Bind problems of a beginner

Mathias Körber mathias at koerber.org
Fri Jan 19 03:24:07 UTC 2001


The real problem here seems to be that both advertised
nameservers for condon.com are located in the same
network (judging from their IP address), which results in
DNS problems with any failure of the connectivity to that
network.

Even better would be a nameserver far far away, so that routing problems
to your ISP don't affect the visibility of your zone.

One scenario in which the described mail problem could happen is
that
	- connectivity between your network and the receiving mailserver
	  is OK (as you manage to get an SMTP connection to them)
	- the remote mailserver is configured to query a DNS server
	  located elsewhere (or forwards to such a one)
	- asymmetric routing and some routing problems stop that nameserver
	  from querying the nameserver in your network.

There are other scenarios where such problems could occur...

You should really have at least one secondary NS *outside* your network
(e.g. at your ISP). See RFC 2182 Section 3.1 for more details.


rgds

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Kevin Darcy
> Sent: Friday, January 19, 2001 06:16
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Bind problems of a beginner
>
> Tom Condon wrote:
>
> > ns2.condon.com is in fact down, but I doubt that I am getting that much
> > traffic.  Also, ns1.condon.com is quite a fast machine.  I do remember
> > reading somewhere that mailserver's request for a domain lookup can time
> > out too quickly.  Is this correct?
>
> Yes, I think that was a major reason why sendmail added the ability to tune
> resolver timeouts in 8.10(.1?). But you can't make everybody tune and/or
> upgrade their mail servers, so in the meantime perhaps you should add more
> nameservers so that the failure of 1 won't impact your ability to send mail
> so severely.
>
>
> - Kevin
>
> >
> >
> > In article <945k28$nri at pub3.rc.vix.com>, Kevin Darcy
> > <kcd at daimlerchrysler.com> wrote:
> >
> > > Well, ns2.condon.com is in the condon.com delegations but you're not
> > > advertising it in your domain's NS records and it doesn't appear to be
> > > responding. Perhaps queries are timing out as nameservers try the dead
> > > nameserver, followed by ns1.condon.com, which is perhaps getting
> > > overloaded at times because it's doing twice as much DNS traffic as it
> > > should be (?)
> > >
> > >
> > > - Kevin
> > >
> > > Tom Condon wrote:
> > >
> > > > In article <945ftp$mjc at pub3.rc.vix.com>, Kevin Darcy
> > > > <kcd at daimlerchrysler.com> wrote:
> > > >
> > > > > Modern versions of sendmail check the domain name of the sender
> > > > > as an anti-spam measure. It's not a "problem" of sendmail; rather,
> > > > > a feature.
> > > > >
> > > > > Note that the lookup sendmail would be doing initially is an MX
> > > > > record lookup. Is that what you tested? Only if the MX lookup
> > > > > failed would sendmail issue an A record lookup (the default record
> > > > > type for nslookup).
> > > > >
> > > > > Providing the *real* domain name would greatly assist in
> > > > > troubleshooting
> > > > > your problem.
> > > > >
> > > >
> > > > the domain is "condon.com"
> > > >
> > > > --
> > > > Thomas P. Condon
> > > > Condon Consulting Services, Inc.
> > > > 635 Tennessee Street #306
> > > > San Francisco, CA 94107
> > > > 415-431-9949
> > >
> > >
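
The two conditions raised in this thread (a nameserver present in the parent delegation but missing from the zone's own NS records, and all nameservers sitting in one network) can be checked mechanically. The sketch below is an added example, not part of the original messages: the names and addresses are constructed sample data, and grouping by /24 (IPv4) or /48 (IPv6) is an assumed heuristic for "same network", not a rule taken from RFC 2182.

```python
import ipaddress

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Enclosing prefix used as a rough proxy for 'same network' (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit_nameservers(delegation, apex, addresses):
    """delegation: NS names published by the parent zone.
    apex: NS names published in the zone itself.
    addresses: NS name -> list of IP strings.
    Returns a list of human-readable findings (empty list means no issue found)."""
    findings = []
    # Mismatch between parent and child NS sets leads resolvers to dead servers.
    for name in sorted(delegation - apex):
        findings.append(f"{name}: in parent delegation but not in zone NS records")
    for name in sorted(apex - delegation):
        findings.append(f"{name}: in zone NS records but not delegated by parent")
    # Group every known address by address family and enclosing prefix.
    nets = {}
    for name in sorted(delegation | apex):
        ips = addresses.get(name, [])
        if not ips:
            findings.append(f"{name}: no address known")
        for ip in ips:
            net = network_of(ip)
            nets.setdefault(net.version, {}).setdefault(net, set()).add(name)
    # One prefix per family means one routing failure hides the whole zone.
    for version, by_net in sorted(nets.items()):
        if len(by_net) == 1:
            net = next(iter(by_net))
            findings.append(f"all IPv{version} nameserver addresses sit in {net}")
    return findings

# Constructed sample data (RFC 5737 documentation ranges), not real records.
DELEGATION = {"ns1.example.com", "ns2.example.com"}
APEX = {"ns1.example.com"}
ADDRS = {"ns1.example.com": ["192.0.2.10"], "ns2.example.com": ["192.0.2.20"]}

if __name__ == "__main__":
    for line in audit_nameservers(DELEGATION, APEX, ADDRS):
        print(line)
```

Distinct prefixes do not prove topological diversity (two prefixes can share one upstream link), so a clean result is a minimum bar rather than proof of resilience.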



