Queries to a positively cached zone are failing (phila.gov)

Greg Chavez greg.chavez at gmail.com
Tue Mar 14 23:18:15 UTC 2006


On 3/14/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> In article <dv72aj$17ac$1 at sf1.isc.org>,
>  "Greg Chavez" <greg.chavez at gmail.com> wrote:
>
> > We are experiencing a total phila.gov blackout right now.  All queries
> > for it time out.  But this time, we have both of phila.gov's name
> > servers in our cache with glue:
> >
> > # grep -i phila.gov named_dump.db
> > phila.GOV.              85957   NS      DNS.phila.gov.
> >                         85957   NS      DNS2.phila.gov.
> > DNS.phila.GOV.          85957   A       170.115.249.10
> > DNS2.phila.GOV.         85957   A       170.115.249.11
> >
> > If I do digs @ either NS IP, I get answers. Digs using my forwarders
> > time out.  Dig traces get me the NS records for the dot-gov servers
>
> Rather than dump your cache, you need to look at the forwarder's cache.
> And what happens if you try to query the nameservers from the forwarder?

What you see above *is* the forwarder's cache.  There are four
forwarders total and each one has similar entries.  Queries sent to
the forwarders' named process for phila.gov, whether locally or from
network clients, time out.  Queries sent with dig to either of
phila.gov's name servers from the forwarders result in buttery
success:

> dig ns phila.gov @170.115.249.10

; <<>> DiG 8.3 <<>> ns phila.gov @170.115.249.10
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;;      phila.gov, type = NS, class = IN

;; ANSWER SECTION:
phila.gov.              1D IN NS        dns.phila.gov.
phila.gov.              1D IN NS        dns2.phila.gov.

;; ADDITIONAL SECTION:
dns.phila.gov.          1D IN A         170.115.249.10
dns2.phila.gov.         1D IN A         170.115.249.11

;; Total query time: 54 msec
;; FROM: lsmns1o.gtwy.uscourts.gov to SERVER: 170.115.249.10  170.115.249.10
;; WHEN: Tue Mar 14 16:58:10 2006
;; MSG SIZE  sent: 27  rcvd: 96

Furthermore, packet sniffs show that BIND *is* sending out DNS queries
to phila.gov's name servers when it is forwarded requests from
internal clients.  But it gets no response.

This tells me that *if* an unknown upstream filter (not likely, at
least not on my end) is causing mischief, it's filtering at the
application layer not the network layer.  So the question is, what
distinguishes a dig-fashioned query from a BIND-fashioned query?

Thanks to Barry and anyone else who wants to chime in.
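To make the closing question concrete, here is an added example (not part of the original thread) that builds the two query shapes side by side so they can be compared byte for byte or replayed against a name server. It assumes that a dig/stub-style query sets RD and carries no EDNS0 OPT record, while a recursive resolver's iterative query to an authoritative server clears RD and (in BIND 9) appends an OPT record; both are assumptions about the behaviour under diagnosis, not facts the thread states. The 27-byte size of the RD query matches the "MSG SIZE sent: 27" in the dig output above.

```python
# Added example, not from the original post. Builds a dig-style and a
# resolver-style DNS query by hand (assumed shapes: RD set / no EDNS versus
# RD clear / EDNS0 OPT) so the on-wire difference can be inspected or replayed.
import socket
import struct

def build_query(name, qtype=2, rd=True, edns=False, txid=4, udp_payload=4096):
    """Return a raw DNS query for `name` (qtype 2 = NS, class IN)."""
    flags = 0x0100 if rd else 0x0000        # opcode QUERY; bit 8 is RD
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended rcode/version/flags (all zero), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt

def describe(packet):
    """Parse the 12-byte header; for queries built here, ARCOUNT > 0 means EDNS."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"rd": bool(flags & 0x0100), "opcode": (flags >> 11) & 0xF,
            "arcount": ar, "edns": ar > 0, "size": len(packet)}

def diff_styles(name="phila.gov"):
    """Return only the header fields that differ between the two assumed styles."""
    dig_style = build_query(name, rd=True, edns=False)
    resolver_style = build_query(name, rd=False, edns=True)
    a, b = describe(dig_style), describe(resolver_style)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def send_udp(packet, server, port=53, timeout=2.0):
    """Send one query over UDP; return the response bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

if __name__ == "__main__":
    print(diff_styles())  # {'rd': (True, False), 'arcount': (0, 1), 'edns': (False, True), 'size': (27, 38)}
```

Replaying both shapes with `send_udp` against each authoritative address (e.g. `send_udp(build_query("phila.gov", rd=False, edns=True), "170.115.249.10")`) shows directly whether a response depends on the RD bit or the OPT record.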
