DNS Problems - Need to get it working.

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Sun Jun 20 08:03:56 UTC 2004


Spencer Yost <syost at triad.rr.com> wrote:
> Sorry if this has been discussed, but my problem is a bit vague and
> shapeless and searching the archives proved difficult.

> I am in the midst of creating a new authoritative nameserver for several
> domains.   I got the latest BIND (9.3.0rc1) and had no trouble building and
> installing.  Configuring seemed to be a snap (I was running 9.1 on the old
> machine so nothing much was different).   I ran DNSWALK to confirm stuff
> and everything is AOK.   Doing a nslookup with "set debug" reveals DNS info
> on the Internet is correct for my server and domains.

> Sound good?   Not quite.

> Every computer that tries to use this new name server as a resolver can NOT
> resolve any domains.  If I am logged in locally to the server  I can
> resolve anything.  No one on the Internet can find any of my
> hostname/domains either.  (ie can't find www.yhimc.com).   Turning up/ON
> debugging produces nothing in the log files except success messages from
> startup and me logged onto the DNS server doing lookups.

> As an example, I host yhimc.com.   The new DNS server is
> heavyiron.atis.net.  I can do a nslookup/dig on any machine on my network
> that uses heavyiron.atis.net as a DNS server and can NOT resolve
> www.yhimc.com or any other domain.  Likewise John Doe on his machine and
> ISP across the world can not  resolve www.yhimc.com. Logging on to the
> server and doing a query DOES resolve it just fine though.

> Clues/Hints/Weird Observations:

> - DNSWALK likes everything

> - Statfiles show no requests (should be getting hundreds but only have a
> handful)

> - Message everyone gets is SERVFAIL

> - If anyone runs nslookup and types server <heavyiron IP  address> and then
> does his lookup, he gets a SERVFAIL also.

> - My server acts like it doesn't see any request that doesn't originate
> from localhost (nothing in log files, stat files, etc).

> - Using zone and conf files that are in production in BIND 9.1.   I just
> changed IP addresses and few little odds and ends like that.

> - The old/current name server is still running and serving up info to any
> computer that wants it.

> - NS records at the registrar were changed 36 hours ago and because most
> users do NOT seem to be getting the old information found at the old server
> and are getting errors instead, I assume the DNS/NS information has
> propagated.

> Thanks in advance for any help you can provide,

> Spencer Yost

The zone yhimc.com. is slightly broken,
it's delegated to :
yhimc.com.              172800  IN      NS      heavyiron.atis.net.
yhimc.com.              172800  IN      NS      ns2-auth.sprintlink.net.
 but "ns2-auth.sprintlink.net." is lame

the "Negative-cache TTL" is larger than your default TTL

Those faults should not however give the symptoms you have given. Asking
heavyiron.atis.net. just about any query results in an answer (you might
prevent outsiders by "no-recursion").

Are your clients correctly configured? Are firewall-filters obstructing?


-- 
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out,
           remove "icke-reklam" if you feel for mailing me. Thanx.
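
Added example, not part of the original message or of BIND: the two conditions raised in the reply (a lame server listed in the delegation, and a server that answers just about any query for outsiders) can both be read from the header of a reply to a non-recursive SOA query for the zone. The function names and the sample headers are assumptions constructed for illustration, not captures from the servers in this thread.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, qid=0x1234):
    """Non-recursive (RD=0) SOA query, ready to send over UDP port 53."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 0)
    return header + qname + struct.pack("!2H", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(packet):
    """Classify a server's reply to build_soa_query() from its header alone."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)  # AA bit
    findings = []
    # A listed NS that cannot answer authoritatively for the zone is lame.
    if rcode != 0 or not authoritative or ancount == 0:
        findings.append("lame")
    # RA set: the server advertises recursion to whoever sent the query.
    if flags & 0x0080:
        findings.append("recursion-offered")
    return {"rcode": RCODES.get(rcode, str(rcode)), "aa": authoritative,
            "findings": findings}

def _header(flags, ancount=0, nscount=0):
    """Build a 12-byte response header for the constructed samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

# Constructed sample headers (not captures from the servers in the thread).
SAMPLES = {
    "healthy": _header(0x8400, ancount=1),        # AA, one answer
    "servfail": _header(0x8002),                  # RCODE 2, no AA
    "referral": _header(0x8000, nscount=13),      # upward referral, no AA
    "auth-and-open": _header(0x8480, ancount=1),  # AA and RA both set
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_response(pkt))
```

Run against each name server in a delegation, a "lame" finding on any of them corresponds to the first fault noted above, and "recursion-offered" seen from an outside address corresponds to the open recursion remark.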

