Problem: no ANSWER section in external queries only

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 2 23:38:43 UTC 2004


Your real problem is not the mere absence of an Answer Section (which is 
perfectly valid under some circumstances), but the fact that the 
response is SERVFAIL. The SERVFAIL is most likely caused by the fact 
that your NS record (you *must* have at least 2 nameservers, by the way) 
points to a CNAME, which is highly illegal in DNS.

- Kevin
Benton Roberts wrote:

>Hello, BIND experts.
>
>I am having a configuration problem with named which is preventing my 
>nameserver from responding correctly to external queries. I am new to 
>setting up DNS, so please forgive me if I do not provide the correct 
>information for debugging this problem...
>
>I have a server which is currently listening to several public IP 
>addresses. One of these addresses is already serving a named domain, but 
>my machine is not currently acting as this particular domain's 
>nameserver -- the company I registered the domain with provides a web 
>page for updating their own DNS server's address records, so I simply 
>pointed the name of my domain to the desired IP address.
>
>Now, I have recently agreed to use another of the public IP addresses to 
>host a different domain, which someone else has registered with a 
>different company. This person gave me the authentication info for 
>administering this new domain (hereafter called "newdomain.net"), 
>through a similar web interface provided by the company with whom he has 
>registered it. However, this interface does not allow me to update the 
>registrar's DNS records -- instead, I'm provided only with a 
>"delegation" form for entering nameserver addresses, not a form for 
>adding actual DNS "A-records". So it seems that I have to setup named 
>and configure it to be authoritative for newdomain.net....
>
>So, like a good Linux user, I started with the instructions in the DNS 
>HowTo <http://www.tldp.org/HOWTO/DNS-HOWTO.html>, and it seems I have 
>everything configured correctly for newdomain.net, except that I'm 
>getting different responses when I query the server externally than when 
>I query it from its own command-line. Specifically, I get no ANSWER or 
>AUTHORITY sections when querying the server from a remote system.
>
>In the config files and output samples that follow, I've substituted 
>"mydomain.net" for the name of the actual domain I'm trying to get 
>working, and "<MY.PUB.IP.ADDR>" for the IP address I'd like to assign 
>this domain to. So here's the result of trying to resolve 
>www.newdomain.net from a command-prompt on the server itself:
>===========================================
>root at www:/var/named> dig www.newdomain.net
>
>; <<>> DiG 9.2.1 <<>> www.newdomain.net
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26099
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;www.newdomain.net.            IN      A
>
>;; ANSWER SECTION:
>www.newdomain.net.     259200  IN      A       <MY.PUB.IP.ADDR>
>
>;; AUTHORITY SECTION:
>newdomain.net.         259200  IN      NS      ns.newdomain.net.
>
>;; Query time: 2 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Mon Jun 28 18:35:31 2004
>;; MSG SIZE  rcvd: 69
>===========================================
>
>
>Looks fine. I can perform the same query from the same host, only using 
>the IP address that I want the nameserver to listen on...
>===========================================
>root at www:/var/named> dig @<MY.PUB.IP.ADDR> www.newdomain.net
>
>; <<>> DiG 9.2.1 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59824
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;www.newdomain.net.            IN      A
>
>;; ANSWER SECTION:
>www.newdomain.net.     259200  IN      A       <MY.PUB.IP.ADDR>
>
>;; AUTHORITY SECTION:
>newdomain.net.         259200  IN      NS      ns.newdomain.net.
>
>;; Query time: 2 msec
>;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
>;; WHEN: Mon Jun 28 18:40:37 2004
>;; MSG SIZE  rcvd: 69
>==========================================
>
>
>OK, that works fine too. But here's the response I get when running the 
>same command from another system:
>===========================================
>root at other_host:~> dig @<MY.PUB.IP.ADDR> www.newdomain.net
>
>; <<>> DiG 9.2.2 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26930
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;www.newdomain.net.            IN      A
>
>;; Query time: 165 msec
>;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
>;; WHEN: Mon Jun 28 18:46:10 2004
>;; MSG SIZE  rcvd: 36
>===========================================
>
>A perfectly legitimate server response, but with no answer section! This 
>confuses me. It's not a networking problem, because the server is 
>responding just fine (I can even telnet to port 53). It doesn't appear 
>to be an access restrictions problem, because no permissions error is 
>reported in the log file (just as a test, I briefly enabled access 
>control and verified the expected behavior: a lookup failure on the 
>client and a "query denied" error message in the server log). So what 
>could be causing this behavior?
>
>Here are the two config files I believe are relevant...
>Contents of /var/named/newdomain.net:
>===========================================
>;
>; Zone file for newdomain.net
>;
>$TTL 3D
>@       IN      SOA     www.newdomain.net. admin.newdomain.net. (
>                         199802151       ; serial, todays date + todays serial #
>                         8H              ; refresh, seconds
>                         2H              ; retry, seconds
>                         4W              ; expire, seconds
>                         1D )            ; minimum, seconds
>;
>                 TXT     "newdomain.net"
>                 NS      ns              ; Inet Address of name server
>                 MX      10 mail         ; Primary Mail Exchanger
>
>
>localhost       A       127.0.0.1
>
>
>www             A       <MY.PUB.IP.ADDR>
>                 MX      10 mail
>
>
>ns              CNAME   www
>mail            CNAME   www
>ftp             CNAME   www
>gw              CNAME   www
>===========================================
>
>
>
>Contents of /etc/named.conf:
>===========================================
>options {
>         directory "/var/named";
>};
>
>controls {
>         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
>};
>zone "." IN {
>         type hint;
>         file "named.ca";
>};
>
>zone "localhost" IN {
>         type master;
>         file "localhost.zone";
>         allow-update { none; };
>};
>
>zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "named.local";
>         allow-update { none; };
>};
>
>//      my new domain
>zone "newdomain.net" {
>        type master;
>         notify no;
>         file "newdomain.net";
>};
>
>// Reverse DNS lookups
>zone "<ADDR.IP.PUB>.in-addr.arpa" {
>         type master;
>         notify no;
>         file "<ADDR.IP.PUB>";
>};
>
>include "/etc/rndc.key";
>===========================================
>
>Any ideas about how to attack this problem will be gratefully accepted. 
>For example, how can I get some more useful debugging information about 
>the processing of the non-working requests?
>
>Thanks in advance,
>-benton
>-------------
>Benton Roberts
>Application / Support Engineer, Orad
>tel:917.861.7462
>mailto:bentonr at orad-ny.com

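The reply above pins the SERVFAIL on an NS record whose target is a CNAME. The following is an added example, not code from the original post or from BIND: a small lint that parses the subset of master-file syntax used in the quoted zone ($TTL, $ORIGIN, "@", relative names, a parenthesised multi-line SOA, one record per line) and reports the delegation mistakes RFC 2181 section 10.3 forbids (an NS target, or the host part of an MX, that is an alias), a CNAME owner that carries other data (RFC 2181 section 10.1), and a zone with fewer than two NS records. Both zone texts are constructed for the example; 192.0.2.10 stands in for the poster's <MY.PUB.IP.ADDR> and the second name server ns2/192.0.2.11 in the fixed zone is an assumption.

```python
"""Zone-file lint for the delegation mistakes discussed in this thread.

Added example (not BIND code): a minimal master-file parser plus checks for
NS/MX targets that are CNAMEs (RFC 2181 10.3), CNAME owners with other data
(RFC 2181 10.1) and zones with fewer than two NS records.
"""
import re

TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")

# Constructed from the zone file quoted in the thread; 192.0.2.10 replaces
# the poster's <MY.PUB.IP.ADDR> (192.0.2.0/24 is documentation space).
BROKEN_ZONE = """\
$TTL 3D
@       IN      SOA     www.newdomain.net. admin.newdomain.net. (
                        199802151       ; serial
                        8H 2H 4W 1D )   ; refresh retry expire minimum
                TXT     "newdomain.net"
                NS      ns              ; NS pointing at an alias: the bug
                MX      10 mail
www             A       192.0.2.10
                MX      10 mail
ns              CNAME   www
mail            CNAME   www
ftp             CNAME   www
"""

# Same zone with A records behind the NS and MX names and a second name
# server; ns2 and its address are assumptions for the example.
FIXED_ZONE = """\
$TTL 3D
@       IN      SOA     ns1.newdomain.net. admin.newdomain.net. (
                        2004070201      ; serial
                        8H 2H 4W 1D )
                NS      ns1
                NS      ns2
                MX      10 mail
ns1             A       192.0.2.10
ns2             A       192.0.2.11
mail            A       192.0.2.10
www             A       192.0.2.10
ftp             CNAME   www
"""


def _strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _fqdn(name, origin):
    """Absolute, lower-cased form of an owner or target name."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return [(owner, TYPE, [rdata tokens])] with every name made absolute."""
    origin = origin.rstrip(".").lower() + "."
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():          # 1. fold '( ... )' continuations
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf = f"{buf} {line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    records, last_owner = [], origin
    for line in logical:                   # 2. one record per logical line
        if line.startswith("$ORIGIN"):
            origin = _fqdn(line.split()[1], origin)
            continue
        if line.startswith("$"):           # $TTL and friends do not matter here
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():              # blank owner repeats the previous one
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens.pop(0), origin)
        for _ in range(2):                 # optional TTL and class, either order
            if tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() == "IN"):
                tokens.pop(0)
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def lint_zone(text, origin="newdomain.net"):
    """Return a list of problem strings; an empty list means the checks pass."""
    origin = origin.rstrip(".").lower() + "."
    records = parse_zone(text, origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    aliases = {o for o, t in types_at.items() if "CNAME" in t}
    ns_targets = {_fqdn(rd[0], origin) for o, t, rd in records if t == "NS" and o == origin}
    mx_targets = {_fqdn(rd[1], origin) for _, t, rd in records if t == "MX"}
    problems = []
    if len(ns_targets) < 2:
        problems.append(f"{origin} has {len(ns_targets)} NS record(s); at least two name servers are needed")
    for kind, targets in (("NS", ns_targets), ("MX", mx_targets)):
        for tgt in sorted(targets):
            in_zone = tgt == origin or tgt.endswith("." + origin)
            if tgt in aliases:
                problems.append(f"{kind} target {tgt} is a CNAME (RFC 2181 10.3)")
            elif in_zone and not types_at.get(tgt, set()) & {"A", "AAAA"}:
                problems.append(f"{kind} target {tgt} is in-zone but has no A/AAAA record")
    for owner in sorted(aliases):
        if types_at[owner] - {"CNAME"}:
            problems.append(f"{owner} has a CNAME plus other data (RFC 2181 10.1)")
    return problems
```

Running `lint_zone(BROKEN_ZONE)` reports three problems (one NS record, the NS target `ns.newdomain.net.` is a CNAME, the MX target `mail.newdomain.net.` is a CNAME); `lint_zone(FIXED_ZONE)` returns an empty list. The parser deliberately covers only the syntax used in the thread; for a real zone, `named-checkzone` from the BIND distribution is the tool to run before reloading.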
More information about the bind-users mailing list