Help! ICMP unreachable to gateway?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 6 21:58:55 UTC 2001


HW wrote:

> Hello,
>
> We have had a DNS timeout problem for more than two months already.  While
> testing nslookup with "nslookup www.windows.com", we kept getting a timeout
> for the first lookup, but if we issue "nslookup www.windows.com" again, we
> will get the answer back.

Offhand, sounds like a networking problem. The response packets appear to be
taking so long to get back to your nameservers that the resolver is timing out
before it gets an answer.

> Today, we noticed that while issuing "nslookup www.windows.com" on our
> external DNS server (gwpki01, which is outside of the firewall), 3 of
> Microsoft's DNS servers will give us "timeout" replies.

What on earth is a "timeout reply"? Either you got a reply or you got a timeout
waiting for a reply. I'm not sure what you're describing here.

> When trying to ping
> these MS DNS servers (ping -vRs one-of-MS-DNS-server), we kept getting "ICMP
> unreachable to gateway ns1" messages.  However, ns1 is our internal DNS
> server (inside of the firewall).

DNS isn't used for routing ICMP packets. Looks like maybe you pinged the wrong
server. Either that, or maybe your reverse DNS is screwed up and so ping is
incorrectly reverse-resolving the address of the Microsoft server to ns1.

Why do you think ping would be a useful diagnostic anyway? Many routers and
firewalls block ICMP for security reasons. If you want to test whether a
particular DNS server is answering your DNS queries, the best thing is to make
DNS queries to that server. If you want more low-level information on the
transaction, run a sniffer of some sort and look at the packets.

> Why will ping try to reach a DNS server inside of the firewall?
> (/etc/resolv.conf listed gwpki01 and gwpki02, both external DNS servers are
> the DNS servers).
>
> I assume if we can figure out this problem, maybe it can lead us to solve
> our long-time DNS timeout issue.

I think maybe you're headed on the wrong path. Is "www.windows.com" the
*only* name you're having this problem with? If you're having problems with
other, non-Microsoft-related names, chances are it's not just an isolated
problem talking to Microsoft's nameservers. I *would* try to get to the bottom
of why ping is misreporting its results. But as I said above, this is likely to
be either operator error, or a problem with your reverse DNS. It's probably not
going to help you solve your general problem with regular *forward* name
resolution.


- Kevin
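A probe along the lines Kevin suggests, added here as an example (it is not code from the thread or from BIND): instead of pinging the nameserver, it sends a DNS query straight to the server over UDP port 53 with a timeout, reports "reply" or "timeout" with the round-trip time, and then asks the same server for the PTR record of each returned address, so the reverse name can be compared with what ping printed. The server address is supplied on the command line; the embedded sample reply and its 192.0.2.10 address are constructed for offline checking and are not real data.

```python
"""Direct DNS probe (added example, not from the original thread or from BIND)."""
import random
import socket
import struct
import sys
import time

TYPE_A, TYPE_CNAME, TYPE_PTR = 1, 5, 12


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels plus a root label."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid):
    """Standard query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def reverse_name(ip):
    """The in-addr.arpa name that ping would look up for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data, qid):
    """Return (rcode, [(name, type, ttl, value), ...]) from a DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply id %#x does not match query id %#x" % (rid, qid))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype in (TYPE_CNAME, TYPE_PTR):
            value, _ = read_name(data, off)
        else:
            value = data[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return flags & 0x000F, answers


def query_server(server, qname, qtype=TYPE_A, timeout=2.0):
    """Send one query to `server`; report 'reply' or 'timeout' plus RTT in ms."""
    qid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(qname, qtype, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        data = None
    finally:
        sock.close()
    rtt = round((time.monotonic() - start) * 1000, 1)
    if data is None:
        return {"status": "timeout", "rtt_ms": rtt, "answers": []}
    rcode, answers = parse_response(data, qid)
    return {"status": "reply", "rcode": rcode, "rtt_ms": rtt, "answers": answers}


def build_sample_response(qid=0x1234):
    """Constructed reply for offline use: NOERROR, www.windows.com A 192.0.2.10 (TEST-NET)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.windows.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    server = sys.argv[1]  # IP of the nameserver under test, supplied by the user
    qname = sys.argv[2] if len(sys.argv) > 2 else "www.windows.com"
    result = query_server(server, qname)
    print(qname, result["status"], "%.1f ms" % result["rtt_ms"], result["answers"])
    for _name, rtype, _ttl, addr in result["answers"]:
        if rtype == TYPE_A:  # what does this server say the reverse name is?
            ptr = query_server(server, reverse_name(addr), TYPE_PTR)
            print("  PTR for", addr, "->", ptr["status"], ptr["answers"])
```

Run it once per server listed by nslookup; a consistent "timeout" from one server with "reply" from the others points at the path to that server, and a PTR answer naming your own ns1 for a remote address is the reverse-DNS mix-up Kevin describes.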
