FW: Periodic lookup failures

Tony Davis Tony.Davis at voca.com
Thu Jul 21 14:36:36 UTC 2005


Dear List,
 
I sent the attached email last week. Jim and Mark kindly replied
suggesting that the problem was most likely related to firewall and/or
NAT issues. I have therefore been concentrating on these areas. When we
have the problem I have been snooping the outgoing network interface and
we have run sniffers both sides of the firewall. Although we have made
some progress we still haven't cracked the issue. We seem to be seeing
three issues:
 
1. Some replies appear to be blocked by the firewall
2. Some replies appear to be blocked or incorrectly redirected by the
Content Sensitive Switch
3. We seem to be doing unnecessary lookups to the root servers
 
Strangely, all the blocked and missing replies seem to be ones that were
made to the root servers. 
 
Regarding the unnecessary root server lookups, maybe someone can explain
the following mystery to me. 
 
The setup we have is two nameservers in the same DMZ, a master and
slave. External addresses are resolved by querying out via the internet.
 
Today we had our intermittent problem. I selected some obscure URLs to
lookup that wouldn't be cached. On one server I did the lookup for a
.com URL. h.gtld-servers.net server immediately responded back with the
authoritative name servers for the domain and additional records
containing the IP addresses of the nameservers. Our DNS server appears
to ignore the IP addresses supplied and goes straight to the root
servers querying the addresses of the authoritative nameservers. No
reply is received by our server (although a reply is received from the
internet) from any of the root servers it queries so the lookup fails.
 
On our slave DNS server I do the same thing. Again h.gtld-servers.net
responds with the authoritative nameservers along with their addresses.
This time the DNS server goes straight to the authoritative nameserver
using the IP addresses supplied and the URL is resolved.
 
My question is why is one of the nameservers apparently ignoring the IP
addresses supplied and going straight to the root servers to resolve
them?
 
Also, if anyone has any theories as to why the root servers may be
blocked (and this isn't consistent, some are blocked, others aren't),
they would be welcome. Just to clarify, both servers are using the same
CSS and firewall.
 
Thanks
 
Tony

________________________________

From: Tony Davis 
Sent: 14 July 2005 12:04
To: 'bind-users at isc.org'
Subject: FW: Periodic lookup failures


Dear bind experts,
 
For a month or so now we've been having an intermittent problem whereby
one of our DNS servers (not always the same one) will fail to resolve
external addresses. We've tried using both forwarders and having a
db.cache file so the root servers are queried and it's made no
difference. When the problem occurs the lookups timeout.
 
Initially we were using bind 8.3.4 but I tried upgrading to 8.4.6 in
case it was some kind of bug. This is running on Solaris 8.
 
On the face of it the problem appears to be a DNS cache issue as when
named is restarted, everything springs back to life. Also, one time when
we were investigating the problem, the cache cleanup routine ran and DNS
started working again. However, when I snooped the network interface
during the problem, queries appeared to be sent out but I couldn't see
any reply packets. All very strange.
 
I've been trying to think what the problem may be, an invalid entry in
the cache perhaps? I was also wondering whether it may be some kind of
memory issue although there's always plenty of free memory.
 
Anyway, if anyone has any suggestions, they would be most welcome.
 
Thanks
 
Tony 
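The forwarding note above asks why one resolver discards the nameserver addresses a gTLD server supplies in the additional section and starts again at the root. The following is an added example, not code from the post and not BIND's own implementation: it models one rule recursive resolvers apply to additional-section records that produces exactly that behaviour. Glue is trusted only when it is "in bailiwick", i.e. the glue name falls under the zone served by the server that sent the referral; anything else is discarded (it could otherwise be used to poison the cache) and the NS names are resolved independently, which starts a fresh lookup, typically from the root. The referrals, hostnames and 192.0.2.x addresses are constructed placeholders, and the model does not claim to be the cause in this particular case.

```python
"""Model of a recursive resolver's glue (additional-record) acceptance rule.

Added example. The referral data below is constructed; the zone names,
nameserver names and 192.0.2.x addresses are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified with a trailing dot."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    The root zone (".") contains everything. The leading dot in the suffix
    test prevents "notexample.com." from matching zone "example.com.".
    """
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


@dataclass
class Referral:
    """A delegation response: NS records in the authority section plus any
    address records the server volunteered in the additional section."""
    delegated_zone: str                                   # owner of the NS records
    nameservers: list[str]                                # NS targets
    additional: dict[str, list[str]] = field(default_factory=dict)  # name -> A records


def usable_glue(ref: Referral, responding_zone: str) -> dict[str, list[str]]:
    """Return the glue a resolver may trust from this response.

    `responding_zone` is the zone the answering server is authoritative for
    (e.g. "com." for a gTLD server). An address record is accepted only if
    its owner is one of the delegated NS names AND lies inside that zone.
    """
    additional = {normalize(k): v for k, v in ref.additional.items()}
    accepted: dict[str, list[str]] = {}
    for ns in ref.nameservers:
        ns_name = normalize(ns)
        addrs = additional.get(ns_name)
        if addrs and in_bailiwick(ns_name, responding_zone):
            accepted[ns_name] = list(addrs)
    return accepted


def next_step(ref: Referral, responding_zone: str) -> tuple[str, list[str]]:
    """Decide what the resolver does after receiving the referral.

    ("query", addresses)   - contact the delegated servers directly using glue
    ("resolve-ns", names)  - no trustworthy glue: resolve the NS names first,
                             which begins a separate lookup (often at the root)
    """
    glue = usable_glue(ref, responding_zone)
    if glue:
        return ("query", sorted(a for addrs in glue.values() for a in addrs))
    return ("resolve-ns", sorted(normalize(ns) for ns in ref.nameservers))


# Constructed referrals, all as a "com." server would return them.
IN_BAILIWICK_REFERRAL = Referral(
    delegated_zone="example.com.",
    nameservers=["ns1.example.com.", "ns2.example.com."],
    additional={"ns1.example.com.": ["192.0.2.1"], "ns2.example.com.": ["192.0.2.2"]},
)

# Nameservers live under another TLD; the "com." server's glue is out of
# bailiwick, so the resolver must look the NS names up on its own.
OUT_OF_BAILIWICK_REFERRAL = Referral(
    delegated_zone="example.com.",
    nameservers=["ns.hosting-provider.net."],
    additional={"ns.hosting-provider.net.": ["192.0.2.50"]},
)

# One in-bailiwick and one out-of-bailiwick nameserver: only the first is used.
MIXED_REFERRAL = Referral(
    delegated_zone="example.com.",
    nameservers=["ns1.example.com.", "ns.hosting-provider.net."],
    additional={"ns1.example.com.": ["192.0.2.1"], "ns.hosting-provider.net.": ["192.0.2.50"]},
)


if __name__ == "__main__":
    for label, ref in [("in-bailiwick", IN_BAILIWICK_REFERRAL),
                       ("out-of-bailiwick", OUT_OF_BAILIWICK_REFERRAL),
                       ("mixed", MIXED_REFERRAL)]:
        print(label, "->", next_step(ref, "com."))
```

The practical check this suggests when two resolvers behave differently on the same referral is to compare what each has cached for the NS names (with `dig +norecurse` against each server, or by dumping the cache) rather than only the packets on the wire: a server that already holds the NS records without addresses, or that has thrown the glue away, will go off to resolve those names even though the referral carried them.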

