trouble with dns
Mark_Andrews at isc.org
Mark_Andrews at isc.org
Mon Feb 17 05:02:59 UTC 2003
> Me wrote:
> > Greetings,
> >
> > I have a linux machine with bind and all seems fine locally. I can do
> > nslookups, dig, host, all fine, but the windows machines on the lan
> > cannot use it. Here are the error messages in the linux logfiles.
> >
> >
> > client 192.168.0.206#1025: error sending response: host unreachable:
> > 4 Time(s)
> > client 192.168.0.206#1478: error sending response: host unreachable:
> > 4 Time(s)
> > client 192.168.0.206#1481: error sending response: host unreachable:
> > 4 Time(s)
> > .............
> >
> > the 192.168.0.206 is one of the windows machines on the lan, the log
> > file shows similar errors for all the other windows machines as well...
> >
> > I'm not sure were to start... Please Help :)
> >
> > rick
>
>
> Rick,
>
> I've been having this same problem since I upgraded BIND last spring
> from what ships with Red Hat 7.1 to one of the errata RPMs. I never saw
> this message before that; but I've seen a lot of it since.
>
> I've asked before about it and most of the responses were (1) you have
> a route problem or (2) you have a firewall problem. I knew those
> weren't the case because (1) it happened between my DNS and hosts on the
> same subnet and (2) I disabled firewalling on both ends.
>
> The problem has never happened that I can tell on the DNS box that I
> use only internally, which is singled-homed (which is to say it has only
> one NIC and only one IP on that NIC). My other 2 machines are
> dual-homed, but one of the interfaces is only for management and no
> clients point to those management interfaces for DNS.
>
> Even though I've had this problem for a while, I never have complaints
> about DNS being slow or not answering. Since I wasn't satisfied with
> most of the answers I got earlier, I recently decided to do run tcpdump
> on both ends (which is not always possible, I know, but I was able to do
> so on a few boxen) and do some more detailed investigating. Here are my
> findings and opinions.
>
> First, my general observations:
> 1. when the problem occurs, it is generally with the same half dozen or
so hosts; some are Windows, others Linux
> 2. in every case so far, the client sends out a request, then, 10
> seconds later it sends out a 2nd identical request (same source port, as
> well)
> 3. in every case, the server responds, but usually 60 seconds or more
> after the original query
> 4. in every case so far, the server's answer has been SERVFAIL or
> NXDOMAIN; it SEEMS like it doesn't happen when the server responds
> quickly and with a positive answer; this also only happens when my
> server has to do recursion and get an answer about a domain or IP it
> doesn't serve out
> 5. the client then sends an 'icmp port unreachable' back to the server
> 6. the named daemon, then, logs that in /var/log/messages
>
>
> Here, then, is an excerpt from the log file at the time the error
> occurred... (IPs masked)
> Feb 16 04:01:41 dns2 named[26153]: client client.IP#38766: error sending
> response: host unreachable
>
> Here is what tcpdump showed on the client end for that port # and time
> stamp...
> 04:00:11.487669 client.IP.38766 > server.IP.53: 40480+ PTR?
> 21.180.139.216.in-addr.arpa. (45) (DF)
> 04:00:21.506507 client.IP.38766 > server.IP.53: 40480+ PTR?
> 21.180.139.216.in-addr.arpa. (45) (DF)
> 04:01:41.527446 server.IP.53 > client.IP.38766: 40480 ServFail 0/0/0
> (45) (DF)
> 04:01:41.527472 client.IP > server.IP: icmp: client.IP udp port 38766
> unreachable [tos 0xc0]
>
> Server side tcpdump was identical to client side.
>
> My thoughts...
> 1. this seems limited to the negative answers possibly because the
> server has to wait so long to get an answer
> 2. the client sends 2 requests because it hasn't gotten its first answer
> within 10 seconds
> 3. is there some way I can tell my dns to wait less time for its answers
> so it doesn't have to wait so long to respond?
> 4. I'm going to keep watching this to see if it ever happens on a
> positive answer; I somehow doubt it will
> 5. at the end of the day, it doesn't seem to hurt performance but it
> sure is a nuisance
>
> Any thoughts?
> --Brian C.
It sounds like the kernel's not correctly handling the
setsockopt(SO_BSDCOMPAT). This option stops the kernel
returning error messages for port unreachable on unconnected
UDP sockets. Under the BSD socket API these are only
returned on connected sockets.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
More information about the bind-users
mailing list