BIND can't resolve with unreachable second NS

Bob Rahe bob at hobbes.dtcc.edu
Fri May 9 13:57:40 UTC 2008


+------ On May 9,  8:30, Mark Andrews wrote:
|>
|>	Idiot with firewall.

  Well, a bit of an obscure answer... 8-) But... gave me a clue...  Turns
out, a LONG time ago (2002) we had uncommented this line in named.conf:

   /*	query-source address * port 53;   */

  So your first example got me thinking about that port # and I remembered
that line...  commented it back up and VOILA!  It's working!

  Thanks,

Bob

|>
|>drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
|>
|>; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
|>; (1 server found)
|>;; global options:  printcmd
|>;; connection timed out; no servers could be reached
|>drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com
|>
|>; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com
|>; (1 server found)
|>;; global options:  printcmd
|>;; Got answer:
|>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30063
|>;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
|>
|>;; QUESTION SECTION:
|>;www.childcaremanager.com.      IN      A
|>
|>;; ANSWER SECTION:
|>www.childcaremanager.com. 0     IN      CNAME   childcaremanager.com.
|>childcaremanager.com.   3600    IN      A       69.9.147.35
|>
|>;; Query time: 213 msec
|>;; SERVER: 69.9.147.35#53(69.9.147.35)
|>;; WHEN: Fri May  9 08:29:57 2008
|>;; MSG SIZE  rcvd: 72
|>
|>drugs# 
|>
|>>   A puzzle...
|>> 
|>>   Solaris 10, BIND 9.4.2.
|>> 
|>>   We've been having a problem resolving a web site name.
|>> 
|>>   Trying to resolve www.childcaremanager.com.  Turns out that is a CNAME
|>> to childcaremanager.com.
|>> 
|>>   THAT domain claims to have 2 dns servers:
|>> 
|>>       ns1.ccmturbo.com   at 69.9.147.35
|>> and   ns2.ccmturbo.com   at 69.9.147.36
|>> 
|>>   But...  two interesting things.  From a different network I can find
|>> that childcaremanager.com actually is an A record to the 147.35
|>> address.  AND... the ns2 address does not respond.  In fact, if I try
|>> to ping it from both the other network and here I get:
|>> 
|>> hobbes% ping 69.9.147.36
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>>  for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
|>> 36)
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>>  for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
|>> 36)
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>>  for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
|>> 36)
|>> 
|>> (and doing a traceroute, I see there's some odd routing loop where it bangs
|>> around two different addresses near it until the TTL expires. Again, from
|>> both networks.)
|>> 
|>> But for ns1 I get:
|>> 
|>> Chobbes% ping 69.9.147.35
|>> 69.9.147.35 is alive
|>> 
|>>   And... the upshot is, any nslookups I try seem to blackhole.  For
|>> whatever reason all of our nameservers seem to get hung up if that
|>> second ns isn't working.  Cause if I do a lookup directly via ns1 I can
|>> get an answer:
|>> 
|>> ; <<>> DiG 9.2.8-P1 <<>> @ns1.ccmturbo.com. www.childcaremanager.com. any
|>> ; (1 server found)
|>> ;; global options:  printcmd
|>> ;; Got answer:
|>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
|>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|>> 
|>> ;; QUESTION SECTION:
|>> ;www.childcaremanager.com.	IN	ANY
|>> 
|>> ;; ANSWER SECTION:
|>> www.childcaremanager.com. 0	IN	CNAME	childcaremanager.com.
|>> 
|>> ;; ADDITIONAL SECTION:
|>> childcaremanager.com.	3600	IN	A	69.9.147.35
|>> 
|>> ;; Query time: 104 msec
|>> ;; SERVER: 69.9.147.35#53(69.9.147.35)
|>> ;; WHEN: Mon May  5 09:52:54 2008
|>> ;; MSG SIZE  rcvd: 72
|>> 
|>>   Ideas?  Why do nameservers on another network (also BIND of various
|>> semi-recent vintage) seem to be able to resolve this but mine seem to
|>> blackhole on it?  We're running BIND 9.4.2 and some 9.2.8-P1 on unix
|>> (solaris 10 and 9) here.  I've googled, searched Sun and sunmanagers and
|>> come up empty.
|>> 
|>>   I did find one reference from back when Solaris ran 4.x BIND about the
|>> resolver only looking at one NS it got back but that was claimed to be
|>> solved by using 'modern' sources.... Which one would think these are...
|>> 
|>> ???
|>> 
|>> Tnx,
|>> 
|>>   Bob
|>> 
|>> -- 
|>> ---------------------------------------------------------------------_------
|>> |Bob Rahe, MIEEE, bob at dtcc.edu (RWR50)   /    ASCII ribbon campaign ( )    |
|>> |Delaware Technical & Community College /      - against HTML email  X     |
|>> |Computer Center, Dover, Delaware      /                   & vCards / \    |
|>> ----------------------------------------------------------------------------
|>> 
|>-- 
|>Mark Andrews, ISC
|>1 Seymour St., Dundas Valley, NSW 2117, Australia
|>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
+------ End of excerpt from Mark Andrews


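Mark's test above (dig with `-b 0.0.0.0#53` timing out while the same query from a random source port is answered) shows that queries sourced from port 53 were being dropped on the way to ns1, and a pinned `query-source ... port 53` also throws away the source-port randomisation that makes cache poisoning harder. The following audit script is an added example, not part of the list post or of BIND; it reports active `query-source` / `query-source-v6` statements that pin a port, honouring named.conf's `/* */`, `//` and `#` comment syntax so a commented-out line (as in Bob's fix) is not flagged. The two configuration fragments are constructed for the example.

```python
import re

# Constructed named.conf fragments (not from the list post): the first pins the
# query source port to 53, the second has that statement commented out.
PINNED_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port *;   // random port: fine
};
"""
COMMENTED_CONF = """
options {
    directory "/var/named";
    /*  query-source address * port 53;   */
    # query-source address * port 53;
};
"""

def strip_comments(text: str) -> str:
    """Remove named.conf comments (/* */, // and #) while leaving quoted strings intact."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy quoted string verbatim
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):          # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            out.append(" ")
        elif text.startswith("//", i) or text[i] == "#":   # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

QS_RE = re.compile(r"\b(query-source(?:-v6)?)\s+([^;]*);")

def fixed_query_source_ports(conf: str) -> list:
    """Return (statement, port) for every active query-source statement that pins a port."""
    findings = []
    for m in QS_RE.finditer(strip_comments(conf)):
        stmt, args = m.group(1), m.group(2)
        pm = re.search(r"\bport\s+(\S+)", args)
        if pm and pm.group(1) != "*":           # 'port *' lets named randomise
            findings.append((stmt, pm.group(1)))
    return findings

if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("commented", COMMENTED_CONF)):
        print(name, fixed_query_source_ports(conf) or "no pinned query-source port")
```

Run it against a real `named.conf` by passing the file contents to `fixed_query_source_ports`; an empty list means named is free to pick a random source port per query.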

