bind 9.2.1 SERVFAIL driving me nuts

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Dec 16 21:28:10 UTC 2003


> I'm running out of ideas.  I have a 2.4.20 server running bind 9.2.1.
> Actually, I have two servers, one of which is trouble-free, the other
> of which is being a pig.  They are mutual slaves for each other's
> domains.
> 
> When I check the name service on other servers, it appears to be
> working (though the web checkers, like DNSReport, might be going into
> recursion, which gets its answer from server number two, the good one,
> and not server number one, the pig).
> 
> Starting the server shows no errors in the syslog.  Doing very simple
> things like "dig @127.0.0.1 ." results in 
> ; <<>> DiG 9.2.1 <<>> @127.0.0.1 .
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> I have been thinking that the firewall configuration could be the
> problem, but even when I flush all the rules and set all the chains to
> policy "ACCEPT" it still acts the same.  In my firewall rules, I allow
> anybody to connect to port 53 by TCP or UDP.
> 
> "netstat -an"  shows the server listening on all my interfaces
> udp        0      0 67.112.125.92:53        0.0.0.0:*
> udp        0      0 67.112.125.91:53        0.0.0.0:*
> udp        0      0 67.112.125.90:53        0.0.0.0:*
> udp        0      0 172.16.24.1:53          0.0.0.0:*
> udp        0      0 127.0.0.1:53            0.0.0.0:*
> 
> I can't find any problems in my named.conf.  Here's an edited section
> of it:
> =========================================
> options {
> directory "/var/named/";
> auth-nxdomain yes ;
> allow-query { 67.112.125.88/29; localhost; };
> allow-transfer {67.116.23.64/28; localhost;};
> allow-recursion { 127.0.0.1; 67.112.125.88/29; 67.116.23.64/28;
> 172.16.24/24;};
> pid-file "/var/run/named/named.pid";
> listen-on-v6 { none; };
> query-source address * port 53;
> };
> 
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "zone/db.127.0.0";
>         allow-query {any;};
>         };
> 
> zone "125.112.67.in-addr.arpa" {
>         type master;
>         notify yes;
>         file "zone/db.67.112.125.88:29";
>         allow-query {any;};
>         };
> 
> zone "ponyhome.com" {
>         type master;
>         file "zone/db.ponyhome";
>         notify yes;
>         allow-query {any;};
>         };
> =====================================================
> Here is zone file "db.67.112.125.88:29"
> ============================
> $TTL 3D
> @       IN      SOA     trip.ponyhome.com. root.trip.ponyhome.com.  (
>                                 2003121401      ; Serial
>                                 8H              ; Refresh
>                                 4H              ; Retry
>                                 7D              ; Expire
>                                 3D )            ; Minimum
> 
>                 NS      trip.ponyhome.com.
>                 NS      helios.timension.com.
> 
> 89              PTR     gateway.ponyhome.com.
> 90              PTR     trip.ponyhome.com.
> ==================================
> And here is the forward zone, "db.ponyhome":
> ==================================
> $ORIGIN ponyhome.com.
> $TTL 86400
> @       IN      SOA     trip.ponyhome.com. root.trip.ponyhome.com.  (
>                                 2003121402      ; Serial
>                                 2H      ; Refresh
>                                 1H      ; Retry
>                                 7D      ; Expire
>                                 1D )    ; Minimum TTL
> 
>                 NS      trip.ponyhome.com.
>                 NS      helios.timension.com.
>                 MX      10      trip.ponyhome.com.
>                 MX      20      helios.timension.com.
> 
> @               IN      A       67.112.125.90
> trip            IN      A       67.112.125.90
> gateway         IN      A       67.112.125.89
> ==================================
> 
> It IS responding nicely to all the domains that I have authority for.
> 
> For example:
>  dig @67.112.125.90 wren.ponyhome.com
> 
> ; <<>> DiG 9.2.1 <<>> @67.112.125.90 wren.ponyhome.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33704
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;wren.ponyhome.com.             IN      A
> 
> ;; ANSWER SECTION:
> wren.ponyhome.com.      86400   IN      CNAME   trip.ponyhome.com.
> trip.ponyhome.com.      86400   IN      A       67.112.125.90
> 
> ;; AUTHORITY SECTION:
> ponyhome.com.           86400   IN      NS      helios.timension.com.
> ponyhome.com.           86400   IN      NS      trip.ponyhome.com.
> 
> ;; ADDITIONAL SECTION:
> helios.timension.com.   86400   IN      A       67.116.23.65
> 
> ;; Query time: 2 msec
> ;; SERVER: 67.112.125.90#53(67.112.125.90)
> ;; WHEN: Mon Dec 15 22:28:29 2003
> ;; MSG SIZE  rcvd: 131
> 
> ============================
> But if I try to look up anything not under my authority:
>  dig @67.112.125.90 microsoft.com
> 
> ; <<>> DiG 9.2.1 <<>> @67.112.125.90 microsoft.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16238
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;microsoft.com.                 IN      A
> 
> ;; Query time: 2 msec
> ;; SERVER: 67.112.125.90#53(67.112.125.90)
> ;; WHEN: Mon Dec 15 22:30:49 2003
> ;; MSG SIZE  rcvd: 31
> ==================
> Any suggestions, yelling or pointing out of stupid mistakes would be
> gladly accepted.  I just can't see what I'm doing wrong, here.
> 
> Victor Wren vwren ampersand ponyhome period com
> 

	What do you have in your hints zone?

	As you are using views (your nameserver wouldn't be answering
	the way it is unless you were using views) you really should
	supply more of your configuration especially the view specific
	options.

	It also looks like you don't have the full /24 (db.67.112.125.88:29)
	I suggest that you look at RFC 2317 and talk to your upstream.
	Claiming authority over a zone that is not yours to claim is
	wrong.

	Also BIND 9.2.1 is old.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
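As an added illustration of the RFC 2317 delegation Mark points to (example code, not Mark's or ISC's), this generates the classless in-addr.arpa records for the poster's /29: the CNAME and NS records the upstream would add to its 125.112.67.in-addr.arpa zone, and the PTR records the poster would serve from the child zone. The nameserver and host names are taken from the posted zone files; the `/` in the child zone label follows RFC 2317 (some operators substitute `-`).

```python
import ipaddress


def classless_reverse_zone(cidr):
    """RFC 2317 child zone name for a sub-/24 IPv4 prefix.
    67.112.125.88/29 -> '88/29.125.112.67.in-addr.arpa.'"""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 is for IPv4 prefixes between /25 and /31")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def parent_zone_records(cidr, child_ns):
    """Records the /24 holder (the upstream) adds to its zone: an NS
    delegation of the child zone plus one CNAME per address pointing
    into it. Owner names are relative to the parent zone apex."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = classless_reverse_zone(cidr)
    child_label = child.split(".")[0]          # e.g. '88/29'
    lines = [f"{child_label}\tIN\tNS\t{ns}" for ns in child_ns]
    for addr in net:                           # all 2**(32-prefixlen) addresses
        last = str(addr).split(".")[3]
        lines.append(f"{last}\tIN\tCNAME\t{last}.{child}")
    return lines


def child_zone_records(cidr, ptrs):
    """PTR records the block holder serves from the child zone. Every
    address must fall inside the delegated block; anything outside it
    would claim reverse mapping for space that is not ours."""
    net = ipaddress.ip_network(cidr, strict=True)
    lines = [f"$ORIGIN {classless_reverse_zone(cidr)}"]
    for ip, name in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        lines.append(f"{ip.split('.')[3]}\tIN\tPTR\t{name}")
    return lines


if __name__ == "__main__":
    # Names below come from the zone files quoted in the thread.
    NS = ["trip.ponyhome.com.", "helios.timension.com."]
    print("\n".join(parent_zone_records("67.112.125.88/29", NS)))
    print("\n".join(child_zone_records("67.112.125.88/29", {
        "67.112.125.89": "gateway.ponyhome.com.",
        "67.112.125.90": "trip.ponyhome.com.",
    })))
```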

