Nslookup Times Out on A Lookup To Well-Known Hosts

Barry Margolin barmar at alum.mit.edu
Tue Oct 3 00:45:07 UTC 2006 

In article <efrape$2gf$1 at sf1.isc.org>,
 "Will" <westes-usc at noemail.nospam> wrote:

> To recap, our DNS server, which is set to do recursive lookups, fails to
> resolve many popular Internet addresses.
> 
> "Barry Margolin" <barmar at alum.mit.edu> wrote in message
> news:efkc0v$11ni$1 at sf1.isc.org...
> > You said you asked it to look up MX records, so why is it now doing A
> > record lookups?  Although I doubt that the record type actually matters.
> 
> I am certainly no DNS expert, but the sniffer trace I saw suggests that the
> algorithm DNS resolver in BIND is using for an MX record lookup is the
> following:
> 
> 1) Get the SOA record for the domain.

As far as I know, BIND never looks up the SOA record when performing 
recursion; the only time it looks up the SOA is when a slave server is 
polling its master, to see if the serial number has changed.

> 2) Do an A record lookup for the NS records in the SOA

What "NS records in the SOA"?  When you get query for an SOA record, you 
get an SOA record, not NS records.

> At least what I saw was our name server doing A lookups on hosts like
> ns.cox.net, which certainly does look like a nameserver, and is in fact in
> the cox.net NS records list.
> 
> The A lookup to ns.cox.net would timeout, and then the name server's
> resolver would do an A lookup on the next NS record, timeout, then the next
> one, timeout, and after that it reports permanent failure to the DNS client
> (nslookup).

I'm a little unclear on what you say is timing out -- is it trying to 
resolve the name ns.cox.net, or is it trying to resolve something else 
by sending TO ns.cox.net?

> 
> Should I just post the output of dig +trace?   I'm probably mangling some
> important detail(s) here.

Yes, that would be helpful, I don't think you're describing things 
properly.

> > > What are some possible causes for this?    Could cox.net be blacklisting
> > > many Internet hosts on their nameservers?
> >
> > That's a definite possibility.  Perhaps at one point some problem caused
> > your server to bombard them with DNS queries, so they set up a filter to
> > block it.
> >
> > I suggest you contact them and ask if they're blocking DNS from your
> > server's IP.
> 
> My general experience with large ISPs has been that they make it their full
> time job to not talk to anyone, including customers :)     At least the few
> times I have had security problems with customers on any large ISP, they
> have ignored all inquiries for weeks, then they try to pass off some absurd
> irrevelant form letter as an answer.   So with all respect, talking to large
> ISPs about why they do anything feels like a losing strategy.

Well, if they are blocking you, there's no way you're going to get them 
to unblock without talking to them.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list