Secondary fails to respond to queries

Robert Gahl bgahl at bawcsa.org
Wed Feb 19 19:11:41 UTC 2003


At 06:37 PM 2/19/2003 +0000, Simon Waters wrote:

> > The problem is that while it will do what it needs to resolve requests that
> > originate on the machine, it is "refusing" to respond to requests made on
> > it from other hardware in the office. Here is the named.conf file from the
> > secondary DNS server:
>
>What query is being directed at 192.168.254.11
>- From which IP address?

192.168.254.107 (but, it can be any address w/i the 254 network)

>How does it fail, can you show output from "dig" or similar.

Regretfully, I only have nslookup on my PC, but here is its output looking
at flame (the primary) and then fire (the secondary/slave):

 > server 192.168.254.1
Default Server:  [192.168.254.1]
Address:  192.168.254.1

 > www.lycos.com
Server:  [192.168.254.1]
Address:  192.168.254.1

Non-authoritative answer:
Name:    www.lycos.com.akadns.net
Address:  209.202.216.27
Aliases:  www.lycos.com

 > server 192.168.254.11
Default Server:  fire.fireclick.com
Address:  192.168.254.11

 > www.lycos.com
Server:  fire.fireclick.com
Address:  192.168.254.11

*** fire.fireclick.com can't find www.lycos.com: Query refused
 >

Logging onto fire itself, I get:

[bgahl at fire bgahl]$ dig www.lycos.com

; <<>> DiG 9.2.0rc9 <<>> www.lycos.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59319
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 12, ADDITIONAL: 0

;; QUESTION SECTION:
;www.lycos.com.                 IN      A

;; ANSWER SECTION:
www.lycos.com.          900     IN      CNAME   www.lycos.com.akadns.net.
www.lycos.com.akadns.net. 300   IN      A       209.202.216.27

;; AUTHORITY SECTION:
akadns.net.             172800  IN      NS      ZA.akadns.net.
akadns.net.             172800  IN      NS      ZC.akadns.net.
akadns.net.             172800  IN      NS      ZD.akadns.net.
akadns.net.             172800  IN      NS      ZE.akadns.net.
akadns.net.             172800  IN      NS      ZF.akadns.net.
akadns.net.             172800  IN      NS      ZH.akadns.net.
akadns.net.             172800  IN      NS      USE2.AKAM.net.
akadns.net.             172800  IN      NS      USE3.AKAM.net.
akadns.net.             172800  IN      NS      USE4.AKAM.net.
akadns.net.             172800  IN      NS      USW5.AKAM.net.
akadns.net.             172800  IN      NS      NS1-93.AKAM.net.
akadns.net.             172800  IN      NS      NS1-159.AKAM.net.

;; Query time: 816 msec
;; SERVER: 192.168.254.11#53(192.168.254.11)
;; WHEN: Wed Feb 19 11:08:15 2003
;; MSG SIZE  rcvd: 311


>What do "netstat -an | grep 53" and "netstat -in" show on
>server. I'm looking for the obvious typo first.

[bgahl at fire bgahl]$ netstat -an | grep 53
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.168.254.11:53       0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
unix  0      [ ]         DGRAM                    853

[bgahl at fire bgahl]$ netstat -in
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:50:DA:8F:92:89
           inet addr:192.168.254.11  Bcast:192.168.254.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:7443564 errors:0 dropped:0 overruns:0 frame:0
           TX packets:11364278 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           Interrupt:5 Base address:0xd000

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           UP LOOPBACK RUNNING  MTU:3924  Metric:1
           RX packets:97253 errors:0 dropped:0 overruns:0 frame:0
           TX packets:97253 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0


>I shy away from "views", and I wouldn't use one merely to hide
>the DNS version number, I'd either drop in a phone number or
>other contact details using a "version" directive, or mellow out
>and let everyone read it. But then I prefer to keep the IP level
>restrictions in the routers and firewalls where possible.

There was a reason for views at one point, but I can't remember what it
was (chagrin) :(

>I trust it is 9.2.1 or 9.2.2rc1.

[bgahl at fire bgahl]$ /usr/sbin/named -v
BIND 9.2.0rc9

I can do an upgrade in pretty quick order, if needed.


===
Bob Gahl Bicycle (Ryan Vanguard) Mobile ||     @
     ARPA/Internet: bgahl at bawcsa.org     ||  !_ \
    URL: http://www.bawcsa.org/bgahl/    ||  (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb
