problem with resolving SOME EXTERNAL domains

Ronan Flood ronan at noc.ulcc.ac.uk
Mon Jun 13 15:26:56 UTC 2005


<enesz at bih.net.ba> wrote:

> After flushing DNS cache with rndc flush, I tried to resolve with IP
> addresses of navy.mil DNS servers, like this:

Your local cache should have no effect on these tests, but no matter.

> # ./dig @138.180.5.138 usno.navy.mil. a +norec
> # ./dig @205.56.138.34 usno.navy.mil. a +norec
> # ./dig @205.56.150.18 usno.navy.mil. a +norec
> # ./dig @138.143.200.2 usno.navy.mil. a +norec
> # ./dig @192.245.206.2 usno.navy.mil. a +norec

[snip all timing out]

> As you can see, NOTHING again.
>  
> Is this a network problem, or..?
> Possible network problems on communication with root DNS servers?

Nothing to do with the root servers, as you are contacting the
navy.mil servers directly by IP address.  Might be a network problem.
Can you try those tests again over TCP: 

dig @138.180.5.138 usno.navy.mil. a +norec +vc

and the same for the others.

How far does a traceroute get?  Here are the first two from here

% traceroute -n 138.180.5.138
traceroute to 138.180.5.138 (138.180.5.138), 30 hops max, 40 byte packets
 1  128.86.16.1  0.687 ms  0.373 ms  0.360 ms
 2  128.86.1.43  0.377 ms  0.293 ms  0.290 ms
 3  146.97.35.5  0.630 ms  0.555 ms  0.551 ms
 4  146.97.33.34  0.947 ms  0.898 ms  0.883 ms
 5  146.97.35.226  0.939 ms  0.843 ms  0.866 ms
 6  213.206.159.101  0.946 ms  1.028 ms  0.932 ms
 7  213.206.128.97  1.205 ms  1.197 ms  1.231 ms
 8  213.206.129.70  8.406 ms  8.344 ms  8.356 ms
 9  213.206.129.79  25.735 ms  25.657 ms  25.620 ms
10  217.147.128.34  26.438 ms  26.444 ms  26.414 ms
11  217.147.128.41  26.161 ms  26.188 ms  26.282 ms
12  217.147.143.62  46.817 ms  46.692 ms  46.598 ms
13  140.35.3.53  46.751 ms  47.162 ms  46.618 ms
14  198.26.146.58  47.393 ms  47.236 ms  46.975 ms
15  * * *

% traceroute -n 205.56.138.34
traceroute to 205.56.138.34 (205.56.138.34), 30 hops max, 40 byte packets
 1  128.86.16.1  0.814 ms  0.442 ms  0.400 ms
 2  193.63.94.43  0.407 ms  0.307 ms  0.312 ms
 3  146.97.35.5  0.641 ms  0.578 ms  0.568 ms
 4  146.97.33.34  0.947 ms  0.927 ms  0.896 ms
 5  146.97.35.222  1.004 ms  0.876 ms  0.873 ms
 6  213.206.159.101  0.957 ms  0.957 ms  0.929 ms
 7  213.206.128.104  1.041 ms  0.947 ms  0.968 ms
 8  144.232.9.163  68.234 ms  68.266 ms  143.397 ms
 9  144.232.7.106  68.304 ms  68.340 ms  68.395 ms
10  144.232.7.101  68.480 ms  68.258 ms  68.435 ms
11  205.171.1.133  68.129 ms  68.016 ms  68.108 ms
12  205.171.17.69  68.907 ms  68.895 ms  68.935 ms
13  205.171.8.181  83.841 ms  124.754 ms  83.761 ms
14  198.26.99.81  88.764 ms  88.964 ms  88.845 ms
15  33.99.200.2  88.888 ms  89.186 ms  88.958 ms
16  198.25.101.2  116.434 ms  93.305 ms  121.770 ms
17  * * *

I believe the target nameserver is the next hop (15 and 17) in
each case, as a tcptraceroute to port 53 on them indicates that.

> P.S I already sent my named.conf

Yes, I had no relevant comment to make on that.
You probably do not want "query-source address * port 53" unless
you have some definite reason for needing it, and you should
use "allow-recursion" or similar to limit access to your resolver.

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
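
The named.conf advice at the end of this message, shown as an added example that is not part of the original post or of the poster's configuration: the fixed-port `query-source` line beside a form that lets named choose the source port, plus an `allow-recursion` restriction. The ACL name "trusted" and the 192.0.2.0/24 network are placeholder assumptions; `localhost` and `localnets` are BIND's built-in ACLs.

```conf
// Constructed example; "trusted" and 192.0.2.0/24 are placeholders.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;      // placeholder client network
};

options {
    // Before: every outgoing query leaves from UDP source port 53,
    // so the source port of the resolver's queries is predictable.
    // query-source address * port 53;

    // After: no port given, named selects the source port itself.
    query-source address *;

    // Only the listed clients may ask this server to recurse;
    // everyone else gets answers for locally served zones only.
    allow-recursion { "trusted"; };
};
```

Running `named-checkconf` on the edited file before reloading confirms that the syntax is valid.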


