When deploying any new product within a data center, a functioning DNS is critical. This is especially true when the product involves a large number of virtual machines and supplementary infrastructure. We've been helping with the design of a new compute platform based on Kubernetes.
In many environments, the operational standards of the teams and their existing skill sets dictate the technologies to be used. This often leads to the selection of BIND (Berkeley Internet Name Domain), a widely used DNS server bundled with all major operating systems, such as RHEL and Ubuntu.
Because of these factors, BIND became the required DNS solution for this particular product deployment. As a result, we were tasked with configuring and deploying BIND9 on Ubuntu. Specifically, the distribution of choice was Ubuntu LTS, and the BIND9 version shipped with the distribution was 9.18.30-0ubuntu0.22.04.2.
I was on the verge of deploying BIND9, accompanied by a tcpdump in my pocket.
BIND9 as a DNS forwarder
This process unfolded relatively smoothly. BIND9 is capable of forwarding all queries to upstream recursive resolvers, referred to as forwarders in this context:
root@ubu2204:/etc/bind# cat named.conf.options
acl dcnet {
127.0.0.0/8;
192.168.0.0/16;
172.16.0.0/16;
10.0.0.0/8;
};
options {
directory "/var/cache/bind";
allow-query { any; };
allow-recursion { dcnet; };
forwarders {
1.1.1.1;
1.0.0.1;
8.8.4.4;
8.8.8.8;
};
forward only;
recursion yes; // this is the default
dnssec-validation auto;
listen-on-v6 { any; };
};
Credit should be given where it is due. Clearly, BIND9 has no issue forwarding
all queries to upstream resolvers, provided that one does not forget to set
forward only; in the configuration, as illustrated above.
If you forget to set forward only; and rely on the default value, which is
forward first;, you will fail to meet the requirement of forwarding all
queries to the designated forwarders. In such a scenario, BIND9 may
intermittently act as a fully recursive resolver for certain queries, and if the
firewall is not configured to permit UDP/53 and TCP/53 traffic to the entire
internet, then you are out of luck.
BIND9 as a Fully Recursive DNS Resolver
The deployment did not proceed as expected. Following the preparatory stages, which involved permitting UDP/53 and TCP/53 to the entirety of 0.0.0.0/0, it was time to configure a proper recursive DNS resolver utilizing BIND9.
Operating a fully recursive DNS server provides numerous benefits. One of them is the ability to mirror the DNS root zone (as outlined in RFC 8806) and establish direct communication with TLD nameservers.
However, let's start with a more fundamental approach, wherein we use hints for the root zone:
root@ubu2204:/etc/bind# cat named.conf.options
acl dcnet {
127.0.0.0/8;
192.168.0.0/16;
172.16.0.0/16;
10.0.0.0/8;
};
options {
directory "/var/cache/bind";
allow-query { any; };
allow-recursion { dcnet; };
recursion yes; // this is the default
dnssec-validation auto;
listen-on-v6 { any; };
};
root@ubu2204:/etc/bind# cat named.conf.default-zones
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
And now it is time to test the resolver in action.
root@ubu2204:/etc/bind# systemctl restart named.service
root@ubu2204:/etc/bind# dig @127.0.0.1 push.services.mozilla.com A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 push.services.mozilla.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60041
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 74c709b026004e280100000067e968348c1ca1681a409031 (good)
;; QUESTION SECTION:
;push.services.mozilla.com.     IN      A

;; Query time: 220 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 30 15:50:12 UTC 2025
;; MSG SIZE  rcvd: 82
A SERVFAIL on the first query? How unlucky of us. Let's try another query, something else this time:
root@ubu2204:/etc/bind# dig @127.0.0.1 letsencrypt.org A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 letsencrypt.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20884
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9b209a1ccb16fbea0100000067e96875ef0451f6a0ba0a90 (good)
;; QUESTION SECTION:
;letsencrypt.org.               IN      A

;; Query time: 388 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 30 15:51:17 UTC 2025
;; MSG SIZE  rcvd: 72
Clearly we're onto something here. But what exactly is going on? Let's find out.
Troubleshooting the BIND9 resolver algorithm
The low-hanging fruit we should tackle first is the log output generated by BIND9 itself, which may provide some insight into what's going on.
Our configuration will get a logging section:
logging {
channel troubleshooting {
file "/var/log/named/query.log";
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
category resolver { troubleshooting; };
category queries { troubleshooting; };
category query-errors { troubleshooting; };
category lame-servers { troubleshooting; };
category cname { troubleshooting; };
};
acl dcnet {
127.0.0.0/8;
192.168.0.0/16;
172.16.0.0/16;
10.0.0.0/8;
};
options {
directory "/var/cache/bind";
allow-query { any; };
allow-recursion { dcnet; };
recursion yes; // this is the default
dnssec-validation auto;
listen-on-v6 { any; };
};
And now it's time to investigate the problem further.
root@ubu2204:/etc/bind# systemctl restart named
root@ubu2204:/etc/bind# dig @127.0.0.1 push.services.mozilla.com A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 push.services.mozilla.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 92fa3fb389977e970100000067e96dea9858df94463da597 (good)
;; QUESTION SECTION:
;push.services.mozilla.com.     IN      A

;; Query time: 219 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 30 16:14:34 UTC 2025
;; MSG SIZE  rcvd: 82
root@ubu2204:/etc/bind# cat /var/log/named/query.log
30-Mar-2025 16:14:03.243 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 16:14:03.247 resolver: debug 1: fetch: ./NS
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:9f::42#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:1::53#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:dc3::35#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:2d::d#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2801:1b8:10::b#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:2f::f#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:7fd::1#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:500:a8::e#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:7fe::53#53
30-Mar-2025 16:14:03.295 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 16:14:03.295 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
30-Mar-2025 16:14:03.295 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2801:1b8:10::b#53
30-Mar-2025 16:14:03.295 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
30-Mar-2025 16:14:03.451 resolver: debug 1: resolver priming query complete: success
30-Mar-2025 16:14:34.679 queries: info: client @0x7f438c1c2988 127.0.0.1#37297 (push.services.mozilla.com): query: push.services.mozilla.com IN A +E(0)K (127.0.0.1)
30-Mar-2025 16:14:34.679 resolver: debug 1: fetch: push.services.mozilla.com/A
30-Mar-2025 16:14:34.679 resolver: debug 1: fetch: com/NS
30-Mar-2025 16:14:34.739 resolver: debug 1: fetch: mozilla.com/NS
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:502:7094::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:500:856e::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:500:d937::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:83eb::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:502:8cc::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:501:b1f9::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:231d::2:30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:39c1::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:d2d::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:a83e::2:30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:eea3::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:502:1ca1::30#53
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:503:d414::30#53
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: services.mozilla.com/NS
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns4-64.akam.net/A
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns4-64.akam.net/AAAA
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns5-65.akam.net/A
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns5-65.akam.net/AAAA
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns7-66.akam.net/A
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns7-66.akam.net/AAAA
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns1-240.akam.net/A
30-Mar-2025 16:14:34.787 resolver: debug 1: fetch: ns1-240.akam.net/AAAA
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/AAAA/IN': 2001:502:1ca1::30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/AAAA/IN': 2001:503:a83e::2:30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/A/IN': 2001:503:a83e::2:30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/AAAA/IN': 2001:502:8cc::30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/A/IN': 2001:502:8cc::30#53
30-Mar-2025 16:14:34.899 query-errors: info: client @0x7f438c1c2988 127.0.0.1#37297 (push.services.mozilla.com): query failed (SERVFAIL) for push.services.mozilla.com/IN/A at query.c:7841
On March 30, 2025 at 4:14:03 PM, we observe an initial complaint from the resolver regarding all IPv6 root servers listed in the root.hints file. Despite these complaints, the process ultimately concludes successfully, as evidenced by this log entry:
30-Mar-2025 16:14:03.451 resolver: debug 1: resolver priming query complete: success
A few moments later, at 4:14:34 PM, our query is processed and the situation becomes intriguing. The logs reveal a complaint about the unreachability of Mozilla's nameservers over IPv6. This is expected, given that the data center is not yet fully dual-stack capable. However, this should not prevent BIND9 from resolving domains whose NS servers are configured for both IPv4 and IPv6. Whether or not you have IPv6 connectivity, every NS server on the path is dual-stacked, so IPv4 alone should be enough to reach it.
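The reading of the log above can be automated. The following Python script is an added example, not code from the original post or from BIND: it parses query.log lines in the format shown, splits the lame-servers "network unreachable" complaints by address family, records whether root priming succeeded, and pulls out the query-errors entries, so that you can tell at a glance whether every unreachable target is an IPv6 address. The sample lines are constructed from the log above (timestamps, addresses and names copied from it), and the classification labels are our own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the BIND9 query.log shown above; the
# timestamps, addresses and query name are copied from the page's own log,
# the selection of lines is ours.
SAMPLE_LOG = """\
30-Mar-2025 16:14:03.243 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
30-Mar-2025 16:14:03.247 lame-servers: info: network unreachable resolving './NS/IN': 2001:7fe::53#53
30-Mar-2025 16:14:03.451 resolver: debug 1: resolver priming query complete: success
30-Mar-2025 16:14:34.679 queries: info: client @0x7f438c1c2988 127.0.0.1#37297 (push.services.mozilla.com): query: push.services.mozilla.com IN A +E(0)K (127.0.0.1)
30-Mar-2025 16:14:34.739 lame-servers: info: network unreachable resolving 'mozilla.com/NS/IN': 2001:502:7094::30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/AAAA/IN': 2001:502:1ca1::30#53
30-Mar-2025 16:14:34.843 lame-servers: info: network unreachable resolving 'ns4-64.akam.net/A/IN': 2001:502:8cc::30#53
30-Mar-2025 16:14:34.899 query-errors: info: client @0x7f438c1c2988 127.0.0.1#37297 (push.services.mozilla.com): query failed (SERVFAIL) for push.services.mozilla.com/IN/A at query.c:7841
"""

# "<date> <time> <category>: <severity>: <message>"; severity may be "debug 1".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+(?: \d+)?): (?P<msg>.*)$"
)
UNREACHABLE_RE = re.compile(
    r"network unreachable resolving '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/IN': "
    r"(?P<addr>[^#]+)#(?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"query failed \((?P<reason>[^)]+)\) for (?P<qname>\S+)/IN/(?P<qtype>\S+)"
)


def analyse_bind_log(log_text):
    """Summarise unreachable upstreams, priming state and failed client queries."""
    by_family = Counter()      # "IPv4" / "IPv6" -> number of unreachable complaints
    targets = set()            # distinct unreachable nameserver addresses
    failed = []                # (qname, qtype, reason) from the query-errors category
    priming_ok = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        category, msg = m.group("category"), m.group("msg")
        if category == "lame-servers":
            u = UNREACHABLE_RE.search(msg)
            if u:
                addr = ipaddress.ip_address(u.group("addr"))
                by_family["IPv%d" % addr.version] += 1
                targets.add(str(addr))
        elif category == "query-errors":
            f = FAILED_RE.search(msg)
            if f:
                failed.append((f.group("qname"), f.group("qtype"), f.group("reason")))
        elif category == "resolver" and msg == "resolver priming query complete: success":
            priming_ok = True
    return {
        "unreachable_by_family": dict(by_family),
        "unreachable_targets": sorted(targets),
        "priming_ok": priming_ok,
        "failed_queries": failed,
    }


def classify(report):
    """Our own labels: do the unreachable complaints concern IPv6 targets only?"""
    fam = report["unreachable_by_family"]
    if not report["failed_queries"]:
        return "ok"
    if fam.get("IPv6", 0) and not fam.get("IPv4", 0):
        # Consistent with a host that has no IPv6 route, not with broken nameservers.
        return "ipv6-only-unreachable"
    return "upstream-or-network-failure"


if __name__ == "__main__":
    report = analyse_bind_log(SAMPLE_LOG)
    print(report)
    print(classify(report))
```

Run it against the real file with `analyse_bind_log(open("/var/log/named/query.log").read())`; a result of `ipv6-only-unreachable` with `priming_ok` set to True is exactly the picture the log above paints, and it says that the unreachable complaints alone do not explain the SERVFAIL.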
To verify our IPv6 routing table and network addresses, ensuring no dual-stack connectivity issues or packet drops, we examine the AF_INET6 routing table:
root@ubu2204:/etc/bind# ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
root@ubu2204:/etc/bind# ip -6 -br addr show
lo               UNKNOWN        ::1/128
enp1s0           UP             fe80::5054:ff:fed0:88d8/64
Everything appears normal. This network is IPv4-only, and the Linux kernel
assigns a link-local unicast address from the fe80::/10 range, consistent with
longstanding practice in Linux, or any modern OS for that matter. It
is difficult to find an OS in the data center that is not dual-stack capable
out of the box. With no default IPv6 route present, only link-local fe80::/10
packets are transmitted; everything else results in a network unreachable error.
Let BIND9 ignore all IPv6 nameservers
There is a trick that can prevent BIND from communicating with specific servers of our choosing, intended for cases where we know that certain DNS servers are malfunctioning. We could abuse this option in this scenario. To ignore the entire IPv6 address space for our testing purposes, we can use the following snippet in our named.conf file.
options {
...
blackhole {
::0/0;
};
...
};
According to the documentation, this option defines an address match list of hosts to ignore, where the server will neither respond to queries from nor send queries to these addresses.
This is precisely what we aim to achieve here. Now, let us verify whether this configuration has successfully prompted BIND9 to ignore IPv6 and only use authoritative servers over IPv4:
root@ubu2204:/etc/bind# echo -n '' >/var/log/named/query.log
root@ubu2204:/etc/bind# systemctl restart named
root@ubu2204:/etc/bind# cat /var/log/named/query.log
30-Mar-2025 16:31:50.102 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 16:31:50.102 resolver: debug 1: fetch: ./NS
30-Mar-2025 16:31:50.150 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 16:31:50.286 resolver: debug 1: resolver priming query complete: success
Luckily, we're witnessing some good progress, with the elimination of the annoying lame-servers warnings for the unreachable IPv6 address space, so let's test it again:
root@ubu2204:/etc/bind# dig @127.0.0.1 push.services.mozilla.com A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 push.services.mozilla.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35781
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2cedee529fd328cb0100000067e9726aa1c882324193fdc6 (good)
;; QUESTION SECTION:
;push.services.mozilla.com.     IN      A

;; Query time: 371 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 30 16:33:46 UTC 2025
;; MSG SIZE  rcvd: 82
root@ubu2204:/etc/bind# cat /var/log/named/query.log
30-Mar-2025 16:33:46.586 queries: info: client @0x7f1a501c5ec8 127.0.0.1#39540 (push.services.mozilla.com): query: push.services.mozilla.com IN A +E(0)K (127.0.0.1)
30-Mar-2025 16:33:46.586 resolver: debug 1: fetch: push.services.mozilla.com/A
30-Mar-2025 16:33:46.586 resolver: debug 1: fetch: com/NS
30-Mar-2025 16:33:46.646 resolver: debug 1: fetch: mozilla.com/NS
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: services.mozilla.com/NS
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns4-64.akam.net/A
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns4-64.akam.net/AAAA
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns5-65.akam.net/A
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns5-65.akam.net/AAAA
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns7-66.akam.net/A
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns7-66.akam.net/AAAA
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns1-240.akam.net/A
30-Mar-2025 16:33:46.698 resolver: debug 1: fetch: ns1-240.akam.net/AAAA
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-258.awsdns-32.com/A
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-258.awsdns-32.com/AAAA
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-679.awsdns-20.net/A
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-679.awsdns-20.net/AAAA
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-1471.awsdns-55.org/A
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-1471.awsdns-55.org/AAAA
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-1655.awsdns-14.co.uk/A
30-Mar-2025 16:33:46.890 resolver: debug 1: fetch: ns-1655.awsdns-14.co.uk/AAAA
30-Mar-2025 16:33:46.958 query-errors: info: client @0x7f1a501c5ec8 127.0.0.1#39540 (push.services.mozilla.com): query failed (failure) for push.services.mozilla.com/IN/A at query.c:7841
Unfortunately, we still encounter a SERVFAIL response. Although BIND9 has
abandoned its attempts to communicate with IPv6 networks, it still retrieves NS
records of domains in the chain for both IPv4 and IPv6 address families. This is
logical, as it must first obtain AAAA records for all NS servers before it can
conclude which ones match our defined blackhole.
tcpdump to the rescue
It is about time to catch BIND9 in the act with tcpdump and look for
some clues there. First, let's see how many queries are sent. Below is
a snippet from a PCAP file, decoded as text by Wireshark, which decodes
the DNS packets for us, although we lose the Sections, Flags and Rcode. First,
a filter to only list DNS queries on the wire:
No. Time Source Destination Protocol Length Info
31 12.731132 192.168.0.20 198.97.190.53 DNS 86 Standard query 0xa479 NS com OPT
33 12.789699 192.168.0.20 192.48.79.30 DNS 94 Standard query 0xac7b NS mozilla.com OPT
35 12.841169 192.168.0.20 198.97.190.53 DNS 98 Standard query 0x709e A ns4-64.akam.net OPT
36 12.841280 192.168.0.20 198.97.190.53 DNS 98 Standard query 0x2449 AAAA ns4-64.akam.net OPT
37 12.841320 192.168.0.20 198.97.190.53 DNS 98 Standard query 0x3c20 A ns5-65.akam.net OPT
38 12.841362 192.168.0.20 198.97.190.53 DNS 98 Standard query 0xbec9 AAAA ns5-65.akam.net OPT
39 12.841395 192.168.0.20 198.97.190.53 DNS 98 Standard query 0xb55c A ns7-66.akam.net OPT
40 12.841432 192.168.0.20 198.97.190.53 DNS 98 Standard query 0x7ff8 AAAA ns7-66.akam.net OPT
41 12.841519 192.168.0.20 198.97.190.53 DNS 99 Standard query 0x3208 A ns1-240.akam.net OPT
42 12.841580 192.168.0.20 198.97.190.53 DNS 99 Standard query 0xa938 AAAA ns1-240.akam.net OPT
45 12.897763 192.168.0.20 192.48.79.30 DNS 98 Standard query 0xedb0 A ns5-65.akam.net OPT
46 12.897821 192.168.0.20 192.48.79.30 DNS 98 Standard query 0xe1c8 AAAA ns4-64.akam.net OPT
48 12.898833 192.168.0.20 192.48.79.30 DNS 98 Standard query 0xc640 A ns4-64.akam.net OPT
50 12.907372 192.168.0.20 192.48.79.30 DNS 98 Standard query 0x48ac AAAA ns5-65.akam.net OPT
52 12.908306 192.168.0.20 192.48.79.30 DNS 98 Standard query 0x1fce A ns7-66.akam.net OPT
54 12.909391 192.168.0.20 192.48.79.30 DNS 98 Standard query 0xee3c AAAA ns7-66.akam.net OPT
57 12.917976 192.168.0.20 192.48.79.30 DNS 99 Standard query 0x5777 A ns1-240.akam.net OPT
58 12.918031 192.168.0.20 192.48.79.30 DNS 99 Standard query 0x4793 AAAA ns1-240.akam.net OPT
60 12.956048 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x5967 A ns5-65.akam.net OPT
62 12.962253 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x8251 AAAA ns4-64.akam.net OPT
64 12.963301 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x76d9 A ns4-64.akam.net OPT
66 12.964083 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x4b3e AAAA ns5-65.akam.net OPT
69 12.965082 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x4412 A ns7-66.akam.net OPT
70 12.965626 192.168.0.20 184.26.160.67 DNS 98 Standard query 0x2818 AAAA ns7-66.akam.net OPT
72 12.978969 192.168.0.20 184.26.160.67 DNS 99 Standard query 0xcc21 A ns1-240.akam.net OPT
74 12.982219 192.168.0.20 184.26.160.67 DNS 99 Standard query 0xc9f2 AAAA ns1-240.akam.net OPT
76 13.026535 192.168.0.20 184.85.248.65 DNS 103 Standard query 0xa592 NS services.mozilla.com OPT
85 13.225917 192.168.0.20 192.48.79.30 DNS 103 Standard query 0x1ea0 A ns-258.awsdns-32.com OPT
86 13.225937 192.168.0.20 192.48.79.30 DNS 103 Standard query 0xee50 AAAA ns-258.awsdns-32.com OPT
87 13.225942 192.168.0.20 192.48.79.30 DNS 103 Standard query 0x7f5c A ns-679.awsdns-20.net OPT
88 13.225947 192.168.0.20 192.48.79.30 DNS 103 Standard query 0xcf94 AAAA ns-679.awsdns-20.net OPT
The number of queries is remarkably low, amounting to a modest total of 31
queries, which starts from the com zone. While it is far from an ideal
scenario, we have the advantage of all NS servers on the recursion path
possessing dual-stack capabilities. Considering the default limit for
max-recursion-queries is 50 for BIND 9.18.30, we are quite far from reaching
that threshold. Nevertheless, let us investigate the DNS Response packets to all
those queries:
No. Time Source Destination Protocol Length Info
32 12.788728 198.97.190.53 192.168.0.20 DNS 1205 Standard query response 0xa479 NS com NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
34 12.838857 192.48.79.30 192.168.0.20 DNS 532 Standard query response 0xac7b NS mozilla.com NS ns1-240.akam.net NS ns7-66.akam.net NS ns5-65.akam.net NS ns4-64.akam.net NSEC3 RRSIG NSEC3 RRSIG OPT
43 12.895923 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0x3c20 A ns5-65.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
44 12.896978 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0x2449 AAAA ns4-64.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
47 12.898160 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0x709e A ns4-64.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
49 12.906449 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0xbec9 AAAA ns5-65.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
51 12.907577 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0xb55c A ns7-66.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
53 12.908654 198.97.190.53 192.168.0.20 DNS 1214 Standard query response 0x7ff8 AAAA ns7-66.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
55 12.916370 198.97.190.53 192.168.0.20 DNS 1215 Standard query response 0x3208 A ns1-240.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
56 12.917111 198.97.190.53 192.168.0.20 DNS 1215 Standard query response 0xa938 AAAA ns1-240.akam.net NS a.gtld-servers.net NS b.gtld-servers.net NS c.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS h.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS k.gtld-servers.net NS l.gtld-servers.net NS m.gtld-servers.net DS RRSIG A 192.5.6.30 A 192.33.14.30 A 192.26.92.30 A 192.31.80.30 A 192.12.94.30 A 192.35.51.30 A 192.42.93.30 A 192.54.112.30 A 192.43.172.30 A 192.48.79.30 A 192.52.178.30 A 192.41.162.30 A 192.55.83.30 AAAA 2001:503:a83e::2:30 AAAA 2001:503:231d::2:30 AAAA 2001:503:83eb::30 AAAA 2001:500:856e::30 AAAA 2001:502:1ca1::30 AAAA 2001:503:d414::30 AAAA 2001:503:eea3::30 AAAA 2001:502:8cc::30 AAAA 2001:503:39c1::30 AAAA 2001:502:7094::30 AAAA 2001:503:d2d::30 AAAA 2001:500:d937::30 AAAA 2001:501:b1f9::30 OPT
59 12.955032 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0xedb0 A ns5-65.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
61 12.961475 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0xe1c8 AAAA ns4-64.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
63 12.962670 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0xc640 A ns4-64.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
65 12.963527 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0x48ac AAAA ns5-65.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
67 12.964368 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0x1fce A ns7-66.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
68 12.964979 192.48.79.30 192.168.0.20 DNS 960 Standard query response 0xee3c AAAA ns7-66.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT
71 12.978177 192.48.79.30 192.168.0.20 DNS 961 Standard query response 0x5777 A ns1-240.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net
NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT 73 12.981443 192.48.79.30 192.168.0.20 DNS 961 Standard query response 0x4793 AAAA ns1-240.akam.net NS a18-67.akam.net NS a28-67.akam.net NS a22-67.akam.net NS a11-67.akam.net NS a1-67.akam.net NS a12-67.akam.net NS a4-67.akam.net NS a6-67.akam.net NSEC3 RRSIG NSEC3 RRSIG AAAA 2600:1480:4800::43 A 95.101.36.67 AAAA 2600:1480:d800::43 A 95.100.173.67 A 23.211.61.67 AAAA 2600:1480:7800::43 AAAA 2600:1480:1::43 A 84.53.139.67 A 193.108.91.67 AAAA 2600:1401:2::43 A 184.26.160.67 AAAA 2600:1480:f000::43 AAAA 2600:1480:9000::43 A 72.246.46.67 A 23.211.133.67 AAAA 2600:1401:1::43 OPT 75 13.023833 184.26.160.67 192.168.0.20 DNS 102 Standard query response 0x5967 A ns5-65.akam.net A 184.85.248.65 OPT 77 13.034236 184.26.160.67 192.168.0.20 DNS 152 Standard query response 0x8251 AAAA ns4-64.akam.net SOA internal.akam.net OPT 78 13.035561 184.26.160.67 192.168.0.20 DNS 152 Standard query response 0x4b3e AAAA ns5-65.akam.net SOA internal.akam.net OPT 79 13.037305 184.26.160.67 192.168.0.20 DNS 102 Standard query response 0x76d9 A ns4-64.akam.net A 84.53.139.64 OPT 80 13.040924 184.26.160.67 192.168.0.20 DNS 152 Standard query response 0x2818 AAAA ns7-66.akam.net SOA internal.akam.net OPT 81 13.041386 184.26.160.67 192.168.0.20 DNS 102 Standard query response 0x4412 A ns7-66.akam.net A 96.7.49.66 OPT 82 13.046981 184.26.160.67 192.168.0.20 DNS 103 Standard query response 0xcc21 A ns1-240.akam.net A 193.108.91.240 OPT 83 13.049779 184.26.160.67 192.168.0.20 DNS 115 Standard query response 0xc9f2 AAAA ns1-240.akam.net AAAA 2600:1401:2::f0 OPT 84 13.225000 184.85.248.65 
192.168.0.20 DNS 228 Standard query response 0xa592 NS services.mozilla.com NS ns-258.awsdns-32.com NS ns-1655.awsdns-14.co.uk NS ns-679.awsdns-20.net NS ns-1471.awsdns-55.org OPT 89 13.282766 192.48.79.30 192.168.0.20 DNS 718 Standard query response 0xcf94 AAAA ns-679.awsdns-20.net NS g-ns-469.awsdns-20.net NS g-ns-790.awsdns-20.net NS g-ns-1364.awsdns-20.net NS g-ns-1940.awsdns-20.net NSEC3 RRSIG NSEC3 RRSIG A 205.251.193.213 AAAA 2600:9000:5301:d500::1 A 205.251.195.22 AAAA 2600:9000:5303:1600::1 A 205.251.197.84 AAAA 2600:9000:5305:5400::1 A 205.251.199.148 AAAA 2600:9000:5307:9400::1 OPT 90 13.284475 192.48.79.30 192.168.0.20 DNS 718 Standard query response 0x7f5c A ns-679.awsdns-20.net NS g-ns-469.awsdns-20.net NS g-ns-790.awsdns-20.net NS g-ns-1364.awsdns-20.net NS g-ns-1940.awsdns-20.net NSEC3 RRSIG NSEC3 RRSIG A 205.251.193.213 AAAA 2600:9000:5301:d500::1 A 205.251.195.22 AAAA 2600:9000:5303:1600::1 A 205.251.197.84 AAAA 2600:9000:5305:5400::1 A 205.251.199.148 AAAA 2600:9000:5307:9400::1 OPT 91 13.284970 192.48.79.30 192.168.0.20 DNS 717 Standard query response 0xee50 AAAA ns-258.awsdns-32.com NS g-ns-33.awsdns-32.com NS g-ns-608.awsdns-32.com NS g-ns-1184.awsdns-32.com NS g-ns-1760.awsdns-32.com NSEC3 RRSIG NSEC3 RRSIG A 205.251.192.33 AAAA 2600:9000:5300:2100::1 A 205.251.194.96 AAAA 2600:9000:5302:6000::1 A 205.251.196.160 AAAA 2600:9000:5304:a000::1 A 205.251.198.224 AAAA 2600:9000:5306:e000::1 OPT 92 13.286668 192.48.79.30 192.168.0.20 DNS 717 Standard query response 0x1ea0 A ns-258.awsdns-32.com NS g-ns-33.awsdns-32.com NS g-ns-608.awsdns-32.com NS g-ns-1184.awsdns-32.com NS g-ns-1760.awsdns-32.com NSEC3 RRSIG NSEC3 RRSIG A 205.251.192.33 AAAA 2600:9000:5300:2100::1 A 205.251.194.96 AAAA 2600:9000:5302:6000::1 A 205.251.196.160 AAAA 2600:9000:5304:a000::1 A 205.251.198.224 AAAA 2600:9000:5306:e000::1 OPT
All DNS responses appear to be valid, and upon inspection, nothing suspicious arises. However, the extent of the recursion is of interest. To our surprise, the recursion was not deep. The resolver initiated the query for mozilla.com and then branched to ns5-65.akam.net, which in turn led to the .net gTLD servers, ultimately terminating at the NS servers hosted on Route53. Interestingly, the resolver also branched out to servers for the .org and .co.uk top-level domains but not further.
Clearly the query was not fully resolved; BIND9 stopped half way. But did we actually hit the maximum recursion depth, which has a relatively low default of 7 in BIND 9.18.x?
Bumping max-recursion-depth and max-recursion-queries
Another set of tests, this time let's double the max-recursion-depth and
max-recursion-queries from the default values for this BIND9 version.
options {
...
max-recursion-queries 100; // double the default
max-recursion-depth 14; // double the default
...
};
Surprisingly, we still get a SERVFAIL response from BIND9, but a few more DNS
packets were captured this time around.
A total of 47 DNS queries were sent, and 47 responses were received.
We do see an improvement of sorts, albeit we are still far from the
max-recursion-queries of 100 and max-recursion-depth of 14. And while we
could increase those limits further and further to eventually get it working,
there must be something going wrong with the algorithm.
So let's take a step back and run named in IPv4-only mode with the default limits
of max-recursion-depth 7; and max-recursion-queries 50;.
Taking a step back
Our next test was to go back to the default BIND9 recursion limits, but this time
we run named -4 in order to disable the AF_INET6 address family. Here
are the results:
root@ubu2204:/etc/bind# echo -n '' >/var/log/named/query.log
root@ubu2204:/etc/bind# systemctl restart named
root@ubu2204:/etc/bind# dig @127.0.0.1 push.services.mozilla.com A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 push.services.mozilla.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45134
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 171a0ef4cf3b95f00100000067e982fa0bd4430b074272c8 (good)
;; QUESTION SECTION:
;push.services.mozilla.com. IN A

;; ANSWER SECTION:
push.services.mozilla.com. 60 IN A 34.107.243.93

;; Query time: 731 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 30 17:44:26 UTC 2025
;; MSG SIZE rcvd: 98

root@ubu2204:/etc/bind# cat /var/log/named/query.log
30-Mar-2025 17:44:20.455 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 17:44:20.459 resolver: debug 1: fetch: ./NS
30-Mar-2025 17:44:20.603 resolver: debug 1: fetch: ./DNSKEY
30-Mar-2025 17:44:20.743 resolver: debug 1: resolver priming query complete: success
30-Mar-2025 17:44:25.399 queries: info: client @0x7f49701bb698 127.0.0.1#56857 (push.services.mozilla.com): query: push.services.mozilla.com IN A +E(0)K (127.0.0.1)
30-Mar-2025 17:44:25.399 resolver: debug 1: fetch: push.services.mozilla.com/A
30-Mar-2025 17:44:25.399 resolver: debug 1: fetch: ./NS
30-Mar-2025 17:44:25.399 resolver: debug 1: fetch: com/NS
30-Mar-2025 17:44:25.443 resolver: debug 1: fetch: mozilla.com/NS
30-Mar-2025 17:44:25.443 resolver: debug 1: resolver priming query complete: success
30-Mar-2025 17:44:25.499 resolver: debug 1: fetch: services.mozilla.com/NS
30-Mar-2025 17:44:25.499 resolver: debug 1: fetch: ns4-64.akam.net/A
30-Mar-2025 17:44:25.499 resolver: debug 1: fetch: ns5-65.akam.net/A
30-Mar-2025 17:44:25.499 resolver: debug 1: fetch: ns7-66.akam.net/A
30-Mar-2025 17:44:25.499 resolver: debug 1: fetch: ns1-240.akam.net/A
30-Mar-2025 17:44:25.855 resolver: debug 1: fetch: ns-258.awsdns-32.com/A
30-Mar-2025 17:44:25.855 resolver: debug 1: fetch: ns-679.awsdns-20.net/A
30-Mar-2025 17:44:25.855 resolver: debug 1: fetch: ns-1471.awsdns-55.org/A
30-Mar-2025 17:44:25.855 resolver: debug 1: fetch: ns-1655.awsdns-14.co.uk/A
30-Mar-2025 17:44:26.019 resolver: debug 1: fetch: mozilla.com/DS
30-Mar-2025 17:44:26.075 resolver: debug 1: fetch: com/DNSKEY
We have finally received a response on the first attempt, but we must hold off for a moment, as this doesn't quite add up.
When running in standard dual-stack mode with double the recursion limits, we experienced failure, yet we are now receiving a correct response on the first try when operating solely in IPv4 mode with an empty cache. We need to delve further.
Theoretical DNS and Networking
Let's engage in a theoretical exercise regarding DNS resolution. We have two independent networks – the IPv4 network and the IPv6 network.
The question is simple: Should you ever operate your recursive resolver on only one network? Specifically, should it be limited to the IPv4 or IPv6 network?
The general answer for the year 2025 is: NO, you shouldn't.
The underlying rationale is simple. If you run a recursive resolver solely on IPv6, but encounter domains whose NS are only accessible via IPv4, resolution will fail. Conversely, if your recursive resolver is set up to operate exclusively on IPv4, and you attempt to resolve domains whose NS servers are only reachable over IPv6, resolution will fail.
However, there's a catch. What would happen if you configure BIND 9.18 as a recursive resolver correctly in a dual-stack network, with proper connectivity to both IPv4 and IPv6? In such circumstances, everything would function normally – until the point where an isolated or extended routing outage of either IPv4 or IPv6 occurs for several hours, leaving you temporarily reliant on only one network family.
When this situation arises, keeping default recursive limits may cause a major
pain. You are essentially forced to triple limits for max-recursion-queries
during a network family outage. Failure to do so may cause the resolver to
randomly return a SERVFAIL response for domains that possess NS servers on both
networks, especially so if cache is empty or expired.
Did anybody complain about it already?
There are some reports on the Slackware forum, dated 10th of August 2024: bind-lots-of-query-failures-after-upgrading-to-9-18
The general consensus was that max-recursion-depth 7; was not the culprit, but
that the total query limit of 50 was too low. So, what would be the settings for
running bind9 in dual-stack mode, but having only IPv4 routing operational?
During my experiments, the values that allowed us to resolve this FQDN were:
max-recursion-queries 128;
max-recursion-depth 7;
During the testing, tcpdump captured 50 queries and 50 responses, and DNSSEC validated correctly. However, something doesn't feel quite right: 50 queries captured on the wire is far from the limit of 100 where it failed previously, while 128 was just about right.
The algorithm?
Recently, an excellent article by the chief scientist at APNIC addressed how to deploy Authoritative name servers in the dual-stack world of both IPv4 and IPv6. Focusing on how different resolvers (in general) and BIND9 resolver (in particular) query servers based on network address family when running dual-stacked, the article provides valuable insights:
According to the study linked above, when BIND9 is acting as a resolver, it should send queries to both IPv4 and IPv6 simultaneously. For domains with fewer than five NS (name server) records, BIND should send slightly more queries to IPv4 than IPv6. Conversely, for domains with five or more NS records, the opposite occurs.
However, it's essential to note that the article does not focus on the BIND9
resolver algorithm per se but rather presents conclusions based on the analysis
of actual queries on the wire in an ideal scenario. By ideal scenario, I mean
having a fully working dual-stack connectivity. Consequently, it doesn't address
any runtime settings that could influence the results, such as the v6-bias
option for BIND.
In our scenario, because there is no routing entry for the IPv6 address space,
we see zero DNS queries on the wire over IPv6 at all. Additionally,
we instruct bind to blackhole the entire ::0/0 IPv6 space.
Let's take a quick look at resolver.c from the bind-9.18 branch:
resolver.c
Quickly going through the code and skimming over every DNS_R_SERVFAIL, it appears that
exceeding max-recursion-queries and max-query-count should trigger a nice
message in the logs in multiple places, which did not happen during our testing.
/* fragment of resolver.c: per-fetch query counter (max-recursion-queries) */
result = isc_counter_increment(fctx->qc);
if (result != ISC_R_SUCCESS) {
	/* only emitted when the resolver category logs at debug level 3 or higher */
	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
		      "exceeded max queries resolving '%s' "
		      "(max-recursion-queries, querycount=%u)",
		      fctx->info, isc_counter_used(fctx->qc));
	fctx_done_detach(&fctx, DNS_R_SERVFAIL);
	return;
}
/* global counter (max-query-count); optional, hence the NULL check */
if (fctx->gqc != NULL) {
	result = isc_counter_increment(fctx->gqc);
	if (result != ISC_R_SUCCESS) {
		/* same debug level 3 as above */
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
			      "exceeded global max queries resolving "
			      "'%s' (max-query-count, querycount=%u)",
			      fctx->info, isc_counter_used(fctx->gqc));
		fctx_done_detach(&fctx, DNS_R_SERVFAIL);
		return;
	}
}
While the codebase presents challenges beyond my current understanding, it
appears that unreachable IPv6 addresses can paradoxically accelerate counter
increments, regardless of whether or not we blackhole the entire IPv6 address
space in named.conf. This suggests that if you operate a dual-stacked network
and encounter routing problems on one network family, debugging and managing
the default limits becomes exceedingly difficult due to inadequate logging,
even in debug mode. Clearly, heavily raising max-recursion-queries fixes the
situation, but if we reach the limit, it should be properly logged. That is
not what we could observe.
A better approach for the BIND9 developers would be to maintain success
and total counters per network family: one pair of counters for the IPv4
address family and one pair of counters for the IPv6 address family, and to treat any
valid DNS response packet as an event that increments the success counter. But how
should this limit be handled with two pairs of counters? Here is our proposal:
- The purpose of the success counter per address family per resolution context would be to determine whether BIND is capable of receiving at least one successful answer. Any DNS packet should be considered a valid answer.
- When both total counters reach the max-recursion-queries limit, we can safely log it and return SERVFAIL. This is the point where we have reached the limit.
- When one of the total counters reaches max-recursion-queries, there are two options:
  - the success counter for this address family is zero: in this case, we stop any further queries only for this address family on this recursion context, but we continue with the other remaining address family;
  - the success counter for this address family is higher than zero: we can assume the network is working because we received at least one valid DNS response, so we can safely say that we have reached the max-recursion-queries limit; we log and SERVFAIL.
- In any case, blackhole ... cidr or server ... bogus yes; blocks should not increase the total counter. Those should not even be tried in the algorithm to begin with. They should be treated as excluded entirely from the recursion algorithm.
- If there are no valid IPv4 or IPv6 addresses left to continue with, we should log it and SERVFAIL.
This approach would ensure that even if you run it on dual-stack network, and
you encounter a temporary network outage, or you start with an IPv4 only network,
the algorithm would work as-if it were ran with bind -4, or bind -6, but
would auto-recover once your routing get back on both networks.
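To make the proposal concrete, here is an added toy model of the per-family accounting, run against the scenario above (IPv6 unrouted and silent, IPv4 healthy) with the current single shared counter beside it for comparison. It is our own illustration, not BIND code; every name in it (rctx, fam_ctx, recursion_account_query, the simulate and shared-counter helpers) is invented.

```c
#include <stdbool.h>
/* Added model of the per-address-family counter proposal above. This is not
 * BIND code: every name here (fam_ctx, rctx, recursion_*) is invented. */
enum family { FAM_V4, FAM_V6, FAM_COUNT };
enum action {
    ACT_CONTINUE,        /* send the query on this family */
    ACT_SKIP_FAMILY,     /* family dead or blackholed: carry on with the other one */
    ACT_SERVFAIL_LIMIT,  /* max-recursion-queries genuinely reached: log it, SERVFAIL */
    ACT_SERVFAIL_NOADDR  /* no usable address family left: log it, SERVFAIL */
};
struct fam_ctx { unsigned total, success; bool excluded; };
struct rctx { unsigned max_recursion_queries; struct fam_ctx fam[FAM_COUNT]; };

/* A family may take another query unless it is blackholed or at its limit. */
static bool family_usable(const struct rctx *r, enum family f) {
    return !r->fam[f].excluded && r->fam[f].total < r->max_recursion_queries;
}
/* Any valid DNS response on `f` is proof that this family's network works. */
void recursion_record_response(struct rctx *r, enum family f) { r->fam[f].success++; }

/* Call before each outgoing query on `f`; returns what the resolver should do. */
enum action recursion_account_query(struct rctx *r, enum family f) {
    enum family other = (f == FAM_V4) ? FAM_V6 : FAM_V4;
    if (family_usable(r, f)) {          /* blackholed families are never counted */
        r->fam[f].total++;
        return ACT_CONTINUE;
    }
    if (!r->fam[f].excluded && r->fam[f].success > 0)
        return ACT_SERVFAIL_LIMIT;       /* it answered before, so the limit is real */
    if (family_usable(r, other))
        return ACT_SKIP_FAMILY;          /* silent family: treat it as an outage */
    return r->fam[other].total >= r->max_recursion_queries
               ? ACT_SERVFAIL_LIMIT : ACT_SERVFAIL_NOADDR;   /* both exhausted */
}

/* The blog's scenario: IPv6 unrouted (never answers), IPv4 healthy; alternate
 * families until `v4_needed` answers arrive. ACT_CONTINUE means it resolved. */
enum action simulate_v6_outage(unsigned limit, unsigned v4_needed, bool v6_blackholed) {
    struct rctx r = { .max_recursion_queries = limit };
    r.fam[FAM_V6].excluded = v6_blackholed;
    enum family f = FAM_V6;
    for (unsigned answers = 0; answers < v4_needed;) {
        f = (f == FAM_V4) ? FAM_V6 : FAM_V4;
        enum action a = recursion_account_query(&r, f);
        if (a == ACT_SKIP_FAMILY) continue;
        if (a != ACT_CONTINUE) return a;
        if (f == FAM_V4) { recursion_record_response(&r, f); answers++; }
    }
    return ACT_CONTINUE;
}

/* Same scenario under today's single shared counter (the snippet above):
 * every attempt, answered or not, consumes the same budget. */
bool shared_counter_resolves(unsigned limit, unsigned v4_needed) {
    unsigned used = 0;
    enum family f = FAM_V6;
    for (unsigned answers = 0; answers < v4_needed;) {
        f = (f == FAM_V4) ? FAM_V6 : FAM_V4;
        if (used++ >= limit) return false;   /* counter exhausted -> DNS_R_SERVFAIL */
        if (f == FAM_V4) answers++;
    }
    return true;
}
```

With the default limit of 50 the shared counter gives up after 25 answered IPv4 queries, because every unanswered IPv6 attempt spends the same budget, whereas the per-family model still resolves and only returns SERVFAIL once the family that actually answers has hit the limit.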
If you decide to run BIND9 exclusively on IPv4, do not run it as a fully recursive resolver with default settings, but rather run it as a DNS forwarder to a recursive resolver capable of dual stacking instead.
You can also execute BIND solely in IPv4 mode using the command line option
named -4, though I strongly advocate for a more comprehensive approach: all
resolvers or authoritative servers on the public internet by 2025 should embrace
dual stacking.
How about BIND 9.20.7?
We have examined Ubuntu versions 22.04 and 24.04, both utilizing BIND 9.18 (9.18.30-0ubuntu0.24.04.2). In light of these findings, we decided to investigate if the issue in question has been addressed in the newer BIND 9.20.7. To facilitate testing, we quickly compiled the latest BIND 9.20.7 code to explore this specific use case.
$ ./configure --prefix=/usr/local/bind-9.20 --disable-doh
Configuration summary:
-------------------------------------------------------------------------------
Optional features enabled:
Memory allocator: jemalloc
DNSSEC validation active by default (--enable-auto-validation)
-------------------------------------------------------------------------------
Library versions:
OpenSSL: 3.0.2
libuv: 1.43.0
Userspace-RCU: 0.13.1
jemalloc: 5.2.1_0
-------------------------------------------------------------------------------
Features disabled or unavailable on this platform:
Allow 'dnstap' packet logging (--enable-dnstap)
GeoIP2 access control (--enable-geoip)
GSS-API (--with-gssapi)
DNS Response Policy Service interface (--enable-dnsrps)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
FIPS mode in OpenSSL (--enable-fips-mode)
Very verbose query trace logging (--enable-querytrace)
Single-query trace logging (--enable-singletrace)
CMocka Unit Testing Framework (--with-cmocka)
XML statistics (--with-libxml2)
JSON statistics (--with-json-c)
HTTP zlib compression (--with-zlib)
LMDB database to store configuration for 'addzone' zones (--with-lmdb)
IDN support (--with-libidn2)
-------------------------------------------------------------------------------
Configured paths:
prefix: /usr/local/bind-9.20
sysconfdir: ${prefix}/etc
localstatedir: ${prefix}/var
-------------------------------------------------------------------------------
Compiler: gcc
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Unfortunately, the exact same behaviour is encountered with the newest BIND.
root@ubu2204:/etc/bind# systemctl stop named.service
root@ubu2204:/etc/bind# /usr/local/bind-9.20/sbin/named -C | grep 'max-recursion-\|max-quer'
max-recursion-depth 7;
max-recursion-queries 50;
max-query-count 200;
max-query-restarts 11;
root@ubu2204:/etc/bind# cat named.conf.options
... output trimmed ...
options {
directory "/var/cache/bind";
allow-query { any; };
allow-recursion { dcnet; };
recursion yes; // this is the default
dnssec-validation auto;
listen-on-v6 { any; };
max-recursion-queries 50;
max-recursion-depth 7;
};
... output trimmed
root@ubu2204:/etc/bind# /usr/local/bind-9.20/sbin/named -c /etc/bind/named.conf -u bind -f -v
BIND 9.20.7 (Stable Release) <id:305df58>
root@ubu2204:/etc/bind# /usr/local/bind-9.20/sbin/named -c /etc/bind/named.conf -u bind -f
From another terminal:
root@ubu2204:/etc/bind# dig @127.0.0.1 push.services.mozilla.com A

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 push.services.mozilla.com A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49092
... output trimmed
root@ubu2204:/etc/bind# dig +short @127.0.0.1 -t TXT -c CH version.bind
"9.20.7"
How it all ended
Ultimately, the design was altered and the initial BIND requirement was
dropped. We decided to employ Unbound as the recursive resolver on the edge. In
this setup, BIND9 was still used, but only to serve internal authoritative zones
while also functioning as a forwarder directing traffic towards a cluster of
Unbound servers. The deployment of Unbound adhered strictly to RFC 8806
guidelines and additionally incorporated QNAME minimisation, proving to be a
success with no need for subsequent adjustments or regrets.
Personally, I found it funny that BIND9 yet again demonstrated its questionable reliability and resilience, living up to its poor reputation, after 25 years of development. The additional day spent investigating what should have been a simple two hour task compels us to thoroughly document this experience.