Can't resolve a particular address

Ian Northeast ian at house-from-hell.demon.co.uk
Fri Aug 29 23:59:08 UTC 2003


Barry Margolin wrote:
> 
> In article <bio9au$1ccu$1 at sf1.isc.org>, None Given <tawitt71 at yahoo.com> wrote:
> >Can anyone help me even start to track down this problem.
> >
> >I have a private network in my house.  I set up a DNS server on
> >OpenBSD 3.1.  I don't remember what version of bind I have, and don't
> >know how to find it if that matters.
> 
> dig version.bind txt chaos

By default OBSD 3.1 had bind 4 (their modified supposedly more secure
version). I assume that the OP would remember upgrading it. So that
won't work, but "named -v" should. Bind 9 is in the ports and it's easy
to upgrade which I suggest the OP does unless an upgrade to 3.3 is
viable. That comes with bind 9.

> >At any rate, I can not resolve the address www.info.wien.at.  I can
> >reach this destination outside of my network, so it isn't their site.
> >
> >I thought it might be the TLD, and maybe I had my root files messed up
> >or something, but I can resolve other addresses inside that TLD, and
> >can even resolve wien.at.
> 
> www.dnsreport.com says that one of the nameservers for the info.wien.at
> domain is lame.
> 
> babylon.atnet.at is supposed to be a server for the domain, but it doesn't
> appear to have the zone loaded.

But the other one works so that isn't the whole problem. BTW is it
normal for a lame server to answer non-authoritatively and quote itself
as an authority? Just curious.

The other problem seems to be a firewall somewhere in front of the
working nameserver for info.wien.at, ns.info.wien.at, which is dropping
DNS queries from source port 53. Bind 4 uses source port 53. Modern
versions use high source ports by default. If I change a nameserver to
use source port 53 it can't resolve that domain, if I let it default to
high it can.

This sort of thing can take hours to diagnose fully. Someone posted a
little patch to dig which enables the source port to be specified the
other day, I can't remember where but google should provide. This could
be very useful in this situation.

If my diagnosis is correct this firewall is broken. But it's probably
easier for the OP to upgrade to bind 9 than to try to persuade the
firewall's admin to fix it.

Regards, Ian
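
The source-port comparison described in the message above, as an added example that is not part of the original post or of BIND: it sends the same query once from a fixed source port and once from an OS-chosen high port and reports whether only the fixed port goes unanswered. The function names, the loopback stand-in server, the name www.example.test and port 20053 (used in place of 53 so the demo runs without root) are all assumptions made for the illustration.

```python
import socket, struct, threading
QID = 0x1234  # fixed query ID, enough for a one-shot probe

def build_query(name, qtype=1):
    """Minimal non-recursive DNS query (RFC 1035), class IN, default type A."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", QID, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def probe(server, name, src_port=0, timeout=1.0):
    """Query server (host, port) from UDP source port src_port (0 = OS picks a high port).
    Returns the reply RCODE, or None when no reply arrives. Binding to 53 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))
        s.sendto(build_query(name), server)
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    if len(data) < 4:
        return None
    qid, flags = struct.unpack("!HH", data[:4])
    return flags & 0x000F if qid == QID else None

def diagnose(server, name, fixed_port=53):
    """Compare a fixed source port (BIND 4 style) with an ephemeral one (modern default)."""
    fixed, high = probe(server, name, fixed_port), probe(server, name, 0)
    if high is None:
        return "no reply even from a high port"
    if fixed is None:
        return "source port %d filtered" % fixed_port
    return "no source-port difference"

def start_filtering_server(blocked_port):
    """Constructed loopback stand-in: answers every query except those from blocked_port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def loop():
        while True:
            data, peer = srv.recvfrom(512)
            if peer[1] != blocked_port:  # the simulated firewall silently drops the rest
                srv.sendto(data[:2] + struct.pack("!H", 0x8400) + data[4:], peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    addr = start_filtering_server(blocked_port=20053)  # 20053 stands in for 53
    print(diagnose(addr, "www.example.test", fixed_port=20053))
```

A single lost UDP packet is indistinguishable from a filtered one, so repeat the probe several times before blaming a firewall.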

