problem with bind911 or 914

Kevin Oberman rkoberman at gmail.com
Wed May 22 19:28:29 UTC 2019


On Wed, May 22, 2019 at 8:54 AM Wojciech Puchar <wojtek at puchar.net> wrote:

> I've reinstalled bind914 (and then tried 911 too) after updating to the latest
> FreeBSD-11
>
> and the problem is that bind cannot perform any TCP transfers
>
> In the logs I'm getting things like this
>
> May 22 20:50:55 <3.6> puchar named[67338]: transfer of
> 'icetransport.pl/IN' from 84.10.41.58#53: connected using
> 194.1.144.90#44228
> May 22 20:50:55 <3.3> puchar named[67338]: transfer of
> 'icetransport.pl/IN' from 84.10.41.58#53: failed while receiving
> responses: host
> May 22 20:50:55 <3.6> puchar named[67338]: transfer of
> 'icetransport.pl/IN' from 84.10.41.58#53: Transfer status: host
> unreachable
> May 22 20:50:55 <3.6> puchar named[67338]: transfer of
> 'icetransport.pl/IN' from 84.10.41.58#53: Transfer completed: 0 messages,
> 0 recor
>
>
> while on 84.10.41.58 I see
>
> May 22 20:50:51 icetransport named[4479]: client @0x3bc271400
> 194.1.144.90#44228 (icetransport.pl): transfer of 'icetransport.pl/IN':
> AXFR started (serial 3873)
> May 22 20:50:51 icetransport named[4479]: client @0x3bc271400
> 194.1.144.90#44228 (icetransport.pl): transfer of 'icetransport.pl/IN':
> AXFR ended
> May 22 20:50:51 icetransport named[4479]: client @0x3c0129400
> 194.1.144.90#44231 (icetransport.pl): transfer of 'icetransport.pl/IN':
> AXFR started (serial 3873)
> May 22 20:50:51 icetransport named[4479]: client @0x3c0129400
> 194.1.144.90#44231 (icetransport.pl): transfer of 'icetransport.pl/IN':
> AXFR ended
>
>
> using the FreeBSD base system host program I can transfer this domain without
> problem too.
>
>
> this way named now cannot update any of the domains from the master server.
>
> furthermore I see LOTS of things like this in the log:
>
> May 22 20:51:10 <3.3> puchar named[67338]: dispatch 0x804544e00: shutting
> down due to TCP receive error: 193.108.91.73#53: host unreachable
>
>
>
> seems like named connects properly over tcp and then reports an error.
>
> Any idea what's this and how to fix it?
>

Looks to me like either a firewall or policy issue, not BIND.

Back a decade ago, many firewalls defaulted to blocking tcp/53. This was
based on the unfortunate decision to list the use of tcp/53 as "SHOULD" in
the RFC instead of "MUST", but this should produce a timeout, not a host
unreachable. "host unreachable" should be the result of an ICMP message
coming back from a router.

Take a look at the traffic with tcpdump or wireshark and see if you are
getting no response (firewall) or an ICMP Host Unreachable. If the latter,
it is coming from a router between you and Akamai and is the result of
policy, most likely that of your ISP. In neither case is your local BIND at
fault. Historically ISPs have loved to play rude games with DNS, either
deliberately or due to software flaws in things like load balancers.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
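As an added diagnostic example, not part of this thread or of BIND: a small Python script that opens tcp/53 to the master, sends a SOA query framed the way BIND does over TCP, and reports which failure class it hit, separating a silent timeout (firewall drop) from an ICMP host/network unreachable (router policy), which is the distinction Kevin suggests checking. The server address and zone name are assumed command-line inputs.

```python
import errno
import socket
import struct

def build_tcp_query(name: str, qtype: int = 6, qid: int = 0x1234) -> bytes:
    """Minimal DNS query (qtype 6 = SOA), framed for TCP with the 2-byte
    length prefix from RFC 1035 section 4.2.2."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def classify_failure(exc: OSError) -> str:
    """Map the socket error to the symptom discussed in the thread."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout (no reply at all: likely a firewall dropping tcp/53)"
    if exc.errno == errno.EHOSTUNREACH:
        return "host unreachable (ICMP from a router: routing/policy, not BIND)"
    if exc.errno == errno.ENETUNREACH:
        return "network unreachable (local routing problem)"
    if exc.errno == errno.ECONNREFUSED:
        return "connection refused (TCP RST: nothing listening on tcp/53)"
    if exc.errno == errno.ECONNRESET:
        return "connection reset mid-transfer (middlebox or server dropped it)"
    return f"other socket error: {exc}"

def probe_tcp53(server: str, zone: str, timeout: float = 5.0) -> str:
    """Connect to tcp/53, send the SOA query, read the length-prefixed reply.
    Returns a verdict string instead of raising."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(build_tcp_query(zone))
            hdr = s.recv(2)
            if len(hdr) < 2:
                return "connected, but server closed before sending a reply"
            (rlen,) = struct.unpack("!H", hdr)
            body = b""
            while len(body) < rlen:
                chunk = s.recv(rlen - len(body))
                if not chunk:  # connection closed mid-message
                    return f"connected, reply truncated at {len(body)} of {rlen} bytes"
                body += chunk
            rcode = struct.unpack("!H", body[2:4])[0] & 0xF
            return f"ok: {rlen}-byte reply over TCP, rcode={rcode}"
    except OSError as exc:
        return classify_failure(exc)

if __name__ == "__main__":
    import sys  # usage: probe.py <master-ip> <zone>
    print(probe_tcp53(sys.argv[1], sys.argv[2]))
```

Run it from the slave host against the master; a "timeout" verdict points at a firewall, while "host unreachable" means an ICMP message arrived and a packet capture will show which router sent it.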

