Sometimes users get host unknown

David Nolan vitroth+ at cmu.edu
Tue Jun 13 11:50:28 UTC 2006



--On Tuesday, June 13, 2006 11:23:38 +0100 Andrew Watkins 
<andrew at dcs.bbk.ac.uk> wrote:

> lkl.ac.uk.              86400   IN      NS      ns1.lonklab.ac.uk.
> lkl.ac.uk.              86400   IN      NS      mail1.ccs.bbk.ac.uk.
> ;; Received 101 bytes from 128.16.5.32#53(ns1.cs.ucl.ac.uk) in 150 ms
>
> dig: Couldn't find server 'ns1.lonklab.ac.uk': Name or service not known
>
>
> Any pointers?


I recently encountered a similar situation when one of our users was 
complaining about inability to send mail to users in the phila.gov domain. 
In the course of debugging the problem I discovered one small failing of 
'dig +trace ....', it doesn't display or use the glue records provided 
during the DNS traversal.  i.e. ns1.cs.ucl.ac.uk provides both of the NS 
records dig is displaying and an A record for ns1.lonklab.ac.uk.  You can 
verify this yourself via 'dig ns lkl.ac.uk @ns1.cs.ucl.ac.uk'.  Since dig 
is not using the glue records, in order to do the next hop it relies on 
your resolver library to lookup ns1.lonklab.ac.uk.  I suspect that your 
nameserver is unable to resolve that name.

However I bet if you do the next hop lookup yourself it will work, i.e. 
'dig www.lkl.ac.uk @193.61.29.32'.  In my case this led to the interesting 
discovery that bind was unable to do that query but running dig from a 
shell on my nameserver, directly to the same target nameserver, worked 
fine.  I then started looking at packet traces and discovered that all of 
my nameservers which were having problems talking to phila.gov name servers 
were sending packets from the same udp source port, 32768, and not getting 
any response.  Restarting bind caused it to pick a new source port and the 
queries started working.  Thus I came to the conclusion that phila.gov had 
a firewall that was breaking dns queries to their servers.  I've 
temporarily configured my servers not to send from that port (via 
'avoid-v4-udp-ports {32768;};'), but that's just a hack workaround. 
Unfortunately the phila.gov whois records contain no contact information, 
and I've not received any response to the message I sent to their published 
contact address.  (If anyone has a contact at phila.gov, please pass this & 
my name along...)

I don't know if your problem will be similar, but hopefully this gives you 
some ideas for debugging...

-David Nolan
 Network Software Designer
 Computing Services
 Carnegie Mellon University
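The manual "next hop" trace David describes, written up as an added shell example (this is not code from the post or from BIND): instead of letting dig's +trace hand the NS name to the local resolver, pull the glue out of the referral's ADDITIONAL section and query the next server by address. The referral below is a constructed sample matching what the post describes (glue only for ns1.lonklab.ac.uk, none for mail1.ccs.bbk.ac.uk); 193.61.29.32 is the address the post gives as the next hop, and the dig invocations in the comments need network access and are not run here.

```shell
#!/bin/sh
# glue_from_dig: read dig output on stdin and print, for every NS named in the
# ANSWER/AUTHORITY section, the A/AAAA glue the same response carried in its
# ADDITIONAL section ("<ns> <ip>"), or "<ns> NO-GLUE" if the referral gave no
# address for that server (then the local resolver has to look it up, which is
# exactly the step that failed in the post).
glue_from_dig() {
    awk '
        /^;; (ANSWER|AUTHORITY) SECTION:/ { sect = "ns";   next }
        /^;; ADDITIONAL SECTION:/         { sect = "glue"; next }
        /^;;/ || /^$/                     { sect = "";     next }
        sect == "ns"   && $4 == "NS"                  { ns[++n] = $5 }
        sect == "glue" && ($4 == "A" || $4 == "AAAA") { ip[$1] = ip[$1] " " $5 }
        END {
            for (i = 1; i <= n; i++)
                if (ns[i] in ip) print ns[i] ip[ns[i]]
                else             print ns[i], "NO-GLUE"
        }'
}

# next_hop_ip: first glue address from a referral, i.e. a server you can query
# directly without resolving any NS name.
next_hop_ip() {
    glue_from_dig | awk '$2 != "NO-GLUE" { print $2; exit }'
}

# Constructed sample referral (not captured from a real server): what
# "dig +norecurse ns lkl.ac.uk @ns1.cs.ucl.ac.uk" would look like if, as the
# post says, the parent carries glue for ns1.lonklab.ac.uk only.
SAMPLE_REFERRAL='
;; QUESTION SECTION:
;lkl.ac.uk.                     IN      NS

;; AUTHORITY SECTION:
lkl.ac.uk.              86400   IN      NS      ns1.lonklab.ac.uk.
lkl.ac.uk.              86400   IN      NS      mail1.ccs.bbk.ac.uk.

;; ADDITIONAL SECTION:
ns1.lonklab.ac.uk.      86400   IN      A       193.61.29.32

;; Query time: 150 msec
'

# Offline demonstration on the constructed referral.
printf '%s\n' "$SAMPLE_REFERRAL" | glue_from_dig

# Live procedure (needs network; assumed names from the thread):
#   ip=$(dig +norecurse ns lkl.ac.uk @ns1.cs.ucl.ac.uk | next_hop_ip)
#   dig +norecurse www.lkl.ac.uk @"$ip"
# To test the source-port theory from the post, pin dig to the suspect port
# (-b takes address#port) and compare with an unpinned query:
#   dig -b 0.0.0.0#32768 www.lkl.ac.uk @"$ip"
#   dig www.lkl.ac.uk @"$ip"
```

If the pinned query times out while the unpinned one answers, the path filters that source port and a BIND-side avoid-v4-udp-ports entry is only masking it; the fix belongs at the other end.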



