Tuesday, December 27, 2011

FORMERR in Bind

Recently I was configuring Bind 9 on Centos 6.2. The setup was pretty straight forward: caching name server with one authoritative local domain. But the problem was that it was resolving my local authoritative domain but getting SERVFAIL for all external queries! I tried using forwardars, forward only, forward first but nothing helped. "dig @127.0.0.1 yahoo.com" was giving a SERVFAIL and "dig @192.168.1.1 yahoo.com" was working fine.

This problem almost made me crazy and was about to give up on bind until I found the problem. I tried every thing: I was configuring bind on a KVM VM, I thought may be its the Bridge or the KVM's internal network bug. I tried bind on a physical machine, but the problem was same! I tried it on Fedora 14, same problem! Next I tried it on different versions of bind, but the error was the exact same!

Here are the errors I was getting in the named.run logs:

DNS format error from 128.63.2.53#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 128.63.2.53#53
DNS format error from 202.12.27.33#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 202.12.27.33#53
DNS format error from 192.5.5.241#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.5.5.241#53
DNS format error from 192.36.148.17#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.36.148.17#53
DNS format error from 128.8.10.90#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 128.8.10.90#53
DNS format error from 193.0.14.129#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 193.0.14.129#53
DNS format error from 192.112.36.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.112.36.4#53
DNS format error from 199.7.83.42#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 199.7.83.42#53
DNS format error from 192.33.4.12#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.33.4.12#53
DNS format error from 192.203.230.10#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.203.230.10#53
DNS format error from 198.41.0.4#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 198.41.0.4#53
DNS format error from 192.228.79.201#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.228.79.201#53
DNS format error from 192.58.128.30#53 resolving yahoo.com/A for client 127.0.0.1#39224: reply has no answer
error (FORMERR) resolving 'yahoo.com/A/IN': 192.58.128.30#53
So basically bind was getting a malformed response from all the root level servers it was trying in the hint file named.ca

The Solution:

After enabling the debug mode and monitoring traffic with tcpdump, I found the problem. The culprit was my DSL router (AzTech 605EW). And apparently most home dsl routers will behave abnormally with large udp packets. The large udp packets are because bind uses EDNS when querying other DNS servers.

Adding the following configuration in named.conf disabled edns and solved the problem!

server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };

7 comments:

  1. Thank you so much Khizer, solved!!! :D

    ReplyDelete
  2. www.omgqq.com 우리카지노사이트
    www.omgqq.com/thekingcasino 더킹카지노
    www.omgqq.com/sandscasino 샌즈카지노
    www.omgqq.com/firstcasino 퍼스트카지노
    www.omgqq.com/yescasino 예스카지노
    www.omgqq.com/supercasino 슈퍼카지노
    www.omgqq.com/gatsbycasino 개츠비카지노
    www.omgqq.com/33casino 33카지노
    www.omgqq.com/worldcasino 월드카지노
    www.omgqq.com/merit 메리트카지노

    ReplyDelete
  3. www.bbdd66.com 우리카지노사이트
    www.bbdd66.com/theking 더킹카지노
    www.bbdd66.com/sands 샌즈카지노
    www.bbdd66.com/first 퍼스트카지노
    www.bbdd66.com/yes 예스카지노
    www.bbdd66.com/super 슈퍼카지노
    www.bbdd66.com/gatsby 개츠비카지노
    www.bbdd66.com/33 33카지노
    www.bbdd66.com/world 월드카지노
    www.bbdd66.com/merit 메리트카지노

    ReplyDelete
  4. Most of the time students are required to submit a piece of writing within a deadline. If you are one of them, you must be wondering how to write my assignment. Well, it’s not difficult to write a perfect piece of writing, but you have to be very careful while selecting the topic and doing the research.

    ReplyDelete
  5. First and foremost, its splendidly numerous recreation library ensures that there’s something out there for each kind of on line casino gamer around. New users can register to get a bonus of up to as} 5 파라오 카지노 BTC plus a hundred and eighty free spins. Sadly, considered one of Spin’s main omissions was the power to play with cryptocurrency. Luckily, Bitstarz fills that void for Canadian gamers completely.

    ReplyDelete
  6. For certain variations 카지노사이트 of games, the methodology is spelled out on the glass above the screen. It'll tell you what type of game it is, what each spin pays out, and particulars on the jackpot. Machines are typically grouped by denomination, type and model name. Video slots have a HELP or INFO button that may walk you thru the assorted payouts, play lines, bonus games and special options. Slot players have a significantly better understanding of slot machines, Hanlin mentioned.

    ReplyDelete