> On Dec 10, 2:59 am, J de Boyne Pollard <J.deBoynePoll...@Tesco.NET>
> wrote:
>> DNAME records aren't the issue.  That's a complete red herring.  So,
>> also, is what characters are in the domain name.  Ironically, the
>> information for diagnosing the issue was in plain sight, in the event
>> log message itself.  Well done, therefore, for following the standard
>> problem reporting litany and giving the error messages that you see.
>> Here's the important part:
>>
>> AH> Data:
>> AH> 0000: cb a6 80 11 00 00 00 00   Ë¦€.....
>> AH> 0008: 00 00 00 00               ....
>
> This was why I posted the full log and not just the error code,
> because I could see the DNS data in there, but didn't have sufficient
> tuits to be able to decode it.
>
>> What's happening here is a combination of the fact that Lloyds TSB
>> uses content DNS servers that are not EDNS0 capable, and the fact that
>> you are using resolving proxy DNS servers that are EDNS0 capable.  A
>> quick query to 193.34.230.74 reveals that if it receives an EDNS0
>> query it responds with a "format error" response, which is what the
>> above DNS/UDP datagram actually decodes to.  So, first of all, if
>> Lloyds TSB were using better content DNS servers you wouldn't be
>> experiencing this problem.  Exacerbating the problem is the fact that
>> Lloyds TSB's response doesn't repeat the question in the query.  It is
>> this that is throwing off Microsoft's DNS server.  It's expecting to
>> have the question that it asked echoed back to it in the response.
>> But as you can see from the final four words in the aforegiven data,
>> there are no resource records *at all* in the response that Lloyds
>> TSB's content DNS servers are returning.  The question isn't being
>> echoed.  So when Microsoft's DNS server comes to decode the question
>> section, to check that the question returned is the same as the
>> question asked, it finds no question at all, and complains.
>
> Thanks.
>>
> [snip useful info]
>>
>> AH> The users trying to access that site get a DNS server failure
>> AH> response from Squid (our proxy).
>>
>> If you wish to have Microsoft's DNS server perform query resolution,
>> you really have a choice of three courses of action, probably none of
>> which you will find appealing, here:
>> * You could ask Lloyds TSB to get better content DNS servers, that
>> support EDNS0.
>> * You could ask Microsoft to make the resolving proxy part of its DNS
>> server more liberal when it comes to "format error" responses.
>> * You could tell your users that they aren't missing out on much by
>> not being able to use Lloyds TSB's WWW site.
>>
>> The alternative is to have some other resolving proxy DNS server
>> software perform query resolution for that domain name and its
>> subdomains.  This is where forwarding proxy DNS service, for
>> "lloydstsb.co.uk." and its subdomains, comes into play, as you've
>> already discussed.  That's a local fix.  But a service fix would be
>> better.
>
> Yes, we could add a "conditional forwarder" for that domain, and still
> use the root hints. I would be happy to do this, but would face
> questions about whether this would happen in the future.
>
> Could an alternative to be to switch off EDNS0 support in the DNS
> server itself?
>
> Thanks.
> Andrew.
I would suggest simply using a Conditional Forwarder for the domain,
but a general forwarder to the ISP works fine. If that is the case, I
don't expect you to see the error pop up again, so there would be no
need to create a Conditional Forwarder or disable EDNS0.
If "lloydstsb.co.uk" DNS servers are out of date, why should you
back-pedal to accommodate them or any other entity that can't keep up with
industry standards, such as EDNS0, which has been been around for at least 8
years now?
Your Forwarder to the ISP works. As I mentioned, that is normally the
recommended 'best practice' to configure. I wouldn't disable EDNS0 if
this is working.
Ace
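The twelve bytes in the event-log dump, and the two resolver behaviours the thread contrasts (a strict resolver that insists on the question being echoed, versus one that drops the OPT record and retries on a "format error"), can be worked through in code. The following is an added example written for this page; it is not code from any of the posters or from Microsoft's DNS server. It assumes a content server simulated in-process (`legacy_content_server`, a constructed stand-in for a server that does not understand EDNS0), uses the documented test address 192.0.2.1 as the answer, and takes the transaction ID 0xCBA6 from the dump.

```python
"""Decode the logged DNS datagram and model strict vs. liberal handling
of a FORMERR reply to an EDNS0 probe (added example, not the thread's code)."""
import struct

# Constructed input: the twelve bytes quoted from the Windows event-log
# "Data:" dump in the thread (cb a6 80 11 00 00 00 00 00 00 00 00).
LOGGED_RESPONSE = bytes.fromhex("cba680110000000000000000")

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
OPT_TYPE = 41            # RFC 2671 OPT pseudo-RR
A_TYPE, IN_CLASS = 1, 1


def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    return {"id": ident, "qr": (flags >> 15) & 1,
            "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(ident, name, edns=True, udp_payload=4096):
    """Recursion-desired A query; with edns=True an OPT RR is appended."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", A_TYPE, IN_CLASS)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL=extended-rcode/version/flags (all zero), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0) if edns else b""
    return header + question + opt


def question_section(msg):
    """Slice the single question (name + QTYPE + QCLASS) out of a message."""
    end = msg.index(b"\x00", 12) + 1 + 4     # name terminator, then 2+2 bytes
    return msg[12:end]


def check_response(query, response):
    """The strictness the thread attributes to Microsoft's resolver: same
    ID, QR set, and the question asked must come back in the reply."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        return False, "transaction ID mismatch"
    if not h["qr"]:
        return False, "QR bit not set"
    q = question_section(query)
    if h["qdcount"] == 0 or response[12:12 + len(q)] != q:
        return False, "question section missing or different"
    return True, h["rcode"]


def legacy_content_server(query):
    """Constructed stand-in for a content server without EDNS0 support: an
    OPT RR draws the reply seen in the log (flags 0x8011, all counts zero);
    a plain query is answered with one A record pointing at 192.0.2.1."""
    h = parse_header(query)
    if h["arcount"]:
        return struct.pack("!6H", h["id"], 0x8011, 0, 0, 0, 0)
    q = question_section(query)
    answer = (b"\xc0\x0c"                                   # pointer to name at offset 12
              + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4)
              + bytes([192, 0, 2, 1]))
    return struct.pack("!6H", h["id"], 0x8180, 1, 1, 0, 0) + q + answer


def extract_first_a(response):
    """Read the address out of the first answer RR (compressed owner name)."""
    rr = response[12 + len(question_section(response)):]
    rdlen = struct.unpack("!H", rr[10:12])[0]   # pointer(2)+type(2)+class(2)+ttl(4)
    return ".".join(str(b) for b in rr[12:12 + rdlen])


def resolve(name, server, ident=0xCBA6, liberal=False):
    """Probe with EDNS0. A strict resolver gives up on an unmatchable reply;
    a liberal one retries without OPT on FORMERR (the fallback RFC 6891
    later made normative)."""
    query = build_query(ident, name, edns=True)
    resp = server(query)
    ok, detail = check_response(query, resp)
    if not ok and liberal and parse_header(resp)["id"] == ident \
            and parse_header(resp)["rcode"] == "FORMERR":
        query = build_query(ident, name, edns=False)
        resp = server(query)
        ok, detail = check_response(query, resp)
    if not ok or detail != "NOERROR":
        return "SERVFAIL"
    return extract_first_a(resp)


if __name__ == "__main__":
    print(parse_header(LOGGED_RESPONSE))
    print(resolve("www.lloydstsb.co.uk", legacy_content_server))
    print(resolve("www.lloydstsb.co.uk", legacy_content_server, liberal=True))
```

Running it, the first line shows the dump decoding to a response with RCODE FORMERR and QDCOUNT (and every other count) zero, which is exactly what the quoted analysis describes: there is no question section for the resolver to compare against. The strict path then returns SERVFAIL, the liberal path retries without the OPT record and gets the address. The retry is what a resolver does per-query; the forwarder suggested in the thread sidesteps the problem by handing the whole lookup to another resolver instead. As a note from outside the thread, the switch Andrew asks about exists on the Windows DNS server as the EnableEDnsProbes setting (`dnscmd /Config /EnableEDnsProbes 0`), which stops the server sending OPT records at all.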