Stops doing reverses for a few hours

Tuc tuc at ttsg.com
Tue Oct 7 15:11:52 UTC 2003 

> >	That would make sense, but the first authoritative server is 
> >216.231.111.14, in the same /19 and the second is 209.51.161.86 which is
> >offsite. We have checked all packet filers and allow-query and it should
> >not be a problem. PLUS, the 2nd major time it happened, it stopped almost
> >exactly 4 hours after it started with NO changes anywhere in our 
> >configurations or network.
> 
> Have you tried using a sniffer to see the traffic between the servers when
> this happens?
> 

This is from a tcpdump atr the time it was happening:

14:17:54.112038 216.231.119.95.53 > 198.41.0.4.53: 2760 PTR? 11.113.231.216.in-addr.arpa. (45) (ttl 64, id 5410)
14:17:54.120434 198.41.0.4.53 > 216.231.119.95.53: 2760- q: 11.113.231.216.in-addr.arpa. 0/7/0 (198) (DF) (ttl 52, id 0)
14:17:54.121001 192.55.83.30.53 > 216.231.119.95.53: 25408- q: chia.ARIN.NET. 0/7/7 (271) (DF) (ttl 52, id 0)
14:17:54.121303 192.55.83.30.53 > 216.231.119.95.53: 43090- q: indigo.ARIN.NET. 0/7/7 (273) (DF) (ttl 52, id 0)
14:17:54.121335 192.55.83.30.53 > 216.231.119.95.53: 65208- q: ginseng.ARIN.NET. 0/7/7 (274) (DF) (ttl 52, id 0)
14:17:54.122500 192.55.83.30.53 > 216.231.119.95.53: 6737- q: figwort.ARIN.NET. 0/7/7 (274) (DF) (ttl 52, id 0)
14:17:54.122792 192.55.83.30.53 > 216.231.119.95.53: 152- q: henna.ARIN.NET. 0/7/7 (272) (DF) (ttl 52, id 0)
14:17:54.125389 192.55.83.30.53 > 216.231.119.95.53: 47761- q: dill.ARIN.NET. 0/7/7 (271) (DF) (ttl 52, id 0)
14:17:54.125624 192.55.83.30.53 > 216.231.119.95.53: 12871- q: epazote.ARIN.NET. 0/7/7 (274) (DF) (ttl 52, id 0)

Which is where it appears to hang on that request, nothing further in the 
tcpdump related to that query...when it started working later on, it was 
querying the secondary server for the in-addr and not the primary, not sure
if that's related or just coincidence:

14:43:08.731324 216.231.119.95.53 > 209.51.161.86.53: 398 PTR? 11.113.231.216.in-addr.arpa. (45) (ttl 64, id 52493)
14:43:08.732410 209.51.161.86.53 > 216.231.119.95.53: 398* q: 11.113.231.216.in-addr.arpa. 1/2/2 11.113.231.216.in-addr.arpa. PTR ti
gger.tolim.net. (158) (ttl 60, id 43289)

It appears to be working now in general, not sure if ARIN changed things back 
on their end or what the triggering factor is; if the symptoms re-arise I'll
do more sniffing and try to find out more info.

		Tuc/TTSG Internet Services, Inc.

More information about the bind-users mailing list