# [SOLVED] bind-9 keeps crashing with Hetzner.de forwarder

## araxon

EDIT: solved by emerging net-dns/bind-9.14.7.

My bind servers hosted inside Hetzner.de have been crashing since their update to version 9.14.4. The crash can be reliable triggered by a particular query:

```
dig @localhost 114.141.6.213.in-addr.arpa PTR
```

The named.log has this to say about the issue:

```
24-Aug-2019 12:00:30.807 resolver: notice: DNS format error from 213.133.100.100#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral

24-Aug-2019 12:00:30.807 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.100.100#53

24-Aug-2019 12:00:30.808 resolver: notice: DNS format error from 213.133.98.98#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral

24-Aug-2019 12:00:30.808 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.98.98#53

24-Aug-2019 12:00:30.808 resolver: notice: DNS format error from 213.133.99.99#53 resolving 114.141.6.213.in-addr.arpa/PTR for client ::1#52596: non-improving referral

24-Aug-2019 12:00:30.808 lame-servers: info: FORMERR resolving '114.141.6.213.in-addr.arpa/PTR/IN': 213.133.99.99#53

24-Aug-2019 12:00:30.808 general: critical: resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace

24-Aug-2019 12:00:30.808 general: critical: #0 0x5571e42f6e40 in ??

24-Aug-2019 12:00:30.808 general: critical: #1 0x7f9d1e2844ca in ??

24-Aug-2019 12:00:30.808 general: critical: #2 0x7f9d1e42ed12 in ??

24-Aug-2019 12:00:30.809 general: critical: #3 0x7f9d1e431a69 in ??

24-Aug-2019 12:00:30.809 general: critical: #4 0x7f9d1e43662b in ??

24-Aug-2019 12:00:30.809 general: critical: #5 0x7f9d1e439d61 in ??

24-Aug-2019 12:00:30.809 general: critical: #6 0x7f9d1e43a7ed in ??

24-Aug-2019 12:00:30.809 general: critical: #7 0x7f9d1e43bc7c in ??

24-Aug-2019 12:00:30.809 general: critical: #8 0x7f9d1e2a1a7c in ??

24-Aug-2019 12:00:30.809 general: critical: #9 0x7f9d1ddf5458 in ??

24-Aug-2019 12:00:30.809 general: critical: #10 0x7f9d1dd2380f in ??

24-Aug-2019 12:00:30.809 general: critical: exiting (due to assertion failure)
```

213.6.141.114 is some spammer trying to send a mail using my system, hence the reverse lookup.

213.133.98.98, 213.133.99.99 and 213.133.100.100 are the forwarders from the service provider (Hetzner.de).

When I try using other forwarders, like 8.8.8.8, the problem disappears. It seems like the Hetzner.de DNS servers are sending some malformed packets. Still, the bind/named should not crash on a malformed packet.

If I try to reverse lookup other IPs, it works fine.

I managed to tcpdump the queries and responses (tcpdump port 53 -w file.pcap), but I don't see anything wrong there. The .pcap file is here.

Anyone else having these issues?

What can I do, except switching to other DNS forwarders?Last edited by araxon on Mon Oct 21, 2019 12:18 pm; edited 1 time in total

----------

## alamahant

What if you tried a simpler format like

```

dig @localhost -x 114.141.6.213

```

Or maybe dig directly the forwarders ans see what happens...

This is the output I get:

```

dig @localhost 114.141.6.213.in-addr.arpa PTR

; <<>> DiG 9.14.4 <<>> @localhost 114.141.6.213.in-addr.arpa PTR

; (2 servers found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10457

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: eb44009e30251f4679401aed5d6188d11ebcda8c69db40f0 (good)

;; QUESTION SECTION:

;114.141.6.213.in-addr.arpa.   IN   PTR

;; Query time: 4000 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Sat Aug 24 21:58:25 EEST 2019

;; MSG SIZE  rcvd: 83

```

----------

## Anon-E-moose

```
dig @localhost 114.141.6.213.in-addr.arpa PTR
```

I don't think this is a valid query

Edit to add: reverse lookup is usually done with -x ie dig -x 213.6.141.114

or to see what domain it belongs to whois -h whois.arin.net 213.6.141.114

```
dig -x 213.133.100.100 +noall +answer

; <<>> DiG 9.14.4 <<>> -x 213.133.100.100 +noall +answer

;; global options: +cmd

100.100.133.213.in-addr.arpa. 21565 IN   PTR   ns3-coloc.hetzner.com.
```

----------

## araxon

Thank you for your answer.

 *Anon-E-moose wrote:*   

> 
> 
> ```
> dig @localhost 114.141.6.213.in-addr.arpa PTR
> ```
> ...

 

That was the last query seen in bind query.log before it crashes.

 *Anon-E-moose wrote:*   

> 
> 
> Edit to add: reverse lookup is usually done with -x ie dig -x 213.6.141.114
> 
> 

 

That indeed generates the same query and crashes my named daemon.

 *Anon-E-moose wrote:*   

> 
> 
> or to see what domain it belongs to whois -h whois.arin.net 213.6.141.114
> 
> 

 

I do know who this IP is assigned to. It is some service provider in Palestine. This IP is not the problem. The problem is the crashing bind named on my server. It should not crash on any bogus input... Am I in a wrong place? Should this be submitted to the bugtracker?

 *Anon-E-moose wrote:*   

> 
> 
> ```
> dig -x 213.133.100.100 +noall +answer
> 
> ...

 

That is the resolver of my provider. I'm not sure what to do with it. This query resolves normally.

----------

## araxon

Thank you for your answer.

 *alamahant wrote:*   

> What if you tried a simpler format like
> 
> ```
> 
> dig @localhost -x 114.141.6.213
> ...

 

The IP address in this query is backwards. When I do dig @localhost -x 213.6.141.114, it generates the query mentioned in my first post and crashes my named.

 *alamahant wrote:*   

> 
> 
> Or maybe dig directly the forwarders ans see what happens...
> 
> 

 

I did try that. It generates the same answers as seen in the original pcap file and it does not crash my named, because my named is not involved when I query the forwarders directly.

```

phoenix ~ # dig @213.133.98.98 -x 213.6.141.114

; <<>> DiG 9.14.4 <<>> @213.133.98.98 -x 213.6.141.114

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40231

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;114.141.6.213.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:

6.213.in-addr.arpa.     81614   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     81614   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     81614   IN      NS      dns.paltel.net.

;; Query time: 0 msec

;; SERVER: 213.133.98.98#53(213.133.98.98)

;; WHEN: Sun Aug 25 06:46:18 CEST 2019

;; MSG SIZE  rcvd: 122

```

```

phoenix ~ # dig @213.133.99.99 -x 213.6.141.114

; <<>> DiG 9.14.4 <<>> @213.133.99.99 -x 213.6.141.114

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48711

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;114.141.6.213.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:

6.213.in-addr.arpa.     45607   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     45607   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     45607   IN      NS      dns.paltel.net.

;; Query time: 0 msec

;; SERVER: 213.133.99.99#53(213.133.99.99)

;; WHEN: Sun Aug 25 06:46:25 CEST 2019

;; MSG SIZE  rcvd: 122

```

```

phoenix ~ # dig @213.133.100.100 -x 213.6.141.114

; <<>> DiG 9.14.4 <<>> @213.133.100.100 -x 213.6.141.114

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11780

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;114.141.6.213.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:

6.213.in-addr.arpa.     81602   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     81602   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     81602   IN      NS      ns.paltel.net.

;; Query time: 0 msec

;; SERVER: 213.133.100.100#53(213.133.100.100)

;; WHEN: Sun Aug 25 06:46:30 CEST 2019

;; MSG SIZE  rcvd: 122

```

----------

## Anon-E-moose

It's not a bug (at least it's not a bind bug), the query works perfectly fine on my system (bind 9.14.4).

Is this a virtual machine? If so do you compile your own bind or are you using the hosts?

If you compile it yourself, I'd probably rebuild it (bind and tools), there's a problem but it's your system not bind, at least as far as this "query" or you've got a misconfigured named.conf.

I'm not sure why you're using @localhost directly. No matter where you get the answer from, it goes in the named cache, and if localhost is the first nameserver in resolv.conf it'll use that first.

```
$ dig -x 213.133.100.100 

; <<>> DiG 9.14.4 <<>> -x 213.133.100.100

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5413

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: 597efcc430daf240070ba7545d6266050558900453af48f0 (good)

;; QUESTION SECTION:

;100.100.133.213.in-addr.arpa.   IN   PTR

;; ANSWER SECTION:

100.100.133.213.in-addr.arpa. 86393 IN   PTR   ns3-coloc.hetzner.com.

;; Query time: 0 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Sun Aug 25 05:42:13 CDT 2019

;; MSG SIZE  rcvd: 120
```

The SERVER is my machine.

from resolv.conf

```
nameserver 127.0.0.1
```

If the answer is not in my named cache then it will send it to where it needs to, to get an answer then it goes in the cache.

Edit to add: what does "emerge -pv bind bind-tools" return

----------

## araxon

 *Anon-E-moose wrote:*   

> It's not a bug (at least it's not a bind bug), the query works perfectly fine on my system (bind 9.14.4).

 

It works for me too, when I change named.conf to use other forwarders (8.8.8.8 for example). But I do not want to change the forwarders and I certainly do not want my named to crash every so often. It is some combination of the query, one concrete forwarding server and current version of bind. It worked flawlessly with previous versions of bind, but sadly they are not in portage anymore.

 *Anon-E-moose wrote:*   

> Is this a virtual machine? If so do you compile your own bind or are you using the hosts?
> 
> 

 

It is physical hardware. Bind has been emerged from portage. And it is not only a problem on one server, I have another client, who has his server in Hetzner.de too, and that instance of bind experiences the same problems.

 *Anon-E-moose wrote:*   

> If you compile it yourself, I'd probably rebuild it (bind and tools), there's a problem but it's your system not bind, at least as far as this "query" or you've got a misconfigured named.conf.
> 
> 

 

I tried re-emerging it from portage and restarting the server to load all the new versions of all libraries, but the problem prevails. Named.conf remains unchanged from the previous version of bind, which worked fine.

 *Anon-E-moose wrote:*   

> I'm not sure why you're using @localhost directly. No matter where you get the answer from, it goes in the named cache, and if localhost is the first nameserver in resolv.conf it'll use that first.
> 
> ...
> 
> 

 

I use @localhost to go around other resolvers listed in /etc/resolv.conf, to isolate the issue and to be able to quickly confirm that it still exists.

I can certainly use other forwarders, or remove 127.0.0.1 and ::1 from /etc/resolv.conf altogether, but as the Authoritative DNS server provider for numerous domains I do need to continue running named and I do not like the idea of it crashing randomly. I would like the issue to be solved, rather than circumvented.

 *Anon-E-moose wrote:*   

> Edit to add: what does "emerge -pv bind bind-tools" return

 

```
phoenix ~ # emerge -pv bind bind-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] net-dns/bind-9.14.4::gentoo  USE="caps ssl zlib -berkdb -dlz -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -json -ldap -libressl -lmdb -mysql -odbc -postgres -python (-selinux) -static-libs -urandom -xml" PYTHON_TARGETS="python2_7 python3_6 -python3_5 (-python3_7)" 0 KiB

[ebuild   R    ] net-dns/bind-tools-9.14.4::gentoo  USE="ipv6 readline ssl -doc -gssapi -idn -libedit -libressl -xml" 0 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB

```

----------

## Anon-E-moose

 *araxon wrote:*   

> 
> 
> I did try that. It generates the same answers as seen in the original pcap file and it does not crash my named, because my named is not involved when I query the forwarders directly.
> 
> ```
> ...

 

That's not true, named is still involved, it just doesn't use the forwarders from named.conf or resolv.conf, it still uses the bind libraries, etc, along with the fact that the result of the query goes into the named cache. The query still gets resolved the same way, whether using @ directly or forwarders line in named.conf or nameserver in resolv.conf.

If it works directly then I suspect something in named.conf is likely your problem. It could be that previous versions of bind allowed certain things be done that it shouldn't have. 

As far as previous versions, if you haven't cleaned your distfiles directory, then you should have the tar files, you just need the ebuild.

Edit to add: If you really think it's a bug, then file a bug report. It's possible that there's a bug in the way named.conf is being handled.

ETA2: what does dig @localhost +trace -x 213.6.141.114 show?

----------

## araxon

I'm sorry, I've been traveling and didn't have the means to try this.

 *Anon-E-moose wrote:*   

> 
> 
> ETA2: what does dig @localhost +trace -x 213.6.141.114 show?

 

This seems to loop endlessly and never get to the query that would trigger the server to crash. Is the recursion disabled with +trace?

```
phoenix ~ # dig @localhost +trace -x 213.6.141.114

; <<>> DiG 9.14.4 <<>> @localhost +trace -x 213.6.141.114

; (2 servers found)

;; global options: +cmd

.                       518397  IN      NS      a.root-servers.net.

.                       518397  IN      NS      m.root-servers.net.

.                       518397  IN      NS      d.root-servers.net.

.                       518397  IN      NS      k.root-servers.net.

.                       518397  IN      NS      j.root-servers.net.

.                       518397  IN      NS      i.root-servers.net.

.                       518397  IN      NS      l.root-servers.net.

.                       518397  IN      NS      b.root-servers.net.

.                       518397  IN      NS      c.root-servers.net.

.                       518397  IN      NS      h.root-servers.net.

.                       518397  IN      NS      e.root-servers.net.

.                       518397  IN      NS      f.root-servers.net.

.                       518397  IN      NS      g.root-servers.net.

.                       518397  IN      RRSIG   NS 8 0 518400 20190912050000 20190830040000 59944 . a18HBLRxbDklfb/5azG80cAJFAwNd4luRiFgFM6QUhVNkCcYfHEPN86t H2TiEwxxwQE+gfKdMFc6F+2GT5MqMgJocYS4hxyai54iMtzN9/HzUxFQ IVeOWU2g2piycqavfFqMp4pfmbESjGj3zBs3BemvD8nS9JVc7PtDnYEN HJ6iYLCSZlLp3HPTOGqd2Kh9uBmujnsVqbUoVWT7H5vT3yblT2J3MdhV XcUYAwl8CneBJGql1VT1ZS5lvGriOnrRuX9evjgHlGZuRk5tiR8oc4aH ndEc28HdihJH4fmj6P0Zq2DnP3KOMV/voHCsF29hEyT3YhpCDng5U99E 994KgA==

;; Received 1137 bytes from ::1#53(localhost) in 0 ms

in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.

in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.

in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.

in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.

in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.

in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.

in-addr.arpa.           86400   IN      DS      47054 8 2 5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2

in-addr.arpa.           86400   IN      DS      53696 8 2 13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF

in-addr.arpa.           86400   IN      DS      63982 8 2 AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73

in-addr.arpa.           86400   IN      RRSIG   DS 8 2 86400 20190912000000 20190829230000 62701 arpa. Ajnfl8yM1UgcblIyVvot5MyhUVsXG9BdjbbWLzRSLe/xBModCGgVdQoa SyAk+Zzv5b3KeTJ3Ce4xNJYD2fr09OvuNQpcOhpSfRLo/STYv3ZZYhIF 1LCWdymkQBMB9+8CZvYZzU9jIO7YJpccUljh0Q+czKUnAA17VPpR79PC bmw22JOw0yOfwQtABY8DOxDoVgGzCr05hOBbJvKqS+gQ/T7HqplvWIvM 7My/QacDJny7WYH0WrDaq8V861GMWH9EDWzj/vVQQQdraLVRQEMdIRBu uS1sGVQ8geq9EqF2OLcz5RZPdi6S8DtJkfeXAX6JapnjcEuj9rEbg7Cr Vtj3Zg==

;; Received 867 bytes from 199.7.91.13#53(d.root-servers.net) in 11 ms

213.in-addr.arpa.       86400   IN      NS      ns3.afrinic.net.

213.in-addr.arpa.       86400   IN      NS      pri.authdns.ripe.net.

213.in-addr.arpa.       86400   IN      NS      tinnie.arin.net.

213.in-addr.arpa.       86400   IN      NS      sns-pb.isc.org.

213.in-addr.arpa.       86400   IN      NS      ns4.apnic.net.

213.in-addr.arpa.       86400   IN      NS      ns3.lacnic.net.

213.in-addr.arpa.       86400   IN      DS      20065 8 2 B01BBE15017A4B3CAF02FCEB1B75E440DC40241B91ECEA34E1100637 B6298436

213.in-addr.arpa.       86400   IN      RRSIG   DS 8 3 86400 20190906091348 20190815210003 37074 in-addr.arpa. dw2GNQvdUlnS1IGKbyXs90ro0AdkcMe6y4/MCice2U5gnefHwEExOXnO 72yTiBdM0Y37Kza8H4pubxyWiw/2KNQEa+2tqPS4oY5H41KV5O2Mn6I6 dJiPOdhOt4elBmSbGMt64jSvwen1w2L/l2brqLGHCorB7FIR9q1YGD9L 9Uw=

;; Received 494 bytes from 203.119.86.101#53(e.in-addr-servers.arpa) in 259 ms

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; Received 719 bytes from 2001:500:2e::1#53(sns-pb.isc.org) in 20 ms

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms

6.213.in-addr.arpa.     6858    IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     6858    IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     6858    IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 77 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 59 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 360 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 10 ms

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 62 ms

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 360 bytes from 193.0.9.6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 78 ms

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 61 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 360 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 62 ms

6.213.in-addr.arpa.     95928   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95928   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95928   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     95927   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     95927   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95927   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 75 ms

6.213.in-addr.arpa.     95927   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 63 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     95927   IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      dns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 198 bytes from 212.14.236.211#53(dns.paltel.net) in 60 ms

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 63 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     6857    IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     6857    IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     6857    IN      NS      ns.paltel.net.

;; BAD (HORIZONTAL) REFERRAL

;; Received 494 bytes from 212.14.226.73#53(ns.paltel.net) in 64 ms

6.213.in-addr.arpa.     172800  IN      NS      ns.ripe.net.

6.213.in-addr.arpa.     172800  IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     172800  IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     3600    IN      NSEC    60.213.in-addr.arpa. NS RRSIG NSEC

6.213.in-addr.arpa.     3600    IN      RRSIG   NSEC 8 4 3600 20190909161212 20190826144212 37090 213.in-addr.arpa. e7nQjUPeY2ZHhul2PnteW5WaT9BBiGTcWyqTCQXACq0C1f/CKV7XI9T+ UR2Uqy/K1TMLP/ghwDxapCuPUhtx77LzVdtUE0oweFwSv4JNvPK+5eat 2QAB1hWlLC00ix7a8m428SXlsN3RP0QFA2x5iIAR2Qc9i0fIsuntQFq3 AgY=

;; BAD (HORIZONTAL) REFERRAL

;; Received 339 bytes from 2001:67c:e0::6#53(ns.ripe.net) in 11 ms

6.213.in-addr.arpa.     95927   IN      NS      ns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      dns.paltel.net.

6.213.in-addr.arpa.     95927   IN      NS      ns.ripe.net.

;; BAD (HORIZONTAL) REFERRAL

dig: too many lookups

```

What does "BAD (HORIZONTAL) REFERRAL" mean? Is it mismatch in delegation of that particular domain?

----------

## Anon-E-moose

 *araxon wrote:*   

> What does "BAD (HORIZONTAL) REFERRAL" mean? Is it mismatch in delegation of that particular domain?

 

My understanding is it's a lookup across the domain, not down.

if domain a0, b0, c0, a0 calls b0 and b0 is supposed to call c0, instead it calls b1 which is on the same level as b0. 

You can google "bind BAD (HORIZONTAL) REFERRAL" for more info. 

As for why it doesn't get to the query you're interested in, it's probably "dig: too many lookups"

Edit to add: googling your original problem, it has happened in the past (older versions of bind) so maybe they reintroduced a bug, I haven't checked with bind itself to see if they have reports for the version you're using. You might check and maybe even file a bug report.

----------

## axl

have you ruled out CFLAGS and USE(flags) ?

I have 2 NS's without forward first and I see those kinds of records countless times during the day. Much-a-do about geo-location banning in my opinion, but the point is, bind shouldn't crap out because of it. a revdep-rebuild perhaps. sounds more like a pointer issue than anything else imho.

----------

## mwka

I can confirm this error - I have the very same problem on my server at Hetzner, since upgrading to bind 9.14.4. So I don't think it's a local issue.

----------

## araxon

 *mwka wrote:*   

> I can confirm this error - I have the very same problem on my server at Hetzner, since upgrading to bind 9.14.4. So I don't think it's a local issue.

 

I tried 9.14.5 and 9.14.6, but the problem remains unsolved.

I circumvented this issue by outright banning in iptables the few offending hosts, that tried to connect thus causing this "harmful" reverse lookup. Not really a solution.

----------

## araxon

There is this chap having the same problem: https://github.com/opnsense/plugins/issues/1497

He opened a bug report with ISC bind team two weeks ago, and the bug report went private:

 *Quote:*   

> It was set to private because it's probably a DoS-able vulnerability and they already had 2 reports but without crash dump or debug symbols of this error when I reported it to them.

 

Hopefully it will be fixed soon.

----------

## mwka

I reported the bug to the bind team and got the response that it should be fixed within 1 month.

----------

## araxon

Some new development...

The issue is now public.

The associated CVE is CVE-2019-6476.

----------

