EDE: 22 (No Reachable Authority): (at delegation bl.xrbl.pl.)

Hi,
I’ve set up an rbldns server. When I’m trying to check A, TXT, SOA records at Google DNS everything works fine; when I’m checking via CF DNS I got EDE: 22

dig d.bl.xrbl.pl soa @1.1.1.1

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> d.bl.xrbl.pl soa @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation bl.xrbl.pl.)
;; QUESTION SECTION:
;d.bl.xrbl.pl. IN SOA

;; Query time: 2010 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Sep 20 22:46:24 CEST 2022
;; MSG SIZE rcvd: 72

dig d.bl.xrbl.pl soa @8.8.8.8

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> d.bl.xrbl.pl soa @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9835
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;d.bl.xrbl.pl. IN SOA

;; ANSWER SECTION:
d.bl.xrbl.pl. 300 IN SOA bl.xrbl.pl. hostmaster.xrbl.pl. 1663644673 3600 600 432000 300

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 20 22:46:29 CEST 2022
;; MSG SIZE rcvd: 88

Tested from 2 different locations:
dig +short CHAOS TXT id.server @1.1.1.1
"WAW"
dig +short CHAOS TXT id.server @1.1.1.1
"HAM"

Here the test with 1.1.1.1 shows the correct answer

Currently I receive:

dig  d.bl.xrbl.pl SOA @1.1.1.1

; <<>> DiG 9.10.6 <<>> d.bl.xrbl.pl SOA @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;d.bl.xrbl.pl.			IN	SOA

;; ANSWER SECTION:
d.bl.xrbl.pl.		286	IN	SOA	bl.xrbl.pl. hostmaster.xrbl.pl.

But I’m not sure all is right in the world WRT the authoritative nameservers.

https://dnsviz.net/d/d.bl.xrbl.pl/dnssec/

Cloudflare practices query minimization, which could also be a factor here with what appears to be a lame delegation for bl.xrbl.pl.

@milk knows more about the obscure DNS stuff than I do, but that’s my hot take FWIW.

AFAIK xrbl.pl, like so many other providers of DNS-based block lists, is blacklisting 1.1.1.1.

And possibly VeriSign uses 1.1.1.1 these days as well, thus their replies are also being blocked :slight_smile:

That’s the way to get it to work :wink: It’s pointed out in many tutorials.

I created that DNS-based block list a few days ago & I’m not blocking anything coming from 1.1.1.1, 1.0.0.1 and IPs related to CF DNS.

As in my first test with DigWebInterface and in cscharff’s test, it works with 1.1.1.1, but my dig tests from the “HAM” and “WAW” locations in the first post show an error. Looks like a geo-based problem.
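
Added example, not part of any post in this thread: a Python sketch that pulls the Extended DNS Error option (EDNS option code 15, RFC 8914) out of a raw DNS response, which is where dig gets the `EDE: 22 (No Reachable Authority)` line. The function names are this example's own, and the sample message is constructed from the values in the first dig output (id 41499, SERVFAIL, udp 1232, 72 bytes), not captured from the wire.

```python
import struct

# Subset of the RFC 8914 info-code registry; 22 is the code in the dig output above.
EDE_NAMES = {22: "No Reachable Authority", 23: "Network Error"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def extract_ede(msg):
    """Return (rcode, [(info_code, name, extra_text), ...]) for a DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    errors = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        if end > len(msg):
            raise ValueError("record runs past end of message")
        while rtype == 41 and off + 4 <= end:   # OPT pseudo-record: walk its options
            code, olen = struct.unpack_from("!HH", msg, off)
            if off + 4 + olen > end:
                raise ValueError("option runs past end of OPT record")
            if code == 15 and olen >= 2:         # option 15 = Extended DNS Error
                info = struct.unpack_from("!H", msg, off + 4)[0]
                text = msg[off + 6:off + 4 + olen].decode("utf-8", "replace")
                errors.append((info, EDE_NAMES.get(info, "unknown"), text))
            off += 4 + olen
        off = end
    return flags & 0x000F, errors          # low 4 RCODE bits (2 = SERVFAIL)

def build_sample():
    """Constructed 72-byte response mirroring the SERVFAIL dig output above."""
    qname = b"".join(bytes([len(l)]) + l for l in b"d.bl.xrbl.pl".split(b".")) + b"\x00"
    header = struct.pack("!6H", 41499, 0x8182, 1, 0, 0, 1)   # qr rd ra, SERVFAIL
    text = b"at delegation bl.xrbl.pl."
    option = struct.pack("!HHH", 15, 2 + len(text), 22) + text
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    return header + qname + struct.pack("!HH", 6, 1) + opt_rr   # QTYPE SOA, IN

if __name__ == "__main__":
    print(extract_ede(build_sample()))
```

Logging the info-code and extra text per resolver location makes it easier to tell a location-specific reachability failure from a zone-wide one.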