Recursive queries fail if query source port is not fixed

Andrey G. Sergeev (AKA Andris) andris at aernet.ru
Thu Aug 14 12:47:50 UTC 2008


Hello Hans,


Thu, 14 Aug 2008 14:05:21 +0200 Hans F. Nordhaug wrote:

>> Assuming that your name servers aren't authoritative for the, say, 
>> yandex.ru, ku.dk and asahi.co.jp zones, please post here the
>> results of doing at least one command suggested below without the
>> query-source directive specified in your named.conf.
>>
>> dig images.yandex.ru. a +tra
> [cut]
> 
> Thx for replying. I did a query for the a record of images.yandex.ru 
> with and without the trace. With trace, I get a reply - without
> trace, I don't (see below). (Well, I do - but after 3-4 repeated
> queries.) I really don't get it.

How many queries have you done with trace enabled?

> If I should guess, it must be dig sending the queries differently
> when tracing.

Yes. I suggest you obtain a traffic dump between the g4.tibe.no and 
the outside world while doing the queries without trace enabled.

> If it is the firewall (Cisco ASA 5510) being overwhelmed, I don't
> know where to look - I have tried...

> ; <<>> DiG 9.3.4-P1 <<>> @g4.tibe.no images.yandex.ru. a
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42214
^                                ^^^^^^^^^^^^^^^^
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;images.yandex.ru.              IN      A
> 
> ;; Query time: 1 msec
^^^^^^^^^^^^^^^^^^^^^^^
An interesting fact. It looks much like your query has been aborted, and
now you should try to understand at which phase.

> ;; SERVER: 213.161.248.67#53(213.161.248.67)
> ;; WHEN: Thu Aug 14 13:57:13 2008
> ;; MSG SIZE  rcvd: 34


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris)     http://www.andris.name/

