DNS problems / unable to reach authoritative server?

Brenckle, Nicholas NBrenckle at dsl.net
Wed Sep 13 20:59:02 UTC 2006


Oddly, what worked for me was to add the line

query-source address * port 53;

which by default was commented out in my package (bind 9.2.4, or
bind-9.2.4-16-EL4 since it's a RHEL box).

This should have no long-term effect on anything else, should it?

Thanks for the help.

-Nick

-----Original Message-----
From: Greg Chavez [mailto:greg.chavez at gmail.com] 
Sent: Wednesday, September 13, 2006 11:19 AM
To: Brenckle, Nicholas
Cc: bind-users at isc.org
Subject: Re: DNS problems / unable to reach authoritative server?

Yikes.  I gave out bad named.conf syntax.  See my corrections.

On 9/13/06, Greg Chavez <greg.chavez at gmail.com> wrote:
> On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
> >
> > I have a weird DNS problem where some of my DNS servers (customer
> > resolvers) can see a domain, and some can't. From the ones that can,
> > everything works fine. From the ones that don't, I get timeouts when
> > doing a host or a dig, but I can request information from the auth DNS
> > server for that domain without a problem. The question is, where in the
> > chain is it failing to tell the server that doesn't work where to get
> > the information?
>
> phila.gov runs *crazy* old BIND.  I mean version 4 somewhere.  My
> government outfit had a big problem with it a few months back:
>
>
> http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85
>
> I was remiss and never posted the solution.  But I will do that now.
>
> At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
> haven't already!).  Mail to phila.gov was queuing up on our mail
> relays because queries to that domain by our DNS forwarders were
> timing out.  Queries were sent with a source port that, while
> configured as random, was being deterministically set to 32768
> (2^15... the max value of a 16-bit number):
>
>   query-source address * port 53;

Correction:

  query-source address * port *;

> This by itself is not a problem and in fact is expected, documented
> BIND behavior; to wit, we had no trouble sending and receiving
> responses to DNS queries from virtually all other Internet domains our
> users were hitting.  With little else left in our toolbox, however,
> we changed this to use a static, unprivileged port.  After that,
> phila.gov queries started resolving and our queues spilled forth.
>
>   query-source address 8765 port 53;

Correction:

query-source address * port 8765;


> Don't know whyfore this worked, but it did.  The true solution of
> course, would be for phila.gov to enter the 21st century.  Oh well.
> Hope this helps you.
>
> > ---- working one
> > [nbrenckle at ns1 ~]$ host www.phila.gov
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at ns1 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;phila.gov.                     IN      A
> >
> > ;; ANSWER SECTION:
> > phila.gov.              18536   IN      A       170.115.249.40
> >
> > ;; AUTHORITY SECTION:
> > phila.gov.              18536   IN      NS      dns2.phila.gov.
> > phila.gov.              18536   IN      NS      dns.phila.gov.
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 209.87.64.70#53(209.87.64.70)
> > ;; WHEN: Tue Sep 12 09:47:58 2006
> > ;; MSG SIZE  rcvd: 80
> >
> > [nbrenckle at ns1 ~]$
> >
> > ---- not working one (but see last info - 170.115.249.10 is the ip of
> > dns2.phila.gov from the above dig)
> >
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options:  printcmd
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> > Using domain server:
> > Name: 170.115.249.10
> > Address: 170.115.249.10#53
> > Aliases:
> >
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at dnsr01 ~]$
> >
> >
> >
> >
>


-- 
--Greg Chavez
--
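Added example, not part of the thread above: a small Python lint for the query-source setting that both replies were adjusting. It strips named.conf comments, finds the active query-source / query-source-v6 directives in an options block, and reports whether outbound queries leave from a random port or a pinned one. The sample configs inside it are constructed to mirror the thread (the packaged RHEL default with the directive commented out, the "port 53" line Nick uncommented, and Greg's corrected "port *"); the regexes, the verdict labels and the v6 sample line are this example's own assumptions, not BIND's. The point it is meant to make, relevant to the "no long-term effect?" question: "query-source address * port 53" pins every outbound query to UDP source port 53, so any stateful firewall in the path must let replies back to port 53, and an off-path attacker trying to spoof a reply no longer has to guess the source port, only the 16-bit query ID. Note also that on the BIND 9.2/9.3 releases discussed here "port *" meant one port chosen at startup and kept for the life of the process, which is consistent with Greg seeing 32768 (the bottom of Linux's default ephemeral range, 32768-61000) every time; per-query source-port randomization only arrived in the BIND 9 patch releases of July 2008. The thread itself does not establish why pinning the port made phila.gov resolvable, so the lint only reports the setting, it does not explain the outage.

```python
"""Lint BIND named.conf for a fixed outbound query source port.

Added example for the bind-users thread above; not BIND's own code.
Assumes the BIND 9 directive syntax:
    query-source    [ address ( ipv4 | * ) ] [ port ( number | * ) ];
    query-source-v6 [ address ( ipv6 | * ) ] [ port ( number | * ) ];
The regexes and the verdict labels below are this example's own choices.
"""
import re

# named.conf accepts C-style, C++-style and shell-style comments; strip all
# three so a commented-out directive (like the packaged RHEL default) is ignored.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# One query-source / query-source-v6 directive; both clauses are optional.
_QS_RE = re.compile(
    r"\b(query-source(?:-v6)?)\s+"
    r"(?:address\s+(\S+?)\s*)?"
    r"(?:port\s+(\S+?)\s*)?;"
)

# Constructed samples mirroring the thread: the packaged default (directive
# commented out, so BIND's built-in "address * port *" applies), the line
# Nick uncommented, and Greg's corrected line plus a constructed v6 variant.
CONF_DEFAULT = """
options {
    directory "/var/named";
    // query-source address * port 53;
};
"""
CONF_PORT53 = """
options {
    directory "/var/named";
    query-source address * port 53;
};
"""
CONF_RANDOM = """
options {
    query-source address * port *;      /* Greg's corrected line */
    query-source-v6 address ::1 port *; # constructed: v6 variant
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    return _COMMENT_RE.sub("", conf)


def parse_query_source(conf):
    """Return {directive: (address, port)} for the active directives only.

    A missing clause means BIND's default for it, written here as "*".
    """
    found = {}
    for m in _QS_RE.finditer(strip_comments(conf)):
        name, addr, port = m.group(1), m.group(2) or "*", m.group(3) or "*"
        found[name] = (addr, port)
    return found


def assess(conf):
    """Classify the outbound source port for v4 and v6 queries.

    verdicts: "random"   - port * (or directive absent): no pinned port
              "fixed-53" - pinned to 53: replies to port 53 must also be
                           allowed back through any stateful firewall
              "fixed"    - pinned to some other port
    Either "fixed" verdict leaves only the 16-bit query ID for an off-path
    spoofer to guess.
    """
    active = parse_query_source(conf)
    report = {}
    for name in ("query-source", "query-source-v6"):
        addr, port = active.get(name, ("*", "*"))
        if port == "*":
            verdict = "random"
        elif port == "53":
            verdict = "fixed-53"
        else:
            verdict = "fixed"
        report[name] = {"address": addr, "port": port, "verdict": verdict}
    return report


if __name__ == "__main__":
    for label, conf in (("default", CONF_DEFAULT), ("port 53", CONF_PORT53),
                        ("port *", CONF_RANDOM)):
        for directive, r in assess(conf).items():
            print(f"{label:8} {directive:16} address={r['address']:6} "
                  f"port={r['port']:5} -> {r['verdict']}")
```

Run it as-is to see the three sample configs classified; point parse_query_source() at the text of a real named.conf to check a resolver you operate. It deliberately treats an absent directive as BIND's default (address *, port *) rather than as an error, since that is what Nick's unmodified package shipped with.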


