External queries fail on BIND 8.3.1

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 18 23:57:23 UTC 2002


Six Wayz wrote:

> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:<aeoc3o$6c13$1 at isrv4.isc.org>...
> > > Thanks again for the reply, Kevin.
> > > I turned on debugging as you suggested.  However, I do not know how to
> > > interpret the results.  Help is most appreciated.  Here are the results
> > > of debugging (Level 1):
> > >
> > > datagram from [127.0.0.1].1805, fd 22, len 25
> > > req: nlookup(isc.org) id 4 type=1 class=1
> > > req: found 'isc.org' as 'org' (cname=0)
> > > findns: No root nameservers for class IN?
> > > ns_req: answer -> [127.0.0.1].1805 fd=22 id=4 size=25 rc=2
> > > prime_cache: priming = 0, root = 0
> > > sysquery: nlookup error on ?
> > >
> > > Obviously, I have queried isc.org.  It seems to me that the problem
> > > lies in the findns procedure.
> >
> > That debug output implies that you don't have forwarding enabled. What does
> > your named.conf look like?
> >
> >
> > - Kevin
> >
> Here is my named.conf file in its entirety:
>
> options {
>         directory "/var/named";
>         dump-file "/var/named/named_dump.db";
>         datasize 2m;
>         statistics-file "/var/named/named.stats";
>
>         listen-on {
>         192.168.0.1;
>         127.0.0.1 ;
>         };
>
>         allow-query {
>         192.168.0.0/24;
>         127.0.0.1;
>         };
>
>         forwarders {
>         24.153.23.66;
>         24.153.22.195;
>         };
>
>         allow-recursion {
>         192.168.0.0/24;
>         127.0.0.1;
>         };
>
>         allow-transfer {
>         none;
>         };
>
>         query-source address * port 53;
> };
>
> logging {
>         file "named.messages";
>         severity debug;
>         };
> };
>
> zone "." {
>         type hint;
>         file "root.hints";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "pz/127.0.0";
> };
>
> zone "0.168.192.in-addr.arpa" {
>         type master;
>         file "pz/0.168.192";
> };
>
> zone "mydomain.org" {
>         type master;
>         notify no;
>         file "pz/mydomain.org";
> };

Hmmm, you *do* have forwarding enabled, but named isn't using it. The only
thing that comes to mind is that it gave up temporarily on the forwarders
because it previously timed out trying to contact them.

One major difference between your "dig" and the way your named is forwarding
queries is that you've locked named's query source address to 53. Do you need
that for some reason? Maybe this low source port is running afoul of a firewall
rule or something. What happens if you comment that out (and then reload named,
of course)?

Out of curiosity, do you need to use forwarding at all? If you're using it
because you can't talk to Internet nameservers directly, then your forwarding
mode should be "forward only" (as opposed to the default "forward first",
which, by omission, is what you have now). This will allow queries to fail
"properly" when the forwarders are unavailable (as opposed to named beating its
head against the wall trying to contact root servers that are inaccessible).
"Forward first" should only be used when you're using forwarding exclusively as
a performance enhancement.


- Kevin

P.S. I couldn't get any response from your forwarders, but that could easily be
because they blackhole all queries which don't originate on their network...
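The two settings Kevin points at, as an added example that is not part of the original thread: a small Python audit that flags a pinned query-source port and a forwarders list with no "forward only", run over a constructed copy of the posted options block and a corrected version. The regexes and function names are my own assumptions about how to read the file; they cover the statement forms used here, not the full named.conf grammar.

```python
import re

# Constructed sample mirroring the options block posted in the thread
# (only the statements the audit inspects are kept).
WEAK_OPTIONS = """
options {
        directory "/var/named";
        forwarders {
        24.153.23.66;
        24.153.22.195;
        };
        query-source address * port 53;
};
"""

# Corrected version: forward-only mode and an unpinned source port.
FIXED_OPTIONS = """
options {
        directory "/var/named";
        forward only;
        forwarders {
        24.153.23.66;
        24.153.22.195;
        };
        query-source address * port *;
};
"""

def strip_comments(conf):
    """Drop the /* */, // and # comment styles named.conf accepts."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def audit_options(conf):
    """Return a list of findings for the options statement of a named.conf."""
    conf = strip_comments(conf)
    findings = []
    # A numeric port after query-source pins every outbound query to it.
    m = re.search(r"query-source\b[^;]*\bport\s+(\d+)\s*;", conf)
    if m:
        findings.append(f"query-source pins the outbound port to {m.group(1)}; "
                        "use 'port *' so named picks an ephemeral port")
    has_forwarders = re.search(r"\bforwarders\s*\{[^}]*\}\s*;", conf) is not None
    forward_only = re.search(r"\bforward\s+only\s*;", conf) is not None
    if has_forwarders and not forward_only:
        findings.append("forwarders configured without 'forward only'; the default "
                        "'forward first' falls back to root servers when they fail")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_OPTIONS), ("fixed", FIXED_OPTIONS)):
        print(name, audit_options(conf))
```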
