considered one of Spin’s main omissions was the power to play with cryptocurrency. Luckily, Bitstarz fills that void for Canadian gamers completely.

    ReplyDelete
  6. AnonymousDecember 5, 2022 at 9:21 AM

    For certain variations 카지노사이트 of games, the methodology is spelled out on the glass above the screen. It'll tell you what type of game it is, what each spin pays out, and particulars on the jackpot. Machines are typically grouped by denomination, type and model name. Video slots have a HELP or INFO button that may walk you thru the assorted payouts, play lines, bonus games and special options. Slot players have a significantly better understanding of slot machines, Hanlin mentioned.

    ReplyDelete
  7. Recipe SpooningJune 27, 2024 at 3:42 PM

    Great reead thank you

    ReplyDelete
  8. adelelianNovember 18, 2024 at 1:44 PM

    This comment has been removed by the author.

    ReplyDelete
  9. AnonymousDecember 30, 2024 at 11:07 AM

    мегаиндекс ссылочная масса скрытая внешняя ссылка

    ReplyDelete
  10. AnonymousApril 4, 2025 at 8:22 AM

    I am setting up a bind local DNS server for our Internal applications ( say app1.mydomain.com, app2.mydomain.com .. etc) in the same LAN (10.x.y.0) the local DNS server and clients in the same LAN. The internal app domains works perfectly for Clients when they add entry in the /etc/resolv.conf the local DNS server IP 10.x.y.100. The problem is when they try to resolve google.com or external domains it fails. So I added a forwarders { 10.x.y.1 ; }; or [ do I have to add forwarders {8.8.8.8;}; both I tried but external resolution fails in both case ] entry in the local DNS server. 10.x.y.1 is the Fortigate F/W IP address which acts as default DNS resolver for all LAN networks in the department, for external DNS resolution. When I execute on my local DNS server # nslookup google.com 10.x.y.100 it returns ** server can't find google.com: SERVFAIL . But when I do # nslookup google.com 10.x.y.1 it resolves .. What wrong here ? Do I have to enable any thing in the default DNS resolver explicitly ?? (ie. Fortigate Firewall 10.x.y.1 ) for transfer DNS queries from the internal DNS to outside ? All internal domain queries works fine.

    ReplyDelete

Subscribe to: Post Comments (Atom)