Weird problem.

Ken Eddings eddingsk at apple.com
Tue Feb 13 01:10:33 UTC 2007


At 5:13 PM -0700 2/12/07, Stephen John Smoogen wrote:
>On 2/12/07, David Miller <millerdc at fusion.gat.com> wrote:
>>
>> On Feb 12, 2007, at 2:01 PM, Stephen John Smoogen wrote:
>>
>> > On 2/12/07, David Miller <millerdc at fusion.gat.com> wrote:
>> >> For some reason our servers (BIND 9.3.2) will not resolve one domain.
>> >> Well, it is the only one that has not worked. My users tell me it was
>> >> working last week. The domain is mcmaster.com. This is what I get
>> >> when I look up the domain using my master name server within my
>> >> network (recursion is turned off).
>> >>
>> >> nslookup mcmaster.com 192.5.166.12
>> >> ;; connection timed out; no servers could be reached
>> >>
>> >
>> > I am missing something if recursion is turned off.. how is it going to
>> > do the lookup? What does dig +trace say when it tries to look it up?
>> >
>> >> It takes a few seconds for it to give that response. Like it can't
>> >> even query the server with that string. However I have not had any
>> >> problems resolving any other domains. It doesn't even act like it
>> >> would with a domain that doesn't exist at all. It immediately
>> >> responds back with a "not found: 3(NXDOMAIN)"
>> >>
>> >> The only changes I have made since last week are to my zone files for
>> >> my local domain hostnames. I double check all entries I make using
>> >> forward and reverse lookups. BIND is not complaining about anything.
>> >> Anyone see this before?
>> >>
>> >> David.
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > Stephen J Smoogen. -- CSIRT/Linux System Administrator
>> > How far that little candle throws his beams! So shines a good deed
>> > in a naughty world. = Shakespeare. "The Merchant of Venice"
>>
>> By non recursive, it doesn't allow name resolution for domains
>> outside my defined network. I have an ACL in my named.conf that
>> allows recursive lookups for anything not in the gat.com domain.
>>
>> Here is what the dig command gives me for mcmaster.com.
>>
>> =========================================================================
>> emac-dmiller:~ millerdc$ dig @192.5.166.12 +trace mcmaster.com
>>
>> ; <<>> DiG 9.3.2 <<>> @192.5.166.12 +trace mcmaster.com
>> ; (1 server found)
>> ;; global options:  printcmd
>> .                       3600000 IN      NS      M.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      A.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      B.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      C.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      D.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      E.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      F.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      G.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      H.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      I.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      J.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      K.ROOT-SERVERS.NET.
>> .                       3600000 IN      NS      L.ROOT-SERVERS.NET.
>> ;; Received 228 bytes from 192.5.166.12#53(192.5.166.12) in 2 ms
>>
>> com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
>> com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
>> ;; Received 490 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 126 ms
>>
>> mcmaster.com.           172800  IN      NS      ns1.mcmaster.com.
>> mcmaster.com.           172800  IN      NS      ns2.mcmaster.com.
>> mcmaster.com.           172800  IN      NS      ns3.mcmaster.com.
>> ;; Received 132 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 100 ms
>>
>
>mcmaster.com.           172800  IN      NS      ns1.mcmaster.com.
>mcmaster.com.           172800  IN      NS      ns2.mcmaster.com.
>mcmaster.com.           172800  IN      NS      ns3.mcmaster.com.
>;; Received 132 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 73 ms
>
>mcmaster.com.           60      IN      A       209.64.25.230
>;; Received 46 bytes from 209.64.25.241#53(ns1.mcmaster.com) in 44 ms
>
>
>I would check for a firewall issue or a BOGUS issue that isn't allowing
>you to get the IP data for that last hop.

I'd suggest that a 60 second TTL on the nameserver NS and A records is not helping:

;; ANSWER SECTION:
mcmaster.com.           60      IN      NS      ns1.mcmaster.com.
mcmaster.com.           60      IN      NS      ns2.mcmaster.com.
mcmaster.com.           60      IN      NS      ns3.mcmaster.com.
mcmaster.com.           60      IN      NS      ns4.mcmaster.com.

;; ADDITIONAL SECTION:
ns1.mcmaster.com.       47574   IN      A       209.64.25.241
ns4.mcmaster.com.       60      IN      A       204.94.228.241

>--
>Stephen J Smoogen. -- CSIRT/Linux System Administrator
>How far that little candle throws his beams! So shines a good deed
>in a naughty world. = Shakespeare. "The Merchant of Venice"


-- 
Ken Eddings, Hostmaster, IS&T,   eddingsk at apple.com,   eddingsk at mac.com
   Work:+1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103
  Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014
The Prudent Mariner never relies solely on any single aid to navigation.
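
Added example, not part of the original message or of BIND: a small Python check that compares the parent-side delegation with the zone's own NS answer, using record lines copied from the dig output quoted in this thread as constructed sample input. The `audit` function name and the 3600-second `min_ttl` threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample input: record lines copied from the dig output in this thread.
PARENT = """\
mcmaster.com.           172800  IN      NS      ns1.mcmaster.com.
mcmaster.com.           172800  IN      NS      ns2.mcmaster.com.
mcmaster.com.           172800  IN      NS      ns3.mcmaster.com.
"""
CHILD = """\
;; ANSWER SECTION:
mcmaster.com.           60      IN      NS      ns1.mcmaster.com.
mcmaster.com.           60      IN      NS      ns2.mcmaster.com.
mcmaster.com.           60      IN      NS      ns3.mcmaster.com.
mcmaster.com.           60      IN      NS      ns4.mcmaster.com.

;; ADDITIONAL SECTION:
ns1.mcmaster.com.       47574   IN      A       209.64.25.241
ns4.mcmaster.com.       60      IN      A       204.94.228.241
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_rrs(text):
    """Return (owner, ttl, type, rdata) tuples; ';' comment lines do not match."""
    rrs = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            rrs.append((m[1].lower(), int(m[2]), m[3], m[4].lower()))
    return rrs

def audit(parent_text, child_text, min_ttl=3600):  # min_ttl is an assumed threshold
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    p_ns = {r[3] for r in parent if r[2] == "NS"}
    c_ns = {r[3] for r in child if r[2] == "NS"}
    addr_owners = {r[0] for r in child if r[2] in ("A", "AAAA")}
    return {
        # NS names the zone publishes that the parent delegation does not list
        "only_in_child": sorted(c_ns - p_ns),
        "only_in_parent": sorted(p_ns - c_ns),
        # (owner, type, ttl) for child-side records below the threshold
        "low_ttl": sorted({(r[0], r[2], r[1]) for r in child if r[1] < min_ttl}),
        # NS names for which this response carried no address record
        "ns_without_address": sorted(c_ns - addr_owners),
    }

if __name__ == "__main__":
    for key, value in audit(PARENT, CHILD).items():
        print(key, value)
```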


