Queries to a positively cached zone are failing (phila.gov)
Greg Chavez
greg.chavez at gmail.com
Wed Mar 15 14:52:10 UTC 2006
On 3/15/06, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> Ronan Flood <ronan at noc.ulcc.ac.uk> wrote
> > Also BIND will be using EDNS,
>
> % dig +bufsize=1024 @dns.phila.gov NS phila.gov
>
> ; <<>> DiG 9.2.4 <<>> +bufsize=1024 @dns.phila.gov NS phila.gov
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 58304
> ;; flags: qr rd ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; Query time: 119 msec
> ;; SERVER: 170.115.249.10#53(dns.phila.gov)
> ;; WHEN: Wed Mar 15 14:02:35 2006
> ;; MSG SIZE rcvd: 12
>
>
> Now, BIND should retry without EDNS, no?
First thing I did when I saw Ronan's message was to slap myself on the
head. The second thing I did was add this to named.conf:
server 170.115.249.10 { edns no;};
server 170.115.249.11 { edns no;};
The third thing I did was test it and the fourth thing I did was slap
myself again when it didn't work. Same old same old. Dig queries to
the phila.gov name servers work; queries by BIND time out.
Times out: that's an important distinction. BIND doesn't get back a
FORMERR; the remote name server *never responds* to the query.
; <<>> DiG 8.3 <<>> ns phila.gov
;; res options: init recurs defnam dnsrch
;; res_nsend to server default -- 127.0.0.1: Connection timed out
Here are the results of my packet analysis using snoop. The Ether and
IP were identical. The DNS headers are mostly similar, save for the
RD flag. I don't know what else to look for.
DIG-to-phila.gov (gets NXDOMAIN response):
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 8:45:20.51
ETHER: Packet size = 74 bytes
ETHER: Destination = 0:11:43:dc:3a:38,
ETHER: Source = 0:3:ba:2:e9:e6,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 60 bytes
IP: Identification = 37693
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 720a
IP: Source address = 10.X.X.25, 10.X.X.25
IP: Destination address = 170.115.249.10, 170.115.249.10
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 33102
UDP: Destination port = 53 (DNS)
UDP: Length = 40
UDP: Checksum = 1076
UDP:
DNS: ----- DNS Header -----
DNS:
DNS: Query ID = 4
DNS: Opcode: Query
DNS: RD (Recursion Desired)
DNS: 1 question(s)
DNS: Domain Name: test.phila.gov.
DNS: Class: 1 (Internet)
DNS: Type: 1 (Address)
DNS:
0: 0011 43dc 3a38 0003 ba02 e9e6 0800 4500 ..C.:8........E.
16: 003c 933d 4000 ff11 720a 0ad1 c819 aa73 .<.=@...r......s
32: f90a 814e 0035 0028 1076 0004 0100 0001 ...N.5.(.v......
48: 0000 0000 0000 0474 6573 7405 7068 696c .......test.phil
64: 6103 676f 7600 0001 0001 a.gov.....
BIND-to-phila.gov (no edns, times out):
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 8:43:16.49
ETHER: Packet size = 74 bytes
ETHER: Destination = 0:11:43:dc:3a:38,
ETHER: Source = 0:3:ba:2:e9:e6,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 60 bytes
IP: Identification = 51839
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 3ac8
IP: Source address = 10.X.X.25, 10.X.X.25
IP: Destination address = 170.115.249.10, 170.115.249.10
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 32768
UDP: Destination port = 53 (DNS)
UDP: Length = 40
UDP: Checksum = 7233
UDP:
DNS: ----- DNS Header -----
DNS:
DNS: Query ID = 41108
DNS: Opcode: Query
DNS:
DNS: 1 question(s)
DNS: Domain Name: test.phila.gov.
DNS: Class: 1 (Internet)
DNS: Type: 1 (Address)
DNS:
0: 0011 43dc 3a38 0003 ba02 e9e6 0800 4500 ..C.:8........E.
16: 003c ca7f 4000 ff11 3ac8 0ad1 c819 aa73 .<..@...:......s
32: f90a 8000 0035 0028 7233 a094 0000 0001 .....5.(r3......
48: 0000 0000 0000 0474 6573 7405 7068 696c .......test.phil
64: 6103 676f 7600 0001 0001 a.gov.....
These packets go through a pix firewall before they reach the wild.
One of our network engineers was able to confirm that both of these
packets were leaving the firewall. I also got a hold of the phila.gov
folks for a time, although they have yet to come close to figuring out
how to check DNS and network logs and tables. I am hoping that they
will soon provide me with reasonable troubleshooting data.
--
--Greg Chavez
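As an added example (not part of the original post or of BIND), the following Python decodes the DNS section of the two snoop dumps above and reports which header fields differ. The two byte strings are the UDP payloads (frame offset 42 onward) copied from the hex dumps in the message; the test checks that the BIND query carries no OPT record (ARCOUNT is 0, so `edns no` took effect) and differs from the dig query only in the RD bit.

```python
"""Decode and compare the DNS queries captured in the two snoop dumps."""
import struct

# UDP payloads copied from the hex dumps in the post (bytes 42.. of each frame).
DIG_QUERY = bytes.fromhex(
    "0004 0100 0001 0000 0000 0000"
    "0474 6573 7405 7068 696c 6103 676f 7600 0001 0001")
BIND_QUERY = bytes.fromhex(
    "a094 0000 0001 0000 0000 0000"
    "0474 6573 7405 7068 696c 6103 676f 7600 0001 0001")


def parse_query(msg: bytes) -> dict:
    """Parse the 12-byte header and the first question of a DNS message (RFC 1035)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": ".".join(labels) + ".",
        "qtype": qtype, "qclass": qclass,
        # A query that uses EDNS carries an OPT pseudo-RR in the additional
        # section, so ARCOUNT > 0 is the wire-level sign of EDNS being on.
        "edns": ar > 0,
    }


def header_diff(a: dict, b: dict) -> dict:
    """Return the fields whose values differ, ignoring the per-query ID."""
    return {k: (a[k], b[k]) for k in a if k != "id" and a[k] != b[k]}


if __name__ == "__main__":
    dig, bind = parse_query(DIG_QUERY), parse_query(BIND_QUERY)
    print("dig :", dig)
    print("bind:", bind)
    print("differs in:", header_diff(dig, bind))
```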