From: David Newman
Newsgroups: comp.protocols.dns.bind
Subject: Re: intermittent failures and queries sent over TCP
Date: Tue, 18 Aug 2020 18:12:45 -0700
To: Mark Andrews
Cc: bind-users@lists.isc.org

On 8/18/20 5:55 PM, Mark Andrews wrote:
> If you are getting RST responses check your firewall settings. RST is often forged
> when TCP is blocked. The root servers normally accept TCP connections.
>
> % dig +tcp gmail.com @a.root-servers.net +dnssec

Bingo. This query failed before adding a rule to the upstream firewall to allow outbound queries, and works now.

Thanks!

dn
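A small probe for the check suggested in the thread above, as an added example that is not part of the original posts: it sends one DNS query over TCP and tells a reset apart from a silent drop. The function names and the transaction ID are assumptions of this example, and unlike the quoted `dig` command it sends no EDNS/DNSSEC OK flag.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction ID, echoed back by the server

def build_query(name, qtype=1):
    """Encode a minimal DNS query: one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", TXID, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionResetError("peer closed before the full reply")
        buf += chunk
    return buf

def probe_dns_tcp(server, port=53, name="gmail.com", timeout=3.0):
    """Send one query over TCP and return 'ok', 'rst', 'timeout' or 'bad-reply'."""
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except (ConnectionRefusedError, ConnectionResetError):
        return "rst"      # reset seen: closed port, or a firewall forging RST
    except socket.timeout:
        return "timeout"  # packets silently dropped somewhere on the path
    if len(reply) < 4:
        return "bad-reply"
    txid, flags = struct.unpack("!HH", reply[:4])
    # QR bit (0x8000) set and matching ID means a real DNS response came back.
    return "ok" if txid == TXID and flags & 0x8000 else "bad-reply"

if __name__ == "__main__":
    print(probe_dns_tcp("a.root-servers.net"))
```

A result of `rst` from a resolver host while UDP queries to the same server succeed points at the outbound TCP/53 firewall rule discussed in the thread.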