is DNS reliable ?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 5 01:52:20 UTC 2000


Dariusz Zmokly wrote:

> hi !
>
> I have dns server with some virtual domains. Sometimes it is impossible
> to get dns answer for some zone from outside. So I wrote a script
> doing nslookup to six primary servers for Poland (pl.). This script
> was run hourly and tried to get addresses of all my domains from these
> dns servers.
>
> Well, I got strange results. 3 of 6 servers work as I thought they would
> work - show the same results as my local dns.
>
> But another 3 servers work more or less stochastically. Say, at 21:00
> server A says "can't find www.duli.pl: Non-existent host/domain"
>
> After an hour I got another answer and this time that server gives correct
> output.
>
> So I wonder if negative answers could be not reliable ? If server can't
> find information about particular domain in some amount of time would
> it send answer that this domain doesn't exist ? Or maybe I have some
> misconfiguration of dns here ?

Nslookup isn't good for this sort of thing. It often reports "no such
domain" instead of "server failed" because if it gets a SERVFAIL (server
failure, possibly transient) on its initial query, by default it generates
additional queries in accordance with its search algorithm, i.e. adding the
default domain and/or using the searchlist. These additional queries will
most likely receive NXDOMAIN (no such name) errors. Then, once the search
algorithm runs its course, nslookup reports the most recent error, i.e.
NXDOMAIN, back to the user, even though the original query got a SERVFAIL.
You can disable nslookup's search behavior by appending a "." to the query,
i.e. "www.duli.pl.", or by specifying the -nosearch option. Or, better yet,
use dig instead of nslookup. Any of these steps should allow you to
distinguish SERVFAIL answers from NXDOMAIN ones. This will tell you whether
there is something chronically wrong with the .pl servers, or whether they
are just getting transient errors trying to resolve names in your domains.

As for why the .pl servers might be intermittently returning SERVFAIL when
trying to query your domains, I don't know for sure, but I'd suspect that
they are occasionally having trouble contacting the authoritative servers for
those domains. If it is a network connectivity problem, then it'll be hard to
troubleshoot using your current methodology, since the answers are being
cached by the .pl servers and the records have somewhat high TTL values
(www.duli.pl's TTL, for instance, is set to a day). Querying 6 servers every
hour, with a TTL of a day, at any given time they are most likely all
answering from cached data. To troubleshoot intermittent query failures, it
might make more sense to perform these queries from an external source
directly to the authoritative servers, instead of going through caching
nameservers.

If you do determine that you are having network connectivity problems, and
you can't fix the root cause, you may want to consider setting up more slaves
than just the 1 you have currently -- on other networks, perhaps in different
parts of the country or in the world -- in order to improve the availability
of your DNS data.


- Kevin
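An added illustration of the masking Kevin describes (this is not code from his reply or from BIND): a stdlib-only Python script that sends a raw DNS query, reads the RCODE, and reproduces nslookup's search-list expansion so you can see a SERVFAIL on "www.duli.pl" turn into a reported NXDOMAIN, and how the trailing dot avoids it. The function and parameter names are my own, `udp_sender` is for running the same check against a real server, and `fake_sender` is a constructed stand-in for a flaky caching server.

```python
import socket
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query packet (RD set) for name/IN/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def response_rcode(packet):
    """RCODE is the low 4 bits of the flags word; QR (bit 15) must be set."""
    flags = struct.unpack("!H", packet[2:4])[0]
    assert flags & 0x8000, "not a DNS response"
    return flags & 0x000F

def udp_sender(server, timeout=3.0):
    """Return send(name) that queries one nameserver over UDP (real network use)."""
    def send(name):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (server, 53))
            return s.recvfrom(512)[0]
    return send

def fake_sender(rcodes):
    """Constructed stand-in for a caching server: rcode per name, else NXDOMAIN."""
    def send(name):
        q = build_query(name)
        return q[:2] + struct.pack("!H", 0x8180 | rcodes.get(name, NXDOMAIN)) + q[4:]
    return send

def candidate_names(name, searchlist):
    """nslookup-style expansion: absolute names as-is, else name then name+search domains."""
    if name.endswith("."):
        return [name]
    return [name + "."] + [f"{name}.{d.strip('.')}." for d in searchlist]

def resolve(name, searchlist, send):
    """Returns (what nslookup reports: last rcode, what matters: SERVFAIL if any seen)."""
    tried = []
    for cand in candidate_names(name, searchlist):
        tried.append(response_rcode(send(cand)))
        if tried[-1] == NOERROR:
            break
    worst = NOERROR if NOERROR in tried else SERVFAIL if SERVFAIL in tried else NXDOMAIN
    return RCODE_NAMES[tried[-1]], RCODE_NAMES[worst]
```

With `flaky = fake_sender({"www.duli.pl.": SERVFAIL})`, `resolve("www.duli.pl", ["duli.pl"], flaky)` gives `('NXDOMAIN', 'SERVFAIL')` while the absolute `"www.duli.pl."` gives `('SERVFAIL', 'SERVFAIL')`; swap in `udp_sender("<server ip>")` to run the same check against a real nameserver.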
