
Fixing "unexpected RCODE (SERVFAIL)" and "unexpected RCODE (REFUSED)"

Wednesday 26 January 2011, 18:55

This is another one where I searched the net, the answers I found were very unhelpful, and so I'm posting what worked for me for the benefit of anyone making similar searches.

The problem: new ADSL connection from MTS Allstream, which is the deregulated ghost of the Manitoba telecom monopoly. Works pretty well, except they do that damn misguided "helpful" redirection of failed DNS requests to a search engine, thereby screwing up all non-Web activities that depend on the DNS actually working according to the protocol. They offer opt-out but that doesn't work. So I set up my own caching DNS server and everything seemed fine... except just a few Web sites wouldn't work. Always the same sites; little or no rhyme or reason to which ones they were. Penny Arcade, Weather Underground, the Canada Revenue Agency, and the CBC, were the most annoying examples. The browser would hang, trying to connect, forever.

Digging through the system logs revealed lines like these:

Jan 25 11:34:38 tetsu named[1613]: unexpected RCODE (SERVFAIL) resolving 'art.penny-arcade.com/A/IN': 72.52.2.1#53
Jan 25 11:37:55 tetsu named[1613]: unexpected RCODE (REFUSED) resolving 'cbc.radio-canada.ca/A/IN': 207.164.234.37#53

Searching on the Web produced many people complaining about error messages like these, and the following answers on how to resolve it:

  • "You must be the authoritative server for these domains, and you haven't given BIND the correct path to the zone files." No, I am not the authoritative server for these domains.
  • "You must be the authoritative server for these domains, and someone on the Net is trying to break into your nameserver." No, I really am not the authoritative server for these domains, the failing requests are coming from an authorized user on localhost (namely me), and incoming unauthorized DNS requests would be stopped at the firewall anyway.
  • "The remote authoritative servers for these domains are misconfigured and you must contact the admins and tell them to fix the problem." Yes, I REALLY HAVE THE TIME AND ABILITY TO CONVINCE EVERY ADMINISTRATOR OF A MISCONFIGURED NAMESERVER ON THE ENTIRE INTERNET TO FIX THEIR CONFIGURATIONS BECAUSE THEY WILL ALL LISTEN TO ME! Also, of course, I can contact these administrators by pure mental telepathy, since my computer cannot connect to theirs to send them email.

Clearly, none of these answers was helpful. Here's the actual answer: The MTU on my Ethernet connection was set to the default of 1500. Packets that size cannot pass through the ADSL connection; and to make matters worse, MTS apparently drops ICMP traffic (this could be my fault because it may be happening at the firewall box, which is theirs but was reconfigured by me), so that Path MTU Discovery (which would automatically adjust the setting) doesn't work. It wasn't really anything specific to DNS, but would cause subtle effects in a lot of places; DNS was just the most visible thing failing. Solved by changing my MTU to 1400; there may be some slightly larger number that will work (I'll experiment), but 1500 evidently is too big. It appeared only, but consistently, on a few domains, because those were the ones where the DNS query or its answer (which would generally be consistent per domain) happened to both exceed the ADSL connection's real MTU and not be fragmented anywhere else in the network.
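To narrow down the "slightly larger number that will work", the search can be scripted. The following is an added example, not part of the original post: it binary-searches for the largest MTU that passes with the Don't Fragment bit set, assuming Linux iputils `ping` (`-M do`, `-s`) and that ICMP echo itself gets through the path; the function names `probe` and `find_path_mtu` are hypothetical.

```shell
#!/bin/sh
# Find the largest IPv4 MTU that reaches a host without fragmentation.
# Assumption: Linux iputils ping (-M do sets Don't Fragment, -s sets the
# ICMP payload size, -W is the reply timeout in seconds).

# probe HOST PAYLOAD -> exit 0 if an unfragmented echo of that size is answered.
# Redefine this function with another probe if ICMP echo is filtered on the path.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW_MTU] [HIGH_MTU]
# Prints the largest working MTU; returns 1 if even LOW_MTU does not pass.
find_path_mtu() {
    host=$1
    lo=${2:-576}      # conservative floor to start from
    hi=${3:-1500}     # Ethernet default, the value that failed in the post
    overhead=28       # 20-byte IPv4 header + 8-byte ICMP header

    # The floor has to work, otherwise the path is broken in some other way.
    probe "$host" $((lo - overhead)) || return 1

    # If the ceiling works there is no MTU problem towards this host.
    if probe "$host" $((hi - overhead)); then
        echo "$hi"
        return 0
    fi

    # Invariant: lo passes, hi is silently dropped. Halve the gap each round.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" $((mid - overhead)); then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}
```

Run it as `find_path_mtu <host>` against a host on the far side of the ADSL link; a result below 1500 on a path where no ICMP "fragmentation needed" errors come back matches the failure described above.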

Groping toward connectivity

Wednesday 5 January 2011, 15:28

MTS telephone and DSL up and running. I have to say again that they were a lot easier to deal with than Bell or Execulink. I am typing this on the laptop - just plugged it in and grabbed a DHCP lease and it worked. A little worrying that it hasn't yet asked me to enter any kind of authentication information; I don't know if that means it's the box labelled "Actiontec" (probably a router plus modem, but not labelled as to its function) doing the authentication, or if I'll have to figure out the authentication protocol once the current lease expires.

Normal mail delivery, and things like the chart service, won't resume until I get my main computer unpacked and set up; but at least now I feel comfortable transferring big and sensitive information with the laptop in a way I didn't want to do while I was a guest on my neighbour's wireless. (Thank you, neighbour!)

ETA: Shortly after the MTS installer left, the apartment management put my completed lease papers under my door, and that enabled me to finally go pick up the package that Canada Post has been holding for me since December 31 (I needed the lease to prove I really live here). The package turns out to be a DSL modem from MTS. So now I have two.

ETA: Desktop machine up now. Not networked, and the firewall isn't up yet, so I'm still typing this from the laptop. There was a scary moment there where I couldn't remember my own password on the main user account (it is, naturally, a password used nowhere else, and I hadn't had a chance to use it since taking the machine down in December); but I still had root, and remembered the missing password before I needed to seriously think about setting a new one anyway, so that was okay.

ETA: Bit of a snag here. The firewall machine doesn't want to boot, at all. When power is applied, the power light doesn't come on; neither does the power button work. But the power supply is producing what look like the right voltages, and if there's a USB key inserted, the light on that flashes, so there's definitely some power getting through. It's possible that the bumping and temperature cycling of the move dislodged something and I can fix it by carefully re-seating all connectors. I sure hope that's the issue, because I'm not sure of much else that could cause these symptoms while still being fixable.

Gerard Kennedy on copyright, other issues

Thursday 24 June 2010, 10:42

Last night I attended a meeting called the "Community Council on Federal Issues," hosted by Gerard Kennedy, Liberal Member of Parliament for Parkdale-High Park and my Federal elected representative. I didn't vote for him; never mind whether I would have, I was living in a different city at the time of the last election. Apparently he holds these meetings periodically as a way of keeping in touch with constituents; this one in particular was advertised as having a focus issue of "Locked out? New Federal copyright laws and you," which was what drew my interest. I didn't take notes and don't plan to report on the entire meeting, but will cover a few points of interest to me.

Rogers annoyance

Friday 18 June 2010, 14:34

It turns out that although I thought I was connected to the Net again, all outgoing email from my system was being queued until a few minutes ago, because I use a third-party SMTP provider (for which I pay a fee) rather than trusting any connection provider with my email. Rogers blocks outgoing port 25 connections, in an effort to force their customers to use their servers, presumably as an anti-spam measure. This does not please me at all, especially on top of the DNS problems already noted. A complaint has been filed. Seriously considering telling them to go fuck themselves, never mind that I just paid an installation fee I'd be unlikely to get back.

Back on the air

Wednesday 16 June 2010, 12:01

I'm posting this over the new cablemodem connection. The installation went reasonably well; the installer as such came in and did his job and didn't give me a hard time about not having a consumer-level computer setup. There was an extra guy called the "Inspector" who seemed to theoretically be there to rate the installer's performance, but actually just spent an hour watching me play Freecol while the installer hooked up the wires. I could have done without that and no doubt the installer could have too, but whatever.

IP connectivity even easier than with the DSL, because the cable modem provides a DHCP lease directly over Ethernet, whereas the DSL I'd been using was PPPoE. But every silver lining has its thorn, and it's probably a good thing I didn't discover this one until after the installer and the inspector left, because there would have been nothing they could do about it and they didn't need to hear my cussing at their bosses.