DNS problems / unable to reach authoritative server?

Brenckle, Nicholas NBrenckle at dsl.net
Wed Sep 13 21:08:38 UTC 2006


Wait, I take that back. It worked for ONE server, which now seems to
just magically have started working. Even after putting the system back
to the default mode. The others still cannot resolve phila.gov. And your
line suggested below

query-source address * port 8765;

just makes my named unhappy and it won't start.  I tried calling a few people
in the City of Philly, but got nowhere.

Nick

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Brenckle, Nicholas
Sent: Wednesday, September 13, 2006 4:59 PM
To: Greg Chavez
Cc: bind-users at isc.org
Subject: RE: DNS problems / unable to reach authoritative server?

Oddly, what worked for me was to add the line

query-source address * port 53;

which by default was commented out in my package (bind 9.2.4, or
bind-9.2.4-16-EL4 since it's a RHEL box).

This should have no long-term effect on anything else, should it?

Thanks for the help.

-Nick
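
Nick's question about side effects deserves a check from the defender's side: pinning the source port, as the workaround does, removes one of the two values (source port and 16-bit query ID) a resolver uses to match answers to outstanding queries, which is why source port randomization matters for cache-poisoning resistance. The Python below is an added example, not from the thread; it parses constructed tcpdump-style lines (the line format, the 192.0.2.x resolver addresses and the `min_distinct` threshold are assumptions) and flags resolvers whose outbound queries all leave from a single port.

```python
import re
from collections import defaultdict

# tcpdump -n 'udp and dst port 53' prints lines of this shape (assumed format,
# constructed here; not output from the thread):
# 21:08:38.000000 IP 192.0.2.10.8765 > 170.115.249.10.53: 1000+ A? phila.gov. (27)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
)


def source_ports_by_resolver(lines):
    """Map each querying resolver IP to the set of UDP source ports it used."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ports[m.group("src")].add(int(m.group("sport")))
    return dict(ports)


def classify(ports, min_distinct=8):
    """Label a resolver 'fixed' if every query left from one port (the effect
    of `query-source address * port N;`), 'low-entropy' below min_distinct
    distinct ports, otherwise 'randomized'. The threshold is illustrative;
    a real audit would look at far more queries than this sample."""
    labels = {}
    for ip, seen in ports.items():
        if len(seen) == 1:
            labels[ip] = "fixed"
        elif len(seen) < min_distinct:
            labels[ip] = "low-entropy"
        else:
            labels[ip] = "randomized"
    return labels


# Constructed sample capture: 192.0.2.10 is pinned to 8765 as in the workaround
# above; 192.0.2.20 picks a fresh port for every query.
SAMPLE = [
    f"21:08:{i:02d}.000000 IP 192.0.2.10.8765 > 170.115.249.10.53: {1000 + i}+ A? phila.gov. (27)"
    for i in range(5)
] + [
    f"21:09:{i:02d}.000000 IP 192.0.2.20.{p} > 170.115.249.10.53: {2000 + i}+ A? phila.gov. (27)"
    for i, p in enumerate([33421, 51092, 60012, 40577, 38891, 55720, 49204, 61333])
]

if __name__ == "__main__":
    for ip, label in sorted(classify(source_ports_by_resolver(SAMPLE)).items()):
        print(f"{ip}: {label}")
```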

-----Original Message-----
From: Greg Chavez [mailto:greg.chavez at gmail.com] 
Sent: Wednesday, September 13, 2006 11:19 AM
To: Brenckle, Nicholas
Cc: bind-users at isc.org
Subject: Re: DNS problems / unable to reach authoritative server?

Yikes.  I gave out bad named.conf syntax.  See my corrections.

On 9/13/06, Greg Chavez <greg.chavez at gmail.com> wrote:
> On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
> >
> > I have a weird DNS problem where some of my DNS servers (customer
> > resolvers) can see a domain, and some can't. From the ones that can,
> > everything works fine. From the ones that don't, I get timeouts when
> > doing a host or a dig, but I can request information from the auth DNS
> > server for that domain without a problem. The question is, where in the
> > chain is it failing to tell the server that doesn't work, where to get
> > the information?
>
> phila.gov runs *crazy* old BIND.  I mean version 4 somewhere.  My
> government outfit had a big problem with it a few months back:
>
> http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85
>
> I was remiss and never posted the solution.  But I will do that now.
>
> At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
> haven't already!).  Mail to phila.gov was queuing up on our mail
> relays because queries to that domain by our DNS forwarders were
> timing out.  Queries were sent with a source port that, while
> configured as random, was being deterministically set to 32768
> (2^15... the max value of a 16-bit number):
>
>   query-source address * port 53;

Correction:

  query-source address * port *;

> This by itself is not a problem and in fact is expected, documented
> BIND behavior; to wit, we had no trouble sending and receiving
> responses to DNS queries from virtually all other Internet domains our
> users were hitting.   With little else left in our toolbox, however,
> we changed this to use a static, unprivileged port.  After that,
> phila.gov queries started resolving and our queues spilled forth.
>
>   query-source address 8765 port 53;

Correction:

  query-source address * port 8765;

> Don't know whyfore this worked, but it did.  The true solution of
> course, would be for phila.gov to enter the 21st century.  Oh well.
> Hope this helps you.
>
> > ---- working one
> > [nbrenckle at ns1 ~]$ host www.phila.gov
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at ns1 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;phila.gov.                     IN      A
> >
> > ;; ANSWER SECTION:
> > phila.gov.              18536   IN      A       170.115.249.40
> >
> > ;; AUTHORITY SECTION:
> > phila.gov.              18536   IN      NS      dns2.phila.gov.
> > phila.gov.              18536   IN      NS      dns.phila.gov.
> >
> > ;; Query time: 6 msec
> > ;; SERVER: 209.87.64.70#53(209.87.64.70)
> > ;; WHEN: Tue Sep 12 09:47:58 2006
> > ;; MSG SIZE  rcvd: 80
> >
> > [nbrenckle at ns1 ~]$
> >
> > ---- not working one (but see last info - 170.115.249.10 is the ip of
> > dns2.phila.gov from the above dig)
> >
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ dig phila.gov
> >
> > ; <<>> DiG 9.2.4 <<>> phila.gov
> > ;; global options:  printcmd
> > ;; connection timed out; no servers could be reached
> > [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> > Using domain server:
> > Name: 170.115.249.10
> > Address: 170.115.249.10#53
> > Aliases:
> >
> > www.phila.gov has address 170.115.249.40
> > [nbrenckle at dnsr01 ~]$
> >


-- 
--Greg Chavez
--