Secondary fails to respond to queries
Robert Gahl
bgahl at bawcsa.org
Wed Feb 19 19:11:41 UTC 2003
At 06:37 PM 2/19/2003 +0000, Simon Waters wrote:
> > The problem is that while it will do what it needs to resolve requests that
> > originate on the machine, it is "refusing" to respond to requests made on
> > it from other hardware in the office. Here is the named.conf file from the
> > secondary DNS server:
>
>What query is being directed at 192.168.254.11
>- From which IP address?
192.168.254.107 (but, it can be any address w/i the 254 network)
>How does it fail, can you show output from "dig" or similar.
Regretfully, I only have nslookup on my PC, but here is its output looking
at flame (the primary) and then fire (the secondary/slave):
> server 192.168.254.1
Default Server: [192.168.254.1]
Address: 192.168.254.1
> www.lycos.com
Server: [192.168.254.1]
Address: 192.168.254.1
Non-authoritative answer:
Name: www.lycos.com.akadns.net
Address: 209.202.216.27
Aliases: www.lycos.com
> server 192.168.254.11
Default Server: fire.fireclick.com
Address: 192.168.254.11
> www.lycos.com
Server: fire.fireclick.com
Address: 192.168.254.11
*** fire.fireclick.com can't find www.lycos.com: Query refused
>
Logging onto fire itself, I get:
[bgahl@fire bgahl]$ dig www.lycos.com
; <<>> DiG 9.2.0rc9 <<>> www.lycos.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59319
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 12, ADDITIONAL: 0
;; QUESTION SECTION:
;www.lycos.com. IN A
;; ANSWER SECTION:
www.lycos.com. 900 IN CNAME www.lycos.com.akadns.net.
www.lycos.com.akadns.net. 300 IN A 209.202.216.27
;; AUTHORITY SECTION:
akadns.net. 172800 IN NS ZA.akadns.net.
akadns.net. 172800 IN NS ZC.akadns.net.
akadns.net. 172800 IN NS ZD.akadns.net.
akadns.net. 172800 IN NS ZE.akadns.net.
akadns.net. 172800 IN NS ZF.akadns.net.
akadns.net. 172800 IN NS ZH.akadns.net.
akadns.net. 172800 IN NS USE2.AKAM.net.
akadns.net. 172800 IN NS USE3.AKAM.net.
akadns.net. 172800 IN NS USE4.AKAM.net.
akadns.net. 172800 IN NS USW5.AKAM.net.
akadns.net. 172800 IN NS NS1-93.AKAM.net.
akadns.net. 172800 IN NS NS1-159.AKAM.net.
;; Query time: 816 msec
;; SERVER: 192.168.254.11#53(192.168.254.11)
;; WHEN: Wed Feb 19 11:08:15 2003
;; MSG SIZE rcvd: 311
>What do "netstat -an | grep 53" and "netstat -in" show on
>server. I'm looking for the obvious typo first.
[bgahl@fire bgahl]$ netstat -an | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 192.168.254.11:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
unix 0 [ ] DGRAM 853
[bgahl@fire bgahl]$ netstat -in
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:50:DA:8F:92:89
inet addr:192.168.254.11 Bcast:192.168.254.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7443564 errors:0 dropped:0 overruns:0 frame:0
TX packets:11364278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:5 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:97253 errors:0 dropped:0 overruns:0 frame:0
TX packets:97253 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
>I shy away from "views", and I wouldn't use one merely to hide
>the DNS version number, I'd either drop in a phone number or
>other contact details using a "version" directive, or mellow out
>and let everyone read it. But then I prefer to keep the IP level
>restrictions in the routers and firewalls where possible.
There was a reason for views at one point, but I can't remember what it
was (chagrin) :(
>I trust it is 9.2.1 or 9.2.2rc1.
[bgahl@fire bgahl]$ /usr/sbin/named -v
BIND 9.2.0rc9
I can do an upgrade in pretty quick order, if needed.
===
Bob Gahl Bicycle (Ryan Vanguard) Mobile || @
ARPA/Internet: bgahl at bawcsa.org || !_ \
URL: http://www.bawcsa.org/bgahl/ || (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb
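
Added example, not part of the original message: a decoder for the 12-byte DNS header that produces the "status" and "flags" fields dig prints above, so a refusal (RCODE 5, as nslookup reported from the PC) can be told apart from an answered query when only raw replies are available. The two sample headers are constructed; the first uses the values from the dig output, the second uses a hypothetical id.

```python
import struct

# RCODE and OPCODE names as dig prints them (RFC 1035 section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
# Flag bits of the second header word, in the order dig lists them.
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]

def parse_header(packet):
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(packet))
    ident, word, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    rcode = word & 0x000F
    return {"id": ident,
            "opcode": OPCODES.get((word >> 11) & 0xF, "RESERVED"),
            "status": RCODES.get(rcode, "RCODE%d" % rcode),
            "flags": [name for name, bit in FLAG_BITS if word & bit],
            "counts": (qd, an, ns, ar)}

def dig_header(h):
    """Render a parsed header the way dig prints it."""
    return (";; ->>HEADER<<- opcode: %s, status: %s, id: %d\n"
            ";; flags: %s; QUERY: %d, ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d"
            % ((h["opcode"], h["status"], h["id"], " ".join(h["flags"]))
               + h["counts"]))

def verdict(h):
    """Separate a policy refusal from an answered query."""
    if h["status"] == "REFUSED":
        return "server reachable, but it declined this query for policy reasons"
    if h["status"] == "NOERROR" and "ra" in h["flags"]:
        return "answered, recursion available to this client"
    return "status " + h["status"]

# Constructed sample headers (not captured traffic).
LOCAL_REPLY = struct.pack("!6H", 59319, 0x8180, 1, 2, 12, 0)  # values from the dig output
REFUSED_REPLY = struct.pack("!6H", 4660, 0x8105, 1, 0, 0, 0)  # hypothetical id, RCODE 5

if __name__ == "__main__":
    for pkt in (LOCAL_REPLY, REFUSED_REPLY):
        h = parse_header(pkt)
        print(dig_header(h))
        print(";; " + verdict(h))
```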