how to log all recursive query responses?
David Sparks
dave at ca.sophos.com
Fri Aug 8 19:24:33 UTC 2008
> logging {
>     category lame-servers { null; };
>     channel default_syslog {
>         syslog local2;
>         severity info;
>         print-category yes;
>         print-severity yes;
>     };
>     category queries { default_syslog; };
> };
Does the above log the responses or just the queries?
I'm trying to debug why two 1000qps BIND servers side by side are giving out
different (cached?) results (one SERVFAIL, one correct answer) from a close
(one Internet hop but in the same data centre) rbldnsd server. The SERVFAIL
is incorrect and I can't figure out how named got things wrong in the first place.
The incorrect SERVFAIL also seems to be cached but I can't see anything about
the query from rndc dumpdb output.
rndc dumpdb -cache shows that the server with the correct answer has cached
values. What I don't understand is why the named that doesn't have a cached
answer doesn't resolve the query but instead returns SERVFAIL immediately.
This only happens after named has been running hard for several days. I've
pasted an example below, ns1 gets SERVFAIL and ns2 gets the proper answer.
daves at sentinel ~ $ host -v -t a X.X.X.213.fur.ca1.sophosxl.com. ns1
Trying "X.X.X.213.fur.ca1.sophosxl.com"
Received 49 bytes from 10.99.159.11#53 in 89 ms
Trying "X.X.X.213.fur.ca1.sophosxl.com"
Using domain server:
Name: ns1
Address: 10.99.159.11#53
Aliases:
Host X.X.X.213.fur.ca1.sophosxl.com not found: 2(SERVFAIL)
Received 49 bytes from 10.99.159.11#53 in 88 ms
daves at sentinel ~ $ host -v -t a X.X.X.213.fur.ca1.sophosxl.com. ns2
Trying "X.X.X.213.fur.ca1.sophosxl.com"
Using domain server:
Name: ns2
Address: 10.99.159.12#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36177
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;X.X.X.213.fur.ca1.sophosxl.com. IN A
;; ANSWER SECTION:
X.X.X.213.fur.ca1.sophosxl.com. 2100 IN A 127.0.4.2
;; AUTHORITY SECTION:
fur.ca1.sophosxl.com. 352 IN NS ca1.sophosxl.com.
;; ADDITIONAL SECTION:
ca1.sophosxl.com. 569 IN A 209.17.179.166
Received 95 bytes from 10.99.159.12#53 in 26 ms
> If you want to capture the contents of the actual *packets* that named
> is generating, I'd recommend a packet capture utility such as "tcpdump".
> It's not too hard to restrict the captures to responses only, where the
> RD flag in the header is set to 1 (indicating that the original query
> was recursive). For the PC platform, there's also WireShark, but to be
> honest, I haven't played much with its filtering capabilities.
I'm not sure how to filter on the RD flag. Will this filter be sufficient, or
do I also need the query packet to figure out what happened?
tcpdump -s 1024 src port 53 and not src host ns1
Thanks for any help!
ds
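The RD-flag test from the quoted reply, worked through as an added example (it is not code from this thread, from ISC or from Sophos). The DNS flags word is the third and fourth byte of the message, so with an 8-byte UDP header it is `udp[10]` and `udp[11]` in tcpdump's BPF syntax; a response to a recursive query has QR (0x80) and RD (0x01) both set in `udp[10]`, and SERVFAIL is RCODE 2 in the low nibble of `udp[11]`. The block below states those tcpdump expressions, then applies the same bit tests in Python to constructed sample packets (the query name and the response id 36177 are taken from the `host` output above; the packets themselves are built here, not captured). The upstream rbldnsd exchange is included because named sends its own queries with RD clear, which is why the RD filter keeps only what named answered to clients and drops what it received from rbldnsd.

```python
"""Added example: classify DNS messages by header flags the way a tcpdump
filter on the RD bit would.  Offsets and flag values follow RFC 1035 4.1.1."""
import struct

# Flag bits.  The 16-bit flags word is bytes 2-3 of the DNS message, which is
# udp[10] and udp[11] in BPF because the UDP header occupies udp[0..7].
QR = 0x80          # high byte: 1 = response, 0 = query
RD = 0x01          # high byte: recursion desired (echoed from query into response)
RA = 0x80          # low byte:  recursion available
RCODE_MASK = 0x0F  # low byte:  response code
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# tcpdump expressions doing the same tests as the functions below (UDP only;
# DNS over TCP and fragmented UDP need a different approach).
TCPDUMP_RD_RESPONSES = "udp src port 53 and (udp[10] & 0x81) = 0x81"
TCPDUMP_SERVFAIL = TCPDUMP_RD_RESPONSES + " and (udp[11] & 0x0f) = 2"


def encode_qname(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(ident: int, qr: bool, rd: bool, ra: bool, rcode: int, qname: str) -> bytes:
    """Header plus one A/IN question.  Answer/authority/additional sections are
    omitted because the filter only looks at the header (QDCOUNT=1, others 0)."""
    hi = (QR if qr else 0) | (RD if rd else 0)
    lo = (RA if ra else 0) | (rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", ident, (hi << 8) | lo, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the filters look at."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags = struct.unpack("!HH", msg[:4])
    hi, lo = flags >> 8, flags & 0xFF
    rcode = lo & RCODE_MASK
    return {"id": ident, "qr": bool(hi & QR), "rd": bool(hi & RD),
            "ra": bool(lo & RA), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}")}


def matches_rd_response_filter(msg: bytes) -> bool:
    """Exactly the udp[10] test of TCPDUMP_RD_RESPONSES (port test left out)."""
    return (msg[2] & 0x81) == 0x81


def classify(packets: list) -> list:
    """Return (label, kept_by_RD_filter, rcode_name) for each packet."""
    return [(label, matches_rd_response_filter(m), parse_header(m)["rcode_name"])
            for label, m in packets]


# Constructed sample traffic (built here, not captured from ns1/ns2).
QNAME = "x.x.x.213.fur.ca1.sophosxl.com"
SAMPLE_PACKETS = [
    # stub resolver -> ns1: recursive query, RD=1
    ("stub->ns1 query", build_message(0x1234, qr=False, rd=True, ra=False, rcode=0, qname=QNAME)),
    # ns1 -> stub: the bad SERVFAIL; RD echoed from the query, RA set
    ("ns1->stub SERVFAIL", build_message(0x1234, qr=True, rd=True, ra=True, rcode=2, qname=QNAME)),
    # named -> rbldnsd: iterative upstream query, RD=0
    ("named->rbldnsd query", build_message(0x5678, qr=False, rd=False, ra=False, rcode=0, qname=QNAME)),
    # rbldnsd -> named: authoritative answer, RD=0, so the RD filter drops it
    ("rbldnsd->named answer", build_message(0x5678, qr=True, rd=False, ra=False, rcode=0, qname=QNAME)),
    # ns2 -> stub: the good answer (id 36177 as in the host output)
    ("ns2->stub NOERROR", build_message(36177, qr=True, rd=True, ra=True, rcode=0, qname=QNAME)),
]

if __name__ == "__main__":
    print("tcpdump filter:", TCPDUMP_RD_RESPONSES)
    for label, kept, rcode in classify(SAMPLE_PACKETS):
        print(f"{label:24s} kept={kept!s:5s} rcode={rcode}")
```

Running the block prints which of the five constructed packets the RD filter would keep: only the two responses named sent to the stub, with the SERVFAIL one identifiable by its RCODE. For the question of how the SERVFAIL arose, the rbldnsd exchange (RD=0) is the part that filter discards, so capturing with the broader `src port 53` expression and separating the two kinds of response by the RD bit afterwards keeps both.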