named slow resolving to internet

Kevin Darcy kcd at chrysler.com
Wed Oct 31 23:57:52 UTC 2007


Yes, but you'll notice that the +dnssec query advertised a larger buffer size ("EDNS: version: 0, flags: do; udp: 4096"). The fact that both queries returned successfully and quickly implies that you don't have any EDNS-challenged devices in the path between your box and a.root-servers.net.

This is what diagnosis is all about: eliminating possible causes.

						- Kevin


Binmakhashen, Latif wrote:
> The answer is 0?
>
> I compiled bind without the OpenSSL library so no security features are
> enabled.
>
>
> HPADM2/home/rootlbm > dig www.ducks.com @a.root-servers.net
>
> ; <<>> DiG 9.3.2 <<>> www.ducks.com @a.root-servers.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1585
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
>
> ;; QUESTION SECTION:
> ;www.ducks.com.                 IN      A
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
> A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
> B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
> B.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:231d::2:30
> C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
> D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
> E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30
> F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
> G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
> H.GTLD-SERVERS.NET.     172800  IN      A       192.54.112.30
> I.GTLD-SERVERS.NET.     172800  IN      A       192.43.172.30
> J.GTLD-SERVERS.NET.     172800  IN      A       192.48.79.30
> K.GTLD-SERVERS.NET.     172800  IN      A       192.52.178.30
> L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30
>
> ;; Query time: 28 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Wed Oct 31 19:44:10 2007
> ;; MSG SIZE  rcvd: 503
>
> HPADM2/home/rootlbm > dig +dnssec www.ducks.com @a.root-servers.net
>
> ; <<>> DiG 9.3.2 <<>> +dnssec www.ducks.com @a.root-servers.net
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1522
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.ducks.com.                 IN      A
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
> com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
>
> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
> A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
> B.GTLD-SERVERS.NET.     172800  IN      A       192.33.14.30
> B.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:231d::2:30
> C.GTLD-SERVERS.NET.     172800  IN      A       192.26.92.30
> D.GTLD-SERVERS.NET.     172800  IN      A       192.31.80.30
> E.GTLD-SERVERS.NET.     172800  IN      A       192.12.94.30
> F.GTLD-SERVERS.NET.     172800  IN      A       192.35.51.30
> G.GTLD-SERVERS.NET.     172800  IN      A       192.42.93.30
> H.GTLD-SERVERS.NET.     172800  IN      A       192.54.112.30
> I.GTLD-SERVERS.NET.     172800  IN      A       192.43.172.30
> J.GTLD-SERVERS.NET.     172800  IN      A       192.48.79.30
> K.GTLD-SERVERS.NET.     172800  IN      A       192.52.178.30
> L.GTLD-SERVERS.NET.     172800  IN      A       192.41.162.30
> M.GTLD-SERVERS.NET.     172800  IN      A       192.55.83.30
>
> ;; Query time: 23 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Wed Oct 31 19:44:23 2007
> ;; MSG SIZE  rcvd: 530
>
> HPADM2/home/rootlbm >
>
>
> Kind regards,
>  
> Latif Binmakhashen
> Senior Unix  Admin.
> Omnicare Inc.
> Direct Line: (614) 652-3217
> latif.binmakhashen at omnicare.com
>  
>  
> -- NOTICE --
> This e-mail message is confidential, intended only for the named
> recipient(s) above and may contain information that is privileged or
> exempt from disclosure under applicable law. If you have received this
> message in error, or are not the named recipient(s), please immediately
> notify the sender and delete this e-mail message from your computer.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Mark Andrews
> Sent: Wednesday, October 31, 2007 7:25 PM
> To: Kevin Darcy
> Cc: comp-protocols-dns-bind at isc.org
> Subject: Re: named slow resolving to internet 
>
>
> 	Long lookup times can be the result of firewalls that are
> 	blocking EDNS responses.  Named will retry using plain DNS
> 	but it has to timeout first.
>
> 	Do you get responses to both of these queries?
>
> 		dig www.ducks.com @a.root-servers.net
>
> 		dig +dnssec www.ducks.com @a.root-servers.net
> 	
> 	If not you need to look at your firewall settings.
>   
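The plain-versus-EDNS comparison discussed in this thread, as an added example (not code from the original posts or from BIND): it builds the two queries in wire format, showing what `+dnssec` adds to the packet, and classifies the path from the two reply sizes. The function names and the 512-byte threshold (the classic pre-EDNS UDP limit) are assumptions of this example.

```python
import socket
import struct

def build_query(name, qid, edns_bufsize=None, do_bit=False):
    """Build an A/IN query; with edns_bufsize, append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns_bufsize:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP size,
        # TTL=ext-rcode/version/flags (DO is 0x8000), RDLENGTH=0.
        ttl = 0x8000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, ttl, 0)
    return msg

def probe(server, query, timeout=3.0):
    """Send one UDP query; return the reply size in bytes, or None if none arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:  # includes socket.timeout
            return None
    return len(data) if data[:2] == query[:2] else None  # reply ID must match

def diagnose(plain_size, edns_size):
    """Classify the path from the two reply sizes (None means no reply)."""
    if plain_size is None:
        return "unreachable"    # plain DNS fails too, so not an EDNS-specific problem
    if edns_size is None:
        return "edns-blocked"   # the case where named waits out a timeout, then retries
    if edns_size <= 512:
        return "inconclusive"   # EDNS passed, but no reply over 512 bytes was tested
    return "edns-ok"

if __name__ == "__main__":
    server = "198.41.0.4"  # a.root-servers.net, as shown in the dig output above
    plain = probe(server, build_query("www.ducks.com", 1))
    edns = probe(server, build_query("www.ducks.com", 2, 4096, do_bit=True))
    print(plain, edns, diagnose(plain, edns))
```

With the sizes reported in the thread (503 bytes plain, 530 bytes with EDNS), `diagnose` returns `"edns-ok"`: the EDNS reply was larger than 512 bytes and still arrived.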


