Nslookup Times Out on A Lookup To Well-Known Hosts

Will westes-usc at noemail.nospam
Sat Sep 30 02:47:44 UTC 2006

To recap, our DNS server, which is set to do recursive lookups, fails to
resolve many popular Internet addresses.

"Barry Margolin" <barmar at alum.mit.edu> wrote in message
news:efkc0v$11ni$1 at sf1.isc.org...
> You said you asked it to look up MX records, so why is it now doing A
> record lookups?  Although I doubt that the record type actually matters.

I am certainly no DNS expert, but the sniffer trace I saw suggests that the
algorithm DNS resolver in BIND is using for an MX record lookup is the

1) Get the SOA record for the domain.
2) Do an A record lookup for the NS records in the SOA

At least what I saw was our name server doing A lookups on hosts like
ns.cox.net, which certainly does look like a nameserver, and is in fact in
the cox.net NS records list.

The A lookup to ns.cox.net would timeout, and then the name server's
resolver would do an A lookup on the next NS record, timeout, then the next
one, timeout, and after that it reports permanent failure to the DNS client

Should I just post the output of dig +trace?   I'm probably mangling some
important detail(s) here.

> > I confirm that result from the command line by simple nslookup to
> > (for example) and this does time out.
> Is there a reason why you're using nslookup rather than dig for your
> troubleshooting?  Not that it really matters in this case, but you
> should fix your bad habits, as there are many times when nslookup gives
> misleading results.

Critique understood and well taken.   I am still suffering a bad habit only
because nslookup is available everywhere, and dig is not without my making
some extra effort.

> > What are some possible causes for this?    Could cox.net be blacklisting
> > many Internet hosts on their nameservers?
> That's a definite possibility.  Perhaps at one point some problem caused
> your server to bombard them with DNS queries, so they set up a filter to
> block it.
> I suggest you contact them and ask if they're blocking DNS from your
> server's IP.

My general experience with large ISPs has been that they make it their full
time job to not talk to anyone, including customers :)     At least the few
times I have had security problems with customers on any large ISP, they
have ignored all inquiries for weeks, then they try to pass off some absurd
irrevelant form letter as an answer.   So with all respect, talking to large
ISPs about why they do anything feels like a losing strategy.


More information about the bind-users mailing list