Can't resolve, everything else is fine

phn at phn at
Tue Dec 3 18:02:22 UTC 2002

Paul Roberts <red3kgto at> wrote:

> This is very weird. I'm running BIND 9.2.1 on Solaris 8 and have a
> caching only server on my internet DMZ. I can resolve pretty much
> everything I need, apart from any records for I can see
> the NS records in the cache but my server isn't getting
> any response when it tries to query these servers.

> I've read a lot in here about EDNS, but I've tried switching it off
> and also using dig with and without EDNS, and neither work.

> The queries are going out through Checkpoint FW-1 (I can see them in
> the log).

> I have got around the problem by setting up a conditional forwarding
> statement that just forwards any queries out to my ISP DNS
> servers, and this seems to work, but it's a bit of a bodge as I'd
> rather have my server use the internet roots.

> Anyone got any ideas? Here's what I get:

What's that Checkpoint doing with your packets?

I can get with bind-9.2.1 + openBSD 
ns:peter {101} dig mx

; <<>> DiG 9.2.1 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55080
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 10

;                   IN      MX

;; ANSWER SECTION:
            3560    IN      MX      5
            3560    IN      MX      5
            3560    IN      MX      5
            3560    IN      MX      5

;; AUTHORITY SECTION:
            3560    IN      NS
            3560    IN      NS
            3560    IN      NS
            3560    IN      NS

;; ADDITIONAL SECTION:
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A
        3560    IN      A

;; Query time: 144 msec
;; WHEN: Tue Dec  3 18:56:17 2002
;; MSG SIZE  rcvd: 341

Try sniffing outside the fw-1 and find out why it's dropping it.

> Regards,

> Paul Roberts
> DNS Architect - Core Network Design
> Hutchison3G

Nice, I have a meeting with them tomorrow ...

Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list