
bind9 and dns forward



Hello,

I have a Debian machine on my home network performing several functions. Two of those are dns server for my network at home and a VPN server to the company network.
To facilitate my use of the VPN to the company network I am also forwarding all dns requests for the company domain to the internal dns servers.
A few months ago we had a change in our external dns provider and they enabled secure dns.

After that I had some (security?) problems getting bind to forward to my internal dns servers. My guess was that somehow it would see the security for the domain at the .nl level and it would be different from the internal response at the tio.nl domain. My resolution at that time was simply to rely exclusively on the company dns servers and just use the internal ip number for the few devices I needed to access at home.
However, strangely enough when I went back a while later to test what was the real problem I could not reproduce it and I could once again resolve the normal dns requests against the internet dns servers and also forward the requests for the company servers to the company dns servers.

Today I did an upgrade from Buster to Bullseye and the problem is back. :-( Can someone help me analyze the errors and point to a way to find out what is really wrong?
We use different dns server(s) and zonefiles for the external dns environment from what we use internally. Company dns is Windows Server 2016 in case that is relevant.

Earlier in the day I had syslog lines like:
-----<Quote>----------------------
Apr 28 03:18:14 linbobo named[546]: DNS format error from 13.107.206.240#53 resolving outlook.ha.office365.com/TYPE65 for client 172.16.17.83#61019: Name trafficmanager.net (SOA) not subdomain of zone ha.office365.com -- invalid response
Apr 28 03:18:15 linbobo named[546]: FORMERR resolving 'outlook.ha.office365.com/TYPE65/IN': 13.107.206.240#53
-----<End Quote>----------------------
Which seems to be an error at Microsoft.

And regarding my connection to the company dns:
-----<Quote>----------------------
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.128.40#53 resolving staf.tio.nl/AAAA for client 172.16.17.11#65033: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.208.10#53 resolving staf.tio.nl/AAAA for client 172.16.17.11#65033: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.128.40#53 resolving om1stafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53605: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'om1stafdc-04.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:07:53 linbobo named[546]: DNS format error from 172.16.208.10#53 resolving om1stafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53605: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:53 linbobo named[546]: FORMERR resolving 'om1stafdc-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 12:07:54 linbobo named[546]: DNS format error from 172.16.128.40#53 resolving hglstafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53673: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:54 linbobo named[546]: FORMERR resolving 'hglstafdc-04.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:07:54 linbobo named[546]: DNS format error from 172.16.208.10#53 resolving hglstafdc-04.staf.tio.nl/AAAA for client 172.16.17.11#53673: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:07:54 linbobo named[546]: FORMERR resolving 'hglstafdc-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 12:08:06 linbobo named[546]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for client 172.16.17.11#52409: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 12:08:06 linbobo named[546]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 12:08:06 linbobo named[546]: DNS format error from 172.16.208.10#53 resolving vijl.staf.tio.nl/AAAA for client 172.16.17.11#52409: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
-----<End Quote>----------------------
I would like to know which error the Windows dns servers provide and what I need to do to get rid of these errors. However, in the end I DID get my response it seems, as my PC was able to connect to the servers via the dns name.

After the upgrade I have syslog lines like:
-----<Quote>----------------------
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving 'AMSSTAFDC-05.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving EINSTAFDC-04.staf.tio.nl/AAAA for 172.16.17.11#50761: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving 'EINSTAFDC-04.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving vijl.staf.tio.nl/AAAA for 172.16.17.11#58764: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 16:25:09 linbobo named[574]: validating vijl.staf.tio.nl/A: bad cache hit (staf.tio.nl/DS)
Apr 28 16:25:09 linbobo named[574]: broken trust chain resolving 'vijl.staf.tio.nl/A/IN': 172.16.128.40#53
Apr 28 16:25:09 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving vijl.staf.tio.nl/AAAA for 172.16.17.11#58764: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:25:09 linbobo named[574]: FORMERR resolving 'vijl.staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving '_udp.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving 'student.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving 'lb._dns-sd._udp.student.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving 'lb._dns-sd._udp.staf.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:26:27 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:26:27 linbobo named[574]: no valid RRSIG resolving '_udp.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:26:27 linbobo named[574]: broken trust chain resolving 'lb._dns-sd._udp.tio.nl/PTR/IN': 172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]: DNS format error from 172.16.128.40#53 resolving staf.tio.nl/AAAA for 172.16.17.11#56314: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:27:14 linbobo named[574]: FORMERR resolving 'staf.tio.nl/AAAA/IN': 172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:27:14 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.128.40#53
Apr 28 16:27:14 linbobo named[574]: DNS format error from 172.16.208.10#53 resolving staf.tio.nl/AAAA for 172.16.17.11#56314: Name tio.nl (SOA) not subdomain of zone staf.tio.nl -- invalid response
Apr 28 16:27:14 linbobo named[574]: FORMERR resolving 'staf.tio.nl/AAAA/IN': 172.16.208.10#53
Apr 28 16:27:14 linbobo named[574]:   validating tio.nl/SOA: got insecure response; parent indicates it should be secure
Apr 28 16:27:14 linbobo named[574]: no valid RRSIG resolving 'staf.tio.nl/DS/IN': 172.16.208.10#53
Apr 28 16:27:14 linbobo named[574]: broken trust chain resolving 'staf.tio.nl/A/IN': 172.16.128.40#53
-----<End Quote>----------------------

For everything regarding *.tio.nl I use a forward in named.conf.local like:
-----<Quote>----------------------
zone "tio.nl" IN {
        type forward;
        forward only;
        forwarders {172.16.128.40; 172.16.208.10;};
};
-----<End Quote>----------------------

And similar lines for each possible subdomain like staf.tio.nl

Can anyone tell me what I need to fix in order for this split dns to work correctly for me at home?
I may be totally wrong but, as the first problems started when we switched to dnssec on the external dns environment, it feels like that is related to the validation lines I see.
Is there a solution?

Bonno Bloksma
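Editor's note, added to this archived post and not part of the original message: the configuration below is one way to run a validating home resolver alongside a split-horizon forward of an externally signed domain. The zone name and forwarder addresses are the ones the post shows; the comments give the editor's reading of the logged errors, which the thread itself does not confirm. On Debian the `options` block belongs in named.conf.options and the zone in named.conf.local, as the post already does.

```conf
// Added example (not from the original post): BIND 9.16 configuration for a
// home resolver that forwards tio.nl to internal servers over the VPN while
// still validating DNSSEC for everything else.  Zone and addresses are from
// the post; the explanatory comments are the editor's reading of the logs.

options {
        // ... existing options (listen-on, allow-query, etc.) stay as they are.

        // Keep validation on for the rest of the Internet (default in 9.16).
        dnssec-validation auto;

        // The public tio.nl is signed (its parent .nl publishes a DS record),
        // but the internal Windows servers return unsigned answers, so data
        // obtained through the forward zone fails as "broken trust chain" /
        // "got insecure response; parent indicates it should be secure".
        // validate-except (BIND 9.13.3 and later, so present in Bullseye's
        // 9.16 but not in Buster's 9.11) makes named treat this subtree as
        // if no trust anchor covered it.
        // Trade-off: spoofed answers for names under tio.nl are no longer
        // detected by this resolver; the VPN tunnel to the forwarders is
        // what protects that path.
        validate-except { "tio.nl"; };
};

// A single forward zone at the apex covers staf.tio.nl, student.tio.nl and
// any other subdomain: named uses the closest enclosing forward zone.
// An additional "type forward" zone for staf.tio.nl makes named expect the
// SOA in a negative answer to belong to staf.tio.nl; the Windows servers
// answer with the tio.nl SOA instead, which matches the logged
// "Name tio.nl (SOA) not subdomain of zone staf.tio.nl" FORMERR.
zone "tio.nl" IN {
        type forward;
        forward only;
        forwarders { 172.16.128.40; 172.16.208.10; };
};

// Temporary alternative that needs no config change (RFC 7646 negative
// trust anchor; expires after one hour unless nta-lifetime is changed):
//   rndc nta tio.nl
//
// To see how the resolver judges a name with validation applied:
//   delv @127.0.0.1 staf.tio.nl A
```

After changing the configuration, `named-checkconf` and `rndc reload` apply it; `rndc nta -dump` lists any negative trust anchors that are still active, which is worth checking before concluding that a fix in named.conf is what made the errors disappear.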

