View previous topic :: View next topic |
Author |
Message |
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Sat Aug 24, 2019 10:24 am Post subject: [SOLVED] bind-9 keeps crashing with Hetzner.de forwarder |
|
|
EDIT: solved by emerging net-dns/bind-9.14.7.
My bind servers hosted inside Hetzner.de have been crashing since their update to version 9.14.4. The crash can be reliable triggered by a particular query:
Code: | dig @localhost 114.141.6.213.in-addr.arpa PTR |
The named.log has this to say about the issue:
Code: | 24-Aug-2019 12:00:30.807 resolver: notice: DNS format error from 213.133.100.100#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral
24-Aug-2019 12:00:30.807 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.100.100#53
24-Aug-2019 12:00:30.808 resolver: notice: DNS format error from 213.133.98.98#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral
24-Aug-2019 12:00:30.808 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.98.98#53
24-Aug-2019 12:00:30.808 resolver: notice: DNS format error from 213.133.99.99#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral
24-Aug-2019 12:00:30.808 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.99.99#53
24-Aug-2019 12:00:30.808 general: critical: resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
24-Aug-2019 12:00:30.808 general: critical: #0 0x5571e42f6e40 in ??
24-Aug-2019 12:00:30.808 general: critical: #1 0x7f9d1e2844ca in ??
24-Aug-2019 12:00:30.808 general: critical: #2 0x7f9d1e42ed12 in ??
24-Aug-2019 12:00:30.809 general: critical: #3 0x7f9d1e431a69 in ??
24-Aug-2019 12:00:30.809 general: critical: #4 0x7f9d1e43662b in ??
24-Aug-2019 12:00:30.809 general: critical: #5 0x7f9d1e439d61 in ??
24-Aug-2019 12:00:30.809 general: critical: #6 0x7f9d1e43a7ed in ??
24-Aug-2019 12:00:30.809 general: critical: #7 0x7f9d1e43bc7c in ??
24-Aug-2019 12:00:30.809 general: critical: #8 0x7f9d1e2a1a7c in ??
24-Aug-2019 12:00:30.809 general: critical: #9 0x7f9d1ddf5458 in ??
24-Aug-2019 12:00:30.809 general: critical: #10 0x7f9d1dd2380f in ??
24-Aug-2019 12:00:30.809 general: critical: exiting (due to assertion failure) |
213.6.141.114 is some spammer trying to send a mail using my system, hence the reverse lookup.
213.133.98.98, 213.133.99.99 and 213.133.100.100 are the forwarders from the service provider (Hetzner.de).
When I try using other forwarders, like 8.8.8.8, the problem disappears. It seems like the Hetzner.de DNS servers are sending some malformed packets. Still, the bind/named should not crash on a malformed packet.
If I try to reverse lookup other IPs, it works fine.
I managed to tcpdump the queries and responses (tcpdump port 53 -w file.pcap), but I don't see anything wrong there. The .pcap file is here.
Anyone else having these issues?
What can I do, except switching to other DNS forwarders?
Last edited by araxon on Mon Oct 21, 2019 12:18 pm; edited 1 time in total |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3929
|
Posted: Sat Aug 24, 2019 6:54 pm Post subject: |
|
|
What if you tried a simpler format like
Code: |
dig @localhost -x 114.141.6.213
|
Or maybe dig directly the forwarders ans see what happens...
This is the output I get:
Code: |
dig @localhost 114.141.6.213.in-addr.arpa PTR
; <<>> DiG 9.14.4 <<>> @localhost 114.141.6.213.in-addr.arpa PTR
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10457
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: eb44009e30251f4679401aed5d6188d11ebcda8c69db40f0 (good)
;; QUESTION SECTION:
;114.141.6.213.in-addr.arpa. IN PTR
;; Query time: 4000 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 24 21:58:25 EEST 2019
;; MSG SIZE rcvd: 83
|
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6177 Location: Dallas area
|
Posted: Sat Aug 24, 2019 7:14 pm Post subject: |
|
|
Code: | dig @localhost 114.141.6.213.in-addr.arpa PTR |
I don't think this is a valid query
Edit to add: reverse lookup is usually done with -x ie dig -x 213.6.141.114
or to see what domain it belongs to whois -h whois.arin.net 213.6.141.114
Code: | dig -x 213.133.100.100 +noall +answer
; <<>> DiG 9.14.4 <<>> -x 213.133.100.100 +noall +answer
;; global options: +cmd
100.100.133.213.in-addr.arpa. 21565 IN PTR ns3-coloc.hetzner.com. |
_________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Sun Aug 25, 2019 4:42 am Post subject: |
|
|
Thank you for your answer.
Anon-E-moose wrote: | Code: | dig @localhost 114.141.6.213.in-addr.arpa PTR |
I don't think this is a valid query
|
That was the last query seen in bind query.log before it crashes.
Anon-E-moose wrote: |
Edit to add: reverse lookup is usually done with -x ie dig -x 213.6.141.114
|
That indeed generates the same query and crashes my named daemon.
Anon-E-moose wrote: |
or to see what domain it belongs to whois -h whois.arin.net 213.6.141.114
|
I do know who this IP is assigned to. It is some service provider in Palestine. This IP is not the problem. The problem is the crashing bind named on my server. It should not crash on any bogus input... Am I in a wrong place? Should this be submitted to the bugtracker?
Anon-E-moose wrote: |
Code: | dig -x 213.133.100.100 +noall +answer
; <<>> DiG 9.14.4 <<>> -x 213.133.100.100 +noall +answer
;; global options: +cmd
100.100.133.213.in-addr.arpa. 21565 IN PTR ns3-coloc.hetzner.com. |
|
That is the resolver of my provider. I'm not sure what to do with it. This query resolves normally. |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Sun Aug 25, 2019 4:51 am Post subject: |
|
|
Thank you for your answer.
alamahant wrote: | What if you tried a simpler format like
Code: |
dig @localhost -x 114.141.6.213
|
|
The IP address in this query is backwards. When I do dig @localhost -x 213.6.141.114, it generates the query mentioned in my first post and crashes my named.
alamahant wrote: |
Or maybe dig directly the forwarders ans see what happens...
|
I did try that. It generates the same answers as seen in the original pcap file and it does not crash my named, because my named is not involved when I query the forwarders directly.
Code: |
phoenix ~ # dig @213.133.98.98 -x 213.6.141.114
; <<>> DiG 9.14.4 <<>> @213.133.98.98 -x 213.6.141.114
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40231
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;114.141.6.213.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
6.213.in-addr.arpa. 81614 IN NS ns.paltel.net.
6.213.in-addr.arpa. 81614 IN NS ns.ripe.net.
6.213.in-addr.arpa. 81614 IN NS dns.paltel.net.
;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Sun Aug 25 06:46:18 CEST 2019
;; MSG SIZE rcvd: 122
|
Code: |
phoenix ~ # dig @213.133.99.99 -x 213.6.141.114
; <<>> DiG 9.14.4 <<>> @213.133.99.99 -x 213.6.141.114
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;114.141.6.213.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
6.213.in-addr.arpa. 45607 IN NS ns.ripe.net.
6.213.in-addr.arpa. 45607 IN NS ns.paltel.net.
6.213.in-addr.arpa. 45607 IN NS dns.paltel.net.
;; Query time: 0 msec
;; SERVER: 213.133.99.99#53(213.133.99.99)
;; WHEN: Sun Aug 25 06:46:25 CEST 2019
;; MSG SIZE rcvd: 122
|
Code: |
phoenix ~ # dig @213.133.100.100 -x 213.6.141.114
; <<>> DiG 9.14.4 <<>> @213.133.100.100 -x 213.6.141.114
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11780
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;114.141.6.213.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
6.213.in-addr.arpa. 81602 IN NS ns.ripe.net.
6.213.in-addr.arpa. 81602 IN NS dns.paltel.net.
6.213.in-addr.arpa. 81602 IN NS ns.paltel.net.
;; Query time: 0 msec
;; SERVER: 213.133.100.100#53(213.133.100.100)
;; WHEN: Sun Aug 25 06:46:30 CEST 2019
;; MSG SIZE rcvd: 122
|
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6177 Location: Dallas area
|
Posted: Sun Aug 25, 2019 10:37 am Post subject: |
|
|
It's not a bug (at least it's not a bind bug), the query works perfectly fine on my system (bind 9.14.4).
Is this a virtual machine? If so do you compile your own bind or are you using the hosts?
If you compile it yourself, I'd probably rebuild it (bind and tools), there's a problem but it's your system not bind, at least as far as this "query" or you've got a misconfigured named.conf.
I'm not sure why you're using @localhost directly. No matter where you get the answer from, it goes in the named cache, and if localhost is the first nameserver in resolv.conf it'll use that first.
Code: | $ dig -x 213.133.100.100
; <<>> DiG 9.14.4 <<>> -x 213.133.100.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5413
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 597efcc430daf240070ba7545d6266050558900453af48f0 (good)
;; QUESTION SECTION:
;100.100.133.213.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.100.133.213.in-addr.arpa. 86393 IN PTR ns3-coloc.hetzner.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 25 05:42:13 CDT 2019
;; MSG SIZE rcvd: 120 |
The SERVER is my machine.
from resolv.conf
Code: | nameserver 127.0.0.1 |
If the answer is not in my named cache then it will send it to where it needs to, to get an answer then it goes in the cache.
Edit to add: what does "emerge -pv bind bind-tools" return _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Mon Aug 26, 2019 9:51 am Post subject: |
|
|
Anon-E-moose wrote: | It's not a bug (at least it's not a bind bug), the query works perfectly fine on my system (bind 9.14.4). |
It works for me too, when I change named.conf to use other forwarders (8.8.8.8 for example). But I do not want to change the forwarders and I certainly do not want my named to crash every so often. It is some combination of the query, one concrete forwarding server and current version of bind. It worked flawlessly with previous versions of bind, but sadly they are not in portage anymore.
Anon-E-moose wrote: | Is this a virtual machine? If so do you compile your own bind or are you using the hosts?
|
It is physical hardware. Bind has been emerged from portage. And it is not only a problem on one server, I have another client, who has his server in Hetzner.de too, and that instance of bind experiences the same problems.
Anon-E-moose wrote: | If you compile it yourself, I'd probably rebuild it (bind and tools), there's a problem but it's your system not bind, at least as far as this "query" or you've got a misconfigured named.conf.
|
I tried re-emerging it from portage and restarting the server to load all the new versions of all libraries, but the problem prevails. Named.conf remains unchanged from the previous version of bind, which worked fine.
Anon-E-moose wrote: | I'm not sure why you're using @localhost directly. No matter where you get the answer from, it goes in the named cache, and if localhost is the first nameserver in resolv.conf it'll use that first.
...
|
I use @localhost to go around other resolvers listed in /etc/resolv.conf, to isolate the issue and to be able to quickly confirm that it still exists.
I can certainly use other forwarders, or remove 127.0.0.1 and ::1 from /etc/resolv.conf altogether, but as the Authoritative DNS server provider for numerous domains I do need to continue running named and I do not like the idea of it crashing randomly. I would like the issue to be solved, rather than circumvented.
Anon-E-moose wrote: | Edit to add: what does "emerge -pv bind bind-tools" return |
Code: | phoenix ~ # emerge -pv bind bind-tools
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-dns/bind-9.14.4::gentoo USE="caps ssl zlib -berkdb -dlz -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -json -ldap -libressl -lmdb -mysql -odbc -postgres -python (-selinux) -static-libs -urandom -xml" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB
[ebuild R ] net-dns/bind-tools-9.14.4::gentoo USE="ipv6 readline ssl -doc -gssapi -idn -libedit -libressl -xml" 0 KiB
Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB
|
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6177 Location: Dallas area
|
Posted: Mon Aug 26, 2019 10:08 am Post subject: |
|
|
araxon wrote: |
I did try that. It generates the same answers as seen in the original pcap file and it does not crash my named, because my named is not involved when I query the forwarders directly.
Code: |
phoenix ~ # dig @213.133.98.98 -x 213.6.141.114
; <<>> DiG 9.14.4 <<>> @213.133.98.98 -x 213.6.141.114
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40231
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;114.141.6.213.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
6.213.in-addr.arpa. 81614 IN NS ns.paltel.net.
6.213.in-addr.arpa. 81614 IN NS ns.ripe.net.
6.213.in-addr.arpa. 81614 IN NS dns.paltel.net.
;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Sun Aug 25 06:46:18 CEST 2019
;; MSG SIZE rcvd: 122
|
|
That's not true, named is still involved, it just doesn't use the forwarders from named.conf or resolv.conf, it still uses the bind libraries, etc, along with the fact that the result of the query goes into the named cache. The query still gets resolved the same way, whether using @ directly or forwarders line in named.conf or nameserver in resolv.conf.
If it works directly then I suspect something in named.conf is likely your problem. It could be that previous versions of bind allowed certain things be done that it shouldn't have.
As far as previous versions, if you haven't cleaned your distfiles directory, then you should have the tar files, you just need the ebuild.
Edit to add: If you really think it's a bug, then file a bug report. It's possible that there's a bug in the way named.conf is being handled.
ETA2: what does dig @localhost +trace -x 213.6.141.114 show? _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Fri Aug 30, 2019 10:30 am Post subject: |
|
|
I'm sorry, I've been traveling and didn't have the means to try this.
Anon-E-moose wrote: |
ETA2: what does dig @localhost +trace -x 213.6.141.114 show? |
This seems to loop endlessly and never get to the query that would trigger the server to crash. Is the recursion disabled with +trace?
Code: | phoenix ~ # dig @localhost +trace -x 213.6.141.114
; <<>> DiG 9.14.4 <<>> @localhost +trace -x 213.6.141.114
; (2 servers found)
;; global options: +cmd
. 518397 IN NS a.root-servers.net.
. 518397 IN NS m.root-servers.net.
. 518397 IN NS d.root-servers.net.
. 518397 IN NS k.root-servers.net.
. 518397 IN NS j.root-servers.net.
. 518397 IN NS i.root-servers.net.
. 518397 IN NS l.root-servers.net.
. 518397 IN NS b.root-servers.net.
. 518397 IN NS c.root-servers.net.
. 518397 IN NS h.root-servers.net.
. 518397 IN NS e.root-servers.net.
. 518397 IN NS f.root-servers.net.
. 518397 IN NS g.root-servers.net.
. 518397 IN RRSIG NS 8 0 518400 20190912050000 20190830040000 59944 . a18HBLRxbDklfb/5azG80cAJFAwNd4luRiFgFM6QUhVNkCcYfHEPN86t H2TiEwxxwQE+gfKdMFc6F+2GT5MqMgJocYS4hxyai54iMtzN9/HzUxFQ IVeOWU2g2piycqavfFqMp4pfmbESjGj3zBs3BemvD8nS9JVc7PtDnYEN HJ6iYLCSZlLp3HPTOGqd2Kh9uBmujnsVqbUoVWT7H5vT3yblT2J3MdhV XcUYAwl8CneBJGql1VT1ZS5lvGriOnrRuX9evjgHlGZuRk5tiR8oc4aH ndEc28HdihJH4fmj6P0Zq2DnP3KOMV/voHCsF29hEyT3YhpCDng5U99E 994KgA==
;; Received 1137 bytes from ::1#53(localhost) in 0 ms
in-addr.arpa. 172800 IN NS a.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS b.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS d.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.
in-addr.arpa. 86400 IN DS 47054 8 2 5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2
in-addr.arpa. 86400 IN DS 53696 8 2 13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF
in-addr.arpa. 86400 IN DS 63982 8 2 AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73
in-addr.arpa. 86400 IN RRSIG DS 8 2 86400 20190912000000 20190829230000 62701 arpa. Ajnfl8yM1UgcblIyVvot5MyhUVsXG9BdjbbWLzRSLe/xBModCGgVdQoa SyAk+Zzv5b3KeTJ3Ce4xNJYD2fr09OvuNQpcOhpSfRLo/STYv3ZZYhIF 1LCWdymkQBMB9+8CZvYZzU9jIO7YJpccUljh0Q+czKUnAA17VPpR79PC bmw22JOw0yOfwQtABY8DOxDoVgGzCr05hOBbJvKqS+gQ/T7HqplvWIvM 7My/QacDJny7WYH0WrDaq8V861GMWH9EDWzj/vVQQQdraLVRQEMdIRBu uS1sGVQ8geq9EqF2OLcz5RZPdi6S8DtJkfeXAX6JapnjcEuj9rEbg7Cr Vtj3Zg==
;; Received 867 bytes from 199.7.91.13#53(d.root-servers.net) in 11 ms
213.in-addr.arpa. 86400 IN NS ns3.afrinic.net.
213.in-addr.arpa. 86400 IN NS pri.authdns.ripe.net.
213.in-addr.arpa. 86400 IN NS tinnie.arin.net.
213.in-addr.arpa. 86400 IN NS sns-pb.isc.org.
213.in-addr.arpa. 86400 IN NS ns4.apnic.net.
213.in-addr.arpa. 86400 IN NS ns3.lacnic.net.
213.in-addr.arpa. 86400 IN DS 20065 8 2 B01BBE15017A4B3CAF02FCEB1B75E440DC40241B91ECEA34E1100637 B6298436
213.in-addr.arpa. 86400 IN RRSIG DS 8 3 86400 20190906091348 20190815210003 37074 in-addr.arpa. dw2GNQvdUlnS1IGKbyXs90ro0AdkcMe6y4/MCice2U5gnefHwEExOXnO 72yTiBdM0Y37Kza8H4pubxyWiw/2KNQEa+2tqPS4oY5H41KV5O2Mn6I6 dJiPOdhOt4elBmSbGMt64jSvwen1w2L/l2brqLGHCorB7FIR9q1YGD9L 9Uw=
;; Received 494 bytes from 203.119.86.101#53(e.in-addr-servers.arpa) in 259 ms
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; Received 719 bytes from 2001:500:2e::1#53(sns-pb.isc.org) in 20 ms
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms
6.213.in-addr.arpa. 6858 IN NS ns.paltel.net.
6.213.in-addr.arpa. 6858 IN NS dns.paltel.net.
6.213.in-addr.arpa. 6858 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 77 ms
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 59 ms
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 360 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 10 ms
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 62 ms
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 78 ms
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 61 ms
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 360 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 62 ms
6.213.in-addr.arpa. 95928 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95928 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95928 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 95927 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95927 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 95927 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95927 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms
6.213.in-addr.arpa. 95927 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 63 ms
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 95927 IN NS ns.ripe.net.
6.213.in-addr.arpa. 95927 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS dns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 63 ms
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 6857 IN NS ns.ripe.net.
6.213.in-addr.arpa. 6857 IN NS dns.paltel.net.
6.213.in-addr.arpa. 6857 IN NS ns.paltel.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 64 ms
6.213.in-addr.arpa. 172800 IN NS ns.ripe.net.
6.213.in-addr.arpa. 172800 IN NS ns.paltel.net.
6.213.in-addr.arpa. 172800 IN NS dns.paltel.net.
6.213.in-addr.arpa. 3600 IN NSEC 60.213.in-addr.arpa. NS RRSIG NSEC
6.213.in-addr.arpa. 3600 IN RRSIG NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=
;; BAD (HORIZONTAL) REFERRAL
;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms
6.213.in-addr.arpa. 95927 IN NS ns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS dns.paltel.net.
6.213.in-addr.arpa. 95927 IN NS ns.ripe.net.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups
|
What does "BAD (HORIZONTAL) REFERRAL" mean? Is it mismatch in delegation of that particular domain? |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6177 Location: Dallas area
|
Posted: Fri Aug 30, 2019 12:07 pm Post subject: |
|
|
araxon wrote: | What does "BAD (HORIZONTAL) REFERRAL" mean? Is it mismatch in delegation of that particular domain? |
My understanding is it's a lookup across the domain, not down.
if domain a0, b0, c0, a0 calls b0 and b0 is supposed to call c0, instead it calls b1 which is on the same level as b0.
You can google "bind BAD (HORIZONTAL) REFERRAL" for more info.
As for why it doesn't get to the query you're interested in, it's probably "dig: too many lookups"
Edit to add: googling your original problem, it has happened in the past (older versions of bind) so maybe they reintroduced a bug, I haven't checked with bind itself to see if they have reports for the version you're using. You might check and maybe even file a bug report. _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1146 Location: Romania
|
Posted: Fri Aug 30, 2019 5:18 pm Post subject: |
|
|
have you ruled out CFLAGS and USE(flags) ?
I have 2 NS's without forward first and I see those kinds of records countless times during the day. Much-a-do about geo-location banning in my opinion, but the point is, bind shouldn't crap out because of it. a revdep-rebuild perhaps. sounds more like a pointer issue than anything else imho. |
|
Back to top |
|
|
mwka n00b
Joined: 18 Sep 2019 Posts: 3
|
Posted: Wed Sep 18, 2019 12:29 pm Post subject: |
|
|
I can confirm this error - I have the very same problem on my server at Hetzner, since upgrading to bind 9.14.4. So I don't think it's a local issue. |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Wed Sep 25, 2019 11:02 am Post subject: |
|
|
mwka wrote: | I can confirm this error - I have the very same problem on my server at Hetzner, since upgrading to bind 9.14.4. So I don't think it's a local issue. |
I tried 9.14.5 and 9.14.6, but the problem remains unsolved.
I circumvented this issue by outright banning in iptables the few offending hosts, that tried to connect thus causing this "harmful" reverse lookup. Not really a solution. |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Wed Sep 25, 2019 4:20 pm Post subject: |
|
|
There is this chap having the same problem: https://github.com/opnsense/plugins/issues/1497
He opened a bug report with ISC bind team two weeks ago, and the bug report went private:
Quote: | It was set to private because it's probably a DoS-able vulnerability and they already had 2 reports but without crash dump or debug symbols of this error when I reported it to them. |
Hopefully it will be fixed soon. |
|
Back to top |
|
|
mwka n00b
Joined: 18 Sep 2019 Posts: 3
|
Posted: Wed Sep 25, 2019 4:51 pm Post subject: |
|
|
I reported the bug to the bind team and got the response that it should be fixed within 1 month. |
|
Back to top |
|
|
araxon Tux's lil' helper
Joined: 25 May 2011 Posts: 83
|
Posted: Thu Oct 17, 2019 7:50 am Post subject: |
|
|
Some new development...
The issue is now public.
The associated CVE is CVE-2019-6476. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|