dns server error(2) for specific sites (eg www.email.iwon.com)

Mathias Körber mathias at koerber.org
Tue Oct 10 01:42:35 UTC 2000


> Would appreciate any thoughts on this interesting problem. I am running
> a dns server on HPUX10.20. Everything works fine until I try to connect
> to some sites like www.email.iwon.com where the client(10.200.200.25)
> sends out a request to the dns server ( 10.100.1.5). The server in turn
> queries a dns server (209.185.253.230) on the internet which replies
> with an ANSWER COUNT of 0. Hence it responds with a server Error (2)

Could you give some more info on your setup? Your nameserver does have
direct access to the Internet (i.e. a public IP address, either on one
of its own interfaces or statically translated on your NAT router), no?

An example output of the query and answer (use dig) made on the server
would be good:

	$ dig www.email.iwon.com a

>
> If I manually configure the client to use the above address
> (209.185.253.230) as the dns server the connection fails.

That should fail, as your client uses RFC1918 private IP addresses (10.x.x.x)
and thus cannot directly contact any host on the Internet. You will have to
have either NAT or use a local nameserver which can see the private and the
public network (as your local server should do).
>
> If I use another dns server address on the internet the connection
> works. My question is :
> 1. Why does this happen ? Where and how does my hp DNS server get this
> internet dns server ip address of 209.185.253.230 from ? This is not in
> the db.cache file !

Sure it is not in the db.cache file. The db.cache file should contain a
list of root-nameservers only, with which your nameserver primes itself.
The first thing it will do is query one of those to find the updated list
of root-nameservers for further use.

It later gets the nameserver you see as part of the resolution for
www.email.iwon.com.
You may want to get a copy of the book "DNS and BIND" by Albitz/Liu (O'Reilly)
3rd edition [I hear a 4th edition is coming though], which explains this in
good detail.

In fact, that nameserver is one of the two nameservers to whom the iwon.com
zone is delegated.

	$ dig iwon.com ns
	;; ANSWER SECTION:
	iwon.com.               1d21h35m48s IN NS  SCA03.AUTH.DNS.EXODUS.NET.
	iwon.com.               1d21h35m48s IN NS  SCA04.AUTH.DNS.EXODUS.NET.

	;; ADDITIONAL SECTION:
	SCA03.AUTH.DNS.EXODUS.NET.  1d17h47m56s IN A  209.185.253.230
	SCA04.AUTH.DNS.EXODUS.NET.  1d17h47m56s IN A  216.32.104.10


> 2. How do I configure my NMS server to use a particular DNS server
> address in the internet that I know is reliable.

If you want to force your NMS server to use a good nameserver for a specific zone
only, you could
	a) set up that zone as type forward and point to that known nameserver as forwarder.
	   This will only work with BIND-8.2.2-p5 or BIND-9. Note that you run the risk that
	   the zone gets moved to a different set of nameservers w/o your knowledge and then
	   queries will likely start to fail.
	b) set your own nameserver up as a secondary for that zone and thus always have
	   good data on that zone locally available. This however requires the administrator of
	   that zone to allow you to obtain the zonetransfer...

If you want to use some other nameserver on the Internet for *all* your queries:
	a) Don't. It is bad form to use someone else's resources, especially for continued
	   use without their permission.
	b) You also would not want to use any nameserver far away from you, as it would only increase
	   your resolution time *and* force many intermediate hops to carry your DNS traffic needlessly.
	c) Your ISP might allow you to use their nameserver for resolution purposes as part of your
	   contract. Ask them. Then you configure that nameserver as forwarder for your NMS server
	   so that all queries go there.
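As an added example (not part of Mathias's message, and not a configuration from the original thread), here is how the per-zone options a) and b) and the ISP-forwarder option c) look in a BIND 9 named.conf. The two iwon.com nameserver addresses (209.185.253.230 and 216.32.104.10) are the ones shown in the dig output above; the ISP resolver 192.0.2.53, the placeholder zone example.org and its primary 192.0.2.1 are assumed values from the documentation address range and must be replaced with real ones.

```conf
// Added example named.conf fragment (BIND 9 syntax), not from the original message.
// Only 209.185.253.230 and 216.32.104.10 come from the thread; every other
// address and zone name below is a placeholder.

options {
    directory "/var/named";

    // Option c) for *all* queries: forward to the resolver your ISP permits
    // you to use. 192.0.2.53 is a documentation-range placeholder.
    forwarders { 192.0.2.53; };

    // "forward first" tries the forwarder and falls back to normal
    // recursion if it does not answer; "forward only" would never fall back,
    // so a dead forwarder would turn every lookup into SERVFAIL.
    forward first;
};

// Root hints: this is the db.cache file discussed above. It is the only
// fixed list the server needs; the iwon.com nameservers are learned from
// the delegation chain, not from this file.
zone "." {
    type hint;
    file "db.cache";
};

// Option a) for one zone: send queries for iwon.com straight to the servers
// the zone is delegated to. Needs BIND 8.2.2-p5 or BIND 9 for forward zones.
// Caveat from the message: if the delegation moves elsewhere, these queries
// start to fail until this list is updated by hand.
zone "iwon.com" {
    type forward;
    forward only;
    forwarders { 209.185.253.230; 216.32.104.10; };
};

// Option b) for one zone: keep a local secondary copy instead, so the data
// is served from disk even when the remote servers are unreachable. This only
// works if the zone's administrator allows zone transfers (AXFR) to your
// server. Shown for a placeholder zone because a name may have only one zone
// statement; for iwon.com you would pick either a) or b), not both.
zone "example.org" {
    type slave;
    masters { 192.0.2.1; };       // placeholder: the zone's primary nameserver
    file "sec/example.org.db";    // transferred copy lands here
};
```

After editing, run `named-checkconf` on the file and reload, then repeat the check from earlier in the message against your own server (`dig @10.100.1.5 www.email.iwon.com a`): a working setup returns `status: NOERROR` with a populated ANSWER section, whereas the original symptom shows up as `status: SERVFAIL`.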

>
> A trace is attached ...
>
> Thanks,
>
> -kartik