The caching name server with bind returns SERVFAIL for a query to some specific domain names only in Red Hat Enterprise Linux 7

Solution Unverified - Updated -

Environment

Red Hat Enterprise Linux 7

Issue

  • We have a caching name server running BIND which queries external DNS servers on behalf of the clients and caches the results.
  • The caching name server returns a SERVFAIL error only for some specific domain names.
  • All of those domain names share the same authoritative name server.
  • What causes the SERVFAIL error?

Resolution

The proper fix is to correct the misconfiguration in the external (authoritative) name server.
As a workaround, using Unbound as the caching name server may avoid the problem, because Unbound follows a CNAME found in an NS record; note that following such records is not required, since a CNAME in an NS record violates the RFC.

Root Cause

This may happen when the authoritative name server is misconfigured.

The following are the misconfigurations we observed for those domain names.

1) The NS records for those domain names returned by the authoritative name server do not match those returned by the name server of the parent zone, so the delegation is inconsistent.

2) The authoritative name server returned an IP address in response to a query for the NS record of those domain names. RFC 1035 section 3.3.11 specifies that the data of an NS record is a domain name, so such a record is broken.

3) A CNAME is used as the target of the NS records for the zone. RFC 1912 section 2.4 specifically discourages the use of CNAMEs in NS records for the zone:

   Having NS records pointing to a CNAME is bad and may conflict badly
   with current BIND servers.  In fact, current BIND implementations
   will ignore such records, possibly leading to a lame delegation.
   There is a certain amount of security checking done in BIND to
   prevent spoofing DNS NS records.  Also, older BIND servers reportedly
   will get caught in an infinite query loop trying to figure out the
   address for the aliased nameserver, causing a continuous stream of
   DNS requests to be sent.
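
The three misconfigurations above can be checked offline once the NS record sets have been collected, for example with `dig NS <zone> @<parent-server>` and `dig NS <zone> @<authoritative-server>` and a lookup of each NS target. The following Python script is an added example and not part of the original solution: it parses dig-style answer lines and flags an inconsistent delegation, NS data that is an IP literal, and an NS target that resolves to a CNAME. All zone names, server names, addresses and the dig output below are constructed sample data.

```python
import ipaddress

# Constructed dig-style answer sections (sample data, not real zones).
# What the parent zone's name server returns for the delegation:
PARENT_DIG = """\
;; ANSWER SECTION:
example.test.\t\t3600\tIN\tNS\tns1.example.test.
example.test.\t\t3600\tIN\tNS\tns2.example.test.
"""
# What the zone's own authoritative server returns; it exhibits all three
# problems described in the Root Cause section.
CHILD_DIG = """\
;; ANSWER SECTION:
example.test.\t\t3600\tIN\tNS\tns1.example.test.
example.test.\t\t3600\tIN\tNS\t192.0.2.10
example.test.\t\t3600\tIN\tNS\talias.example.test.
"""
# Hypothetical lookup results for each NS target: (record type, data).
TARGET_RECORDS = {
    "ns1.example.test.": [("A", "192.0.2.1")],
    "ns2.example.test.": [("A", "192.0.2.2")],
    "alias.example.test.": [("CNAME", "ns3.example.test.")],
}


def parse_ns_rrset(dig_output):
    """Return the set of NS record data found in dig answer lines.

    Comment lines (starting with ';') are skipped; a record line is
    '<owner> <ttl> IN NS <rdata>' separated by whitespace.
    """
    rdata = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            rdata.add(fields[4])
    return rdata


def is_ip_literal(name):
    """True if the NS data is an IPv4/IPv6 address instead of a host name."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def check_delegation(parent_ns, child_ns, target_records):
    """Return a list of problems, each a tuple starting with a problem kind."""
    problems = []
    parent_ns, child_ns = set(parent_ns), set(child_ns)

    # 1) Parent and child disagree on the NS set: inconsistent delegation.
    if parent_ns != child_ns:
        problems.append(("inconsistent",
                         sorted(parent_ns - child_ns),
                         sorted(child_ns - parent_ns)))

    for ns in sorted(child_ns):
        # 2) NS data must be a domain name (RFC 1035 3.3.11), not an address.
        if is_ip_literal(ns):
            problems.append(("ip_in_ns", ns))
            continue
        # 3) An NS target that is a CNAME is discouraged by RFC 1912 2.4.
        for rtype, data in target_records.get(ns, []):
            if rtype == "CNAME":
                problems.append(("cname_ns_target", ns, data))
    return problems


def analyse(parent_dig, child_dig, target_records):
    """Convenience wrapper: parse both answers and run the checks."""
    return check_delegation(parse_ns_rrset(parent_dig),
                            parse_ns_rrset(child_dig), target_records)


if __name__ == "__main__":
    for problem in analyse(PARENT_DIG, CHILD_DIG, TARGET_RECORDS):
        print(problem)
```

Run against the sample data the script reports one finding per misconfiguration; a delegation whose parent and child NS sets match and whose targets all have A/AAAA records produces an empty list. The checks only describe what a BIND resolver will reject, so a clean result here does not prove the zone is otherwise healthy.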

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
