DNS problems / unable to reach authoritative server?
Brenckle, Nicholas
NBrenckle at dsl.net
Wed Sep 13 20:59:02 UTC 2006
Oddly, what worked for me was to add the line
query-source address * port 53;
which by default was commented out in my package (bind 9.2.4, or
bind-9.2.4-16-EL4 since it's a RHEL box).
This should have no long term effect on anything else, should it?
Thanks for the help.
-Nick
-----Original Message-----
From: Greg Chavez [mailto:greg.chavez at gmail.com]
Sent: Wednesday, September 13, 2006 11:19 AM
To: Brenckle, Nicholas
Cc: bind-users at isc.org
Subject: Re: DNS problems / unable to reach authoritative server?
Yikes. I gave out bad named.conf syntax. See my corrections.
On 9/13/06, Greg Chavez <greg.chavez at gmail.com> wrote:
> On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
> >
> > I have a weird DNS problem where some of my DNS servers (customer
> > resolvers) can see a domain, and some can't. From the ones that can,
> > everything works fine. From the ones that don't, I get timeouts when
> > doing a host or a dig, but I can request information from the auth DNS
> > server for that domain without a problem. The question is, where in the
> > chain is it failing to tell the server that doesn't work, where to get
> > the information?
>
> phila.gov runs *crazy* old BIND. I mean version 4 somewhere. My
> government outfit had a big problem with it a few months back:
>
>
> http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85
>
> I was remiss and never posted the solution. But I will do that now.
>
> At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
> haven't already!). Mail to phila.gov was queuing up on our mail
> relays because queries to that domain by our DNS forwarders were
> timing out. Queries were sent with a source port that, while
> configured as random, was being deterministically set to 32768
> (2^15... the max value of a 16-bit number):
>
> query-source address * port 53;
Correction:
query-source address * port *;
> This by itself is not a problem and in fact is expected, documented
> BIND behavior; to wit, we had no trouble sending and receiving
> responses to DNS queries from virtually all other Internet domains our
> users were hitting. With little else left in our toolbox, however,
> we changed this to use a static, unprivileged port. After that,
> phila.gov queries started resolving and our queues spilled forth.
>
> query-source address 8765 port 53;
Correction:
query-source address * port 8765;
> Don't know whyfore this worked, but it did. The true solution of
> course, would be for phila.gov to enter the 21st century. Oh well.
> Hope this helps you.
>
> > ---- working one
> > [nbrenckle at ns1 ~]$ host www.phila.gov
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at ns1 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;phila.gov. IN A
> >
> > ;; ANSWER SECTION:
> > phila.gov. 18536 IN A 170.115.249.40
> >
> > ;; AUTHORITY SECTION:
> > phila.gov. 18536 IN NS dns2.phila.gov.
> > phila.gov. 18536 IN NS dns.phila.gov.
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 209.87.64.70#53(209.87.64.70)
> > ;; WHEN: Tue Sep 12 09:47:58 2006
> > ;; MSG SIZE rcvd: 80
> >
> > [nbrenckle at ns1 ~]$
> >
> > ---- not working one (but see last info - 170.115.249.10 is the IP of
> > dns2.phila.gov from the above dig)
> >
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options: printcmd
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> > Using domain server:
> > Name: 170.115.249.10
> > Address: 170.115.249.10#53
> > Aliases:
> >
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at dnsr01 ~]$
--
--Greg Chavez
--
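The question the thread never settles is whether phila.gov's old authoritative servers answer queries sent from a high source port at all, or only from port 53 or some other fixed port. The script below is an added example for this page, not code from the thread or from ISC BIND: it sends one minimal A query (RFC 1035 wire format, built by hand with the standard library) straight to an authoritative server from a source port you choose, so the same host can compare, say, port 53, port 8765 and a kernel-chosen ephemeral port and see which ones time out. The server address, query name and port numbers are assumptions passed on the command line; the response bytes used to exercise the parser are constructed, not captured. One caveat a practitioner should keep in mind: `query-source address * port 53;` (or any fixed port) pins every outgoing query to one source port and so removes source-port randomization, which BIND later relied on to resist forged-answer cache poisoning (CVE-2008-1447); treat a fixed port as a workaround for one broken remote, not a permanent resolver setting.

```python
"""Probe whether an authoritative DNS server answers a query sent from a
chosen UDP source port.

Added example for this thread, not code from the original posts or from
ISC BIND.  Assumptions: the server address, query name and source ports
are whatever is passed on the command line; wire format per RFC 1035.
"""
import random
import socket
import struct
import sys


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """Build a minimal DNS A/IN query for `name` with transaction id `txid`."""
    flags = 0x0100 if rd else 0x0000          # RD bit set, like a stub resolver
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # compression pointer is 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return rcode, AA flag and the A-record addresses from a response.

    Raises ValueError when the transaction id does not match the query,
    the minimum check a client must make before trusting a reply.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: %04x != %04x" % (rid, txid))
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": addrs}


def probe(server: str, name: str, source_port: int, timeout: float = 3.0):
    """Send one query from `source_port` (0 = kernel-chosen ephemeral port).

    Returns the parsed response, or None when nothing came back in time,
    which is exactly the symptom the thread reports.  Binding to port 53
    needs root.
    """
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", source_port))
        sock.sendto(build_query(name, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data, txid)


if __name__ == "__main__":
    # Usage: probe_port.py <auth-server-ip> <name> [<source-port> ...]
    # e.g.   sudo python3 probe_port.py 170.115.249.10 www.phila.gov 0 53 8765
    srv, qname = sys.argv[1], sys.argv[2]
    for port in map(int, sys.argv[3:] or ["0", "53"]):
        print("source port %5d -> %s" % (port, probe(srv, qname, port)))
```

Run it from the resolver that fails (dnsr01 in the thread) and from one that works; if the ephemeral-port probe returns None while the port 53 probe returns the A record, the remote side (or a firewall in front of it) is dropping queries from high ports and the `query-source` change is a workaround for that, not for anything on your own box. The transaction-id check in `parse_response` is deliberately the only validation done, to make the point that with a fixed source port the 16-bit id is all that stands between you and a forged answer.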