SERVFAIL - Transfer status and failed while receiving responses

CyberIT · 12-20-2022, 07:39 AM

Hello

I have an event taking place almost every day around 8:00am on DNS Secondary servers, but we don’t see these events for the rest of the day.

Code:

08:04:54.812 xfer-in: info: transfer of 'intlab.com/IN' from 10.13.13.10#53: Transfer status: SERVFAIL
08:04:54.812 xfer-in: error: transfer of 'intlab.com/IN' from 10.13.13.10#53: failed while receiving responses: SERVFAIL

08:04:54.811 xfer-in: info: transfer of '10.in-addr.arpa/IN' from 10.13.13.10#53: Transfer status: SERVFAIL
08:04:54.811 xfer-in: error: transfer of '10.in-addr.arpa/IN' from 10.13.13.10#53: failed while receiving responses: SERVFAIL

Code:

options {
    listen-on port 53 { 127.0.0.1; <%= @ipaddress_eth0 -%>; };
#    listen-on-v6 port 53 { ::1; };
    allow-query { localhost; any; };

    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    recursion yes;
    allow-recursion { localhost; any; };
    allow-transfer { none; };

    auth-nxdomain no;
    tcp-clients 300;
    filter-aaaa-on-v4 yes;

    transfers-in 30;

    edns-udp-size 4096;
    max-udp-size 4096;

    check-names slave ignore;
    check-names response ignore;

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;


#    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};


zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


zone "intlab.com" {
    type slave;
    file "/var/named/slaves/named.intlab.com";
    masters { 10.13.13.10; };
    allow-notify { none; };
    allow-query { any; };
    request-ixfr yes;
    masterfile-format text;
    forwarders {};
};

zone "10.in-addr.arpa" {
    type slave;
    file "/var/named/slaves/named.10.in-addr.arpa";
    masters { 10.13.13.10; };
    allow-notify { none; };
    allow-query { any; };
    request-ixfr yes;
    masterfile-format text;
};

I validate the servers and the zone transfers are up-to-date. Any help with this is much appreciated. Thanks!

bathory · 12-23-2022, 12:00 PM

Quote:

I have an event taking place almost every day around 8:00am on DNS Secondary servers, but we don’t see these events for the rest of the day.

08:04:54.812 xfer-in: info: transfer of 'intlab.com/IN' from 10.13.13.10#53: Transfer status: SERVFAIL
08:04:54.812 xfer-in: error: transfer of 'intlab.com/IN' from 10.13.13.10#53: failed while receiving responses: SERVFAIL

08:04:54.811 xfer-in: info: transfer of '10.in-addr.arpa/IN' from 10.13.13.10#53: Transfer status: SERVFAIL
08:04:54.811 xfer-in: error: transfer of '10.in-addr.arpa/IN' from 10.13.13.10#53: failed while receiving responses: SERVFAIL

Is there a cronjob running at 8:00am? Are you using cron at 8:00am in order to do AXFRs between master and slave? AXFRs should happen automatically as soon as a zonefile is modified.
You can also check the logs on both master and slave and see if you find anything.

Regards

elgrandeperro · 12-27-2022, 07:32 PM

SERVFAIL is strange. One reason is the zone is expired on the master server.

On the slave, what is the output of:

dig @10.13.13.10 -t axfr intlab.com

If the master is stealth, you need to declare it allow-notify. I think if it is listed as a NS server, then it implicitly defined.

compare the serial SOA of intlab.com on both master and slave. Are they the same? You can use dig to get the value, like:

dig @127.0.0.1 -t soa intlab.com (while logged into master or slave).

When you update intlab.com (and bump the serial number) does it appear right away?