
[public-dns-discuss] Re: Unable to resolve the MX snpl.com.np from public 8.8.8.8 dns



The problem seems to be that the responses from the authoritative servers for snpl.com.np for MX queries have so many DNSSEC signatures (for the additional records) that they exceed typical network packet sizes and are being fragmented, and those fragments are being blocked (probably by a firewall).

The authoritative servers are likely running BIND with a version earlier than 9.12 and getting the old default minimal-responses = true setting (in 9.12 the default was changed to false). Changing that setting would reduce the size of responses (by omitting Authority and Additional data that is not needed) so that they would no longer be fragmented.

As a workaround, we can switch configuration for the name servers for the domain to send queries via TCP, which will prevent fragmentation.

$ dig +dnssec +nocrypto +nocmd +norec a snpl.com.np @ns1.snpl.com.np.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28514
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;snpl.com.np.                   IN      A

;; ANSWER SECTION:
snpl.com.np.            3600    IN      A       202.166.193.202
snpl.com.np.            3600    IN      RRSIG   A 8 3 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; AUTHORITY SECTION:
snpl.com.np.            3600    IN      NS      ns2.snpl.com.np.
snpl.com.np.            3600    IN      NS      ns1.snpl.com.np.
snpl.com.np.            3600    IN      RRSIG   NS 8 3 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; ADDITIONAL SECTION:
ns1.snpl.com.np.        3600    IN      A       117.121.231.19
ns2.snpl.com.np.        3600    IN      A       182.93.94.133
ns1.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]
ns2.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; Query time: 309 msec
;; SERVER: 117.121.231.19#53(117.121.231.19)
;; WHEN: Mon May 06 06:35:38 EDT 2019
;; MSG SIZE  rcvd: 1320

$ dig +dnssec +nocrypto +nocmd +norec mx snpl.com.np @ns1.snpl.com.np.
;; connection timed out; no servers could be reached

$ dig +tcp +dnssec +nocrypto +nocmd +norec mx snpl.com.np @ns1.snpl.com.np.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58778
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;snpl.com.np.                   IN      MX

;; ANSWER SECTION:
snpl.com.np.            3600    IN      MX      20 mx1.snpl.com.np.
snpl.com.np.            3600    IN      MX      10 mx2.snpl.com.np.
snpl.com.np.            3600    IN      RRSIG   MX 8 3 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; AUTHORITY SECTION:
snpl.com.np.            3600    IN      NS      ns2.snpl.com.np.
snpl.com.np.            3600    IN      NS      ns1.snpl.com.np.
snpl.com.np.            3600    IN      RRSIG   NS 8 3 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; ADDITIONAL SECTION:
mx2.snpl.com.np.        3600    IN      A       182.93.94.134
mx1.snpl.com.np.        3600    IN      A       117.121.231.9
ns1.snpl.com.np.        3600    IN      A       117.121.231.19
ns2.snpl.com.np.        3600    IN      A       182.93.94.133
mx2.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]
mx1.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]
ns1.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]
ns2.snpl.com.np.        3600    IN      RRSIG   A 8 4 3600 20190515000000 20190214110733 7860 snpl.com.np. [omitted]

;; Query time: 321 msec
;; SERVER: 117.121.231.19#53(117.121.231.19)
;; WHEN: Mon May 06 06:37:41 EDT 2019
;; MSG SIZE  rcvd: 1974
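
The size arithmetic behind the diagnosis above, as an added example that is not part of the original message: it parses abridged, constructed copies of the quoted dig output, counts RRSIGs per section, and predicts whether each reply fits in a single IPv4 packet over UDP. The 1500-byte path MTU and the option-free 20-byte IPv4 header are assumptions, and `analyze` is a hypothetical helper name.

```python
import math
import re

# Assumptions, not from the original message: IPv4 header without options
# and a 1500-byte path MTU (plain Ethernet).
MTU, IP_HDR, UDP_HDR = 1500, 20, 8

# Constructed samples: abridged from the dig output quoted in the message.
A_REPLY = """;; ADDITIONAL SECTION:
ns1.snpl.com.np. 3600 IN A 117.121.231.19
ns2.snpl.com.np. 3600 IN A 182.93.94.133
ns1.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]
ns2.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]

;; MSG SIZE  rcvd: 1320
"""
MX_REPLY = """;; ADDITIONAL SECTION:
mx2.snpl.com.np. 3600 IN A 182.93.94.134
mx1.snpl.com.np. 3600 IN A 117.121.231.9
ns1.snpl.com.np. 3600 IN A 117.121.231.19
ns2.snpl.com.np. 3600 IN A 182.93.94.133
mx2.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]
mx1.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]
ns1.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]
ns2.snpl.com.np. 3600 IN RRSIG A 8 4 3600 [omitted]

;; MSG SIZE  rcvd: 1974
"""

def analyze(dig_text):
    """Count RRSIGs per section and predict IPv4 fragmentation over UDP."""
    section, rrsigs, size = None, {}, None
    for line in dig_text.splitlines():
        if m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif m := re.match(r";; MSG SIZE\s+rcvd: (\d+)", line):
            size = int(m.group(1))
        elif section and line.split()[3:4] == ["RRSIG"]:
            rrsigs[section] = rrsigs.get(section, 0) + 1
    if size is None:
        raise ValueError("no MSG SIZE line; the query probably timed out")
    # Each fragment carries its own IP header; fragment data is 8-byte aligned.
    per_fragment = (MTU - IP_HDR) // 8 * 8
    fragments = math.ceil((UDP_HDR + size) / per_fragment)
    return {"size": size, "rrsigs": rrsigs, "fragments": fragments}

if __name__ == "__main__":
    for name, text in (("A", A_REPLY), ("MX", MX_REPLY)):
        print(name, analyze(text))
```

Under these assumptions the 1320-byte A reply travels as one packet, while the 1974-byte MX reply needs two fragments, which matches the UDP timeout and the TCP success shown in the message.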

