DNS Issues Urgent

Hi,

Emailed late last night to access@

Our domain .conscious.co.uk has been down since approx Sunday 3pm UK time.

nslookup gives
;; Got SERVFAIL reply from 194.168.4.100, trying next server

Server: 194.168.8.100
Address: 194.168.8.100#53

we are using these nameservers

dns1.zoneedit.com

dns2.zoneedit.com

Are you aware of any issues and what may be the cause of this?
 
hello, can you confirm your primary IP is set properly to send zoneedit zone files:

Please add the following IP addresses to your master nameserver ACL
  • 64.68.198.91
In "bind" parlance:
zone "conscious.co.uk" {
    type master;
    file "conscious.co.uk.zone";
    allow-transfer { 64.68.198.91/32; };
    also-notify { 64.68.198.91; };
};

at its registrar the domain is delegated to:
Name servers:
b.ns.buddyns.com
c.ns.buddyns.com
dns1.zoneedit.com
dns2.zoneedit.com


As well, this is not an access concern, so you can only use the forum.
 
we don't lock down axfr results, it is fully accessible to anyone because we secure it by having split horizon so they should be able to zone transfer without issue. I'm under the impression the zone transfer is pulled from us, rather than us pushing it to the other nameservers

our nameservers:
ns1.conscious.co.uk (primary / soa)
ns2.conscious.co.uk

and the other nameservers with authority over conscious.co.uk
b.ns.buddyns.com
c.ns.buddyns.com
dns2.zoneedit.com

digging out SOA record from an off site server with a completely separate resolver, we can resolve:

dig conscious.co.uk @ns1.conscious.co.uk. soa +short
dig conscious.co.uk @ns2.conscious.co.uk. soa +short
dig conscious.co.uk @b.ns.buddyns.com. soa +short
dig conscious.co.uk @c.ns.buddyns.com. soa +short

although:
dig conscious.co.uk @dns2.zoneedit.com. soa +short

doesn't return results

same with trying to obtain a list of the name servers, running a dig for ns returns results from all servers except from the zoneedit one.

I can perform a zone transfer from my off site vm to our primary / secondary

dig conscious.co.uk axfr @ns1.conscious.co.uk
dig conscious.co.uk axfr @ns2.conscious.co.uk

I can't see any sort of blocking on 64.68.198.91

Also, I can see the name servers under whois; it lines up with what was responded to on the forum, though we can get the conscious records from buddyns whereas none of those zoneedit ones work.
 
zoneedit does not have the zone files as we cannot slave from your listed primary and we have no zone cache available. zoneedit is secondary DNS for the domains and it uses NOTIFY to let us know there is a zone update...

Primary Name Servers: 83.222.239.238 (web15.conscious.co.uk)
 
Hi Sandy, we have done some further testing and can see the server at 64.68.198.91 connecting to our ns2.conscious.co.uk server, it seems to be dropping the connection.

below is a section from our axfr logs

@4000000067d004e831060a8c tcpserver: status: 0/40
@4000000067d004fc0024377c tcpserver: status: 1/40
@4000000067d004fc00243b64 tcpserver: pid 2254483 from 64.68.198.91
@4000000067d004fc00243b64 tcpserver: ok 2254483 0:83.222.239.238:53 :64.68.198.91::44757
@4000000067d004fc00288cdc 4044c65b:aed5:6f25 00fc conscious.co.uk
@4000000067d004fc0583d3bc axfrdns: fatal: unable to read from network: connection reset
@4000000067d004fc058542ec tcpserver: end 2254483 status 28416

Looking at a packet trace, I can see the connection establish, then data is being sent from ns2.conscious.co.uk towards xfr0.zoneedit.com that includes the axfr data being transferred as we would expect. However, we start receiving reset packets from xfr0.zoneedit.com at the end of the conversation.

we've also noticed a number of other similar threads posted in the last 24 hours for customers experiencing similar issues.

Could you review and advise what you think is going on here please.
 
Hi Brad

Thanks for the response. Could you clarify why we need to change this. Everything has been working fine for years until it suddenly stopped working properly on Sunday ~ 3pm.

Thanks
 
I was wrong about the TTL for NS records being a factor. Are you by chance using axfrdns? We've had a few reports of axfrdns no longer working to transfer zones.
 
Hi Brad,

Thanks for the response.

We are using axfrdns and I can see that the other post resolved the issue by switching to powerdns.

Are you / the team aware of the specific change made that has caused this?

I'm sure you can appreciate, there will be a range of customers using the djb suite's axfrdns (and potentially other software that will also be impacted by the issue) and the burden should not be on the customer to have to alter their production environments in order to cater to an issue introduced by another party.

Can you please confirm if zoneedit are investigating a fix?

I am happy to help provide logs / packet captures if it proves useful.
 
We've researched the issue, but are not able to provide a fix. Based on this forum post from 2023, it seems like a problem within axfrdns which the developers of that software would need to fix:
axfrdns apparently does not include the 'question' section in the response, which is required.
Also, here is a document about all the various problems with the djbdns suite if you're interested - https://jdebp.uk/FGA/djbdns-problems.html
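
The requirement cited in the last reply can be checked directly on the bytes of a captured transfer. The following is an added example, not part of the thread or of any tool named in it: it parses the first TCP-framed message of an AXFR response and reports whether the question section is echoed, which RFC 5936 requires for the first message. `build_response` and the SOA values it emits are constructed sample data.

```python
import struct

AXFR, SOA, IN = 252, 6, 1  # QTYPE/TYPE/CLASS codes from RFC 1035

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Read an uncompressed name at off; return (lowercased name, next offset)."""
    labels = []
    while msg[off]:  # IndexError if the message is truncated
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def build_response(zone, query_id, with_question):
    """Constructed sample: TCP-framed first AXFR message carrying one SOA record."""
    name = encode_name(zone)
    question = name + struct.pack("!2H", AXFR, IN) if with_question else b""
    rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
    rdata += struct.pack("!5I", 2025031101, 3600, 600, 604800, 300)
    answer = name + struct.pack("!2HIH", SOA, IN, 3600, len(rdata)) + rdata
    header = struct.pack("!6H", query_id, 0x8400, 1 if with_question else 0, 1, 0, 0)
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix used over TCP

def check_first_axfr_message(payload, zone, query_id):
    """Return a list of problems in the first message of an AXFR response."""
    try:
        msg = payload[2:2 + struct.unpack("!H", payload[:2])[0]]
        ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
        problems = []
        if ident != query_id or not flags & 0x8000 or flags & 0x000F:
            problems.append("ID, QR bit or RCODE does not match a successful reply")
        if qd != 1:
            problems.append(f"QDCOUNT={qd}: question section not echoed")
        else:
            qname, off = read_name(msg, 12)
            qtype, qclass = struct.unpack("!2H", msg[off:off + 4])
            if (qname, qtype, qclass) != (zone.rstrip(".").lower(), AXFR, IN):
                problems.append("question does not match the AXFR query")
        return problems
    except (struct.error, IndexError, ValueError) as exc:
        return [f"malformed message: {exc}"]
```

To use it on real traffic, pass the reassembled TCP payload of the server's first reply together with the zone name and the ID from the AXFR query.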
 