Domains in shambles

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
Thank you for your insight!
I think "carelessly configured" and "Domain in shambles" might be a bit harsh.
I would prefer more constructive information.
Could you give more details of your specific "odd DNS errors"?
Steps to recreate possibly.
What are you seeing?
What DNS addresses you are attempting to access?
I would be happy to dig into the issue further.
We do have some crazy and complicated redirecting for various things and it is easy for it to get tangled with the slightest changes.
The errors on your links seem to point to UDP errors at the APEX if I am reading it correctly, however I am unfamiliar with this tool and could be interpreting it wrong. I am not sure how that is relevant.
From your perspective, what is this tool telling you is wrong and how does it relate to the specific issues you are experiencing?
I look forward to helping solve this issue.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
There's an SOA "glue" mismatch. But most of those errors are responsiveness to UDP queries, which given the era of UDP amplification attacks we live in is hardly what I would call "careless". Also note: That website is presenting 8-month-old data!
 

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
Thank you, I will look into that!
 

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
I did look into the SOA glue and I am unable to see any issues at the moment. However, I did do some cleanup on the record earlier and may have fixed whatever was causing the issue. If you still see it, please share so I can dig deeper.
 

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
Found the glue issue you were seeing. It is fixed and should resolve itself.
 

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
I believe this will resolve all the issues found. Thank you all for letting us know.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Hello,

I have been getting the odd DNS error when accessing iXsystems. Turns out that the DNS servers are carelessly configured.

Examples: (Although this tool is designed to spot DNSSEC problems it is great at identifying other serious misconfigurations).



And people wonder why I have six different custom Icinga scripts that check various facets of nameservice for errors.
 

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
Sorry if I was a bit harsh. I thought the dnsviz.net diagnostics would be self-explanatory.

I know that with all the security implications DNS is becoming a messy business.

In my case the worst problem was the servers rejecting requests, which were making queries fail. I am sure it affected others as well.

Seems to be all clear now!

And my apologies for the harsh tone, sometimes I am chasing lots of people about these issues!
 

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
And people wonder why I have six different custom Icinga scripts that check various facets of nameservice for errors.

Yes, it's getting very complicated. To make matters more complex (and actually better) the new BIND releases to be rolled out during 2022 disable even more workarounds for buggy or misconfigured authoritative servers. So expect trouble to increase.

It's a good idea to keep an eye on dnsviz.net (even when not using DNSSEC) and this page:

 

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
Oops, still a minor problem there.


Not a pressing issue but it may cause trouble in the future! It works even for BIND 9.17 (the development version that just got stricter with standard compliance) though.
 