SERVFAIL for securebanking.myrams.com.au

I recently switched ISPs to get IPv6. I get 19/20 at https://ipv6-test.com/ and have asked my ISP about getting some reverse DNS records for that final 5%…

With my new ISP, I’ve noticed that https://securebanking.myrams.com.au no longer works. I visit https://www.rams.com.au, select “Login” in the top right. Instead of the login screen I expect, I get a Chrome error page with ERR_NAME_NOT_RESOLVED.

I’ve experimented with enabling and disabling IPv6 on my router. The site works when my connection is IPv4-only, and fails when I have both IPv4 and IPv6 enabled (dual stack). My router does not support IPv6-only.

The myrams.com.au domain uses dnsmadeeasy.com, but securebanking.myrams.com.au is delegated to securebanking.myrams.gslb1.myrams.com.au and securebanking.myrams.gslb2.myrams.com.au. These servers appear to be limited to IPv4-only and UDP-only. Otherwise, they reply as I’d expect:

$ for ns in securebanking.myrams.gslb{1,2}.myrams.com.au; do kdig "@${ns}" securebanking.myrams.com.au aaaa; done
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 718
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 23:00:18 AEDT
;; From [email protected](UDP) in 15.9 ms
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8905
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 23:00:18 AEDT
;; From [email protected](UDP) in 16.5 ms

I’ve provided the following as requested in the Read Me First post.

  1. Cloudflare’s diagnostic tool results:
  1. Query against Cloudflare’s Public DNS, showing the SERVFAIL:
$ for ns in 1.1.1.1 1.0.0.1 2606:4700:4700::{1111,1001}; do kdig "@${ns}" securebanking.myrams.com.au aaaa; dig "@${ns}" +short id.server chaos txt; done
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 48063
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:35:27 AEDT
;; From [email protected](UDP) in 25.5 ms
"SYD"
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 1639
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:35:27 AEDT
;; From [email protected](UDP) in 15.9 ms
"SYD"
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 21681
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:35:27 AEDT
;; From 2606:4700:4700::[email protected](UDP) in 163.7 ms
"BNE"
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 62361
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:35:27 AEDT
;; From 2606:4700:4700::[email protected](UDP) in 31.1 ms
"BNE"
  1. Query against Google’s Public DNS, showing the expected NOERROR.
$ for ns in 8.8.8.8 8.8.4.4 2001:4860:4860::{8888,8844}; do kdig securebanking.myrams.com.au aaaa "@${ns}"; done
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 12839
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:37:51 AEDT
;; From [email protected](UDP) in 24.5 ms
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 34598
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:37:51 AEDT
;; From [email protected](UDP) in 21.4 ms
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8444
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:37:52 AEDT
;; From 2001:4860:4860::[email protected](UDP) in 22.8 ms
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24836
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA

;; Received 45 B
;; Time 2021-10-18 22:37:52 AEDT
;; From 2001:4860:4860::[email protected](UDP) in 15.5 ms
  1. Information about your network block, aka my IP addresses:
$ kdig -4 +short @ns3.cloudflare.com whoami.cloudflare.com txt
"58.84.147.177"
$ kdig -6 +short @ns3.cloudflare.com whoami.cloudflare.com txt
"2001:4479:1001:2000:216:3eff:fe40:1b8c"
  1. DNSViz link (shows that the leaf, load-balancing nameservers are not reachable over TCP):

https://dnsviz.net/d/securebanking.myrams.com.au/dnssec/

I suppose it’s up to the resolver to either return a SERVFAIL or an empty response when the origin DNS server does not reply. Knot Resolver v5.4.1 returns NOERROR with an AAAA request to securebanking.myrams.com.au; Unbound v1.13.2 returns a SERVFAIL.

On your dual-stack connection, does the website fail to load when using 1.1.1.1? And does it work on 8.8.8.8? If it only fails to load when it receives a SERVFAIL for the AAAA record, I suppose it’s better to return an empty response for Cloudflare.

Yes and yes.
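
As an added example (not part of the original thread), this shell script condenses kdig output like that posted above into one result per server and flags the case discussed here, where some resolvers return SERVFAIL and others an empty NOERROR answer for the same AAAA query. The sample responses and their 192.0.2.1 and 198.51.100.1 addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise kdig output on stdin as
# "<server> <result>" lines; NOERROR with ANSWER: 0 is reported as NODATA.
summarise_kdig() {
  awk '
    /->>HEADER<<-/ {                      # header line carries the rcode
      status = "UNKNOWN"
      if (match($0, /status: [A-Z]+/))
        status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; Flags:/ {                        # flags line carries the answer count
      answers = -1
      if (match($0, /ANSWER: [0-9]+/))
        answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    /^;; From / {                         # last line of each response
      server = $3
      sub(/@.*/, "", server)
      if (status == "NOERROR" && answers == 0) status = "NODATA"
      print server, status
    }'
}

# Succeeds (exit 0) when the summary mixes SERVFAIL with any other result,
# i.e. the resolvers disagree about the same name and type.
resolvers_disagree() {
  awk 'NF && $2 == "SERVFAIL" { fail = 1 }
       NF && $2 != "SERVFAIL" { other = 1 }
       END { exit !(fail && other) }'
}

# Constructed sample: two responses in kdig format, documentation addresses.
sample_output() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 1
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA
;; Received 45 B
;; From 192.0.2.1@53(UDP) in 25.5 ms
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 2
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; securebanking.myrams.com.au.         IN      AAAA
;; Received 45 B
;; From 198.51.100.1@53(UDP) in 24.5 ms
EOF
}

sample_output | summarise_kdig
if sample_output | summarise_kdig | resolvers_disagree; then
  echo "resolvers disagree: check the authoritative servers"
fi
```

To use it on live data, pipe the output of a kdig loop like the ones above into `summarise_kdig` in place of `sample_output`.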
