Some domains don't resolve.

Ezequiel Aguerre ezeaguerrelistas at gmail.com
Sat May 31 05:26:30 UTC 2008


> NAT is already a big problem in itself.
Mmm... that's bad :(. However "dnsmasq" and the DNS server that comes
bundled with Windows 2003 work OK.

> Who is 10.0.0.254? The NAT router? Do you control it? Can you vouch
> for it? (Most CPE middleboxes are lousy.)

Yep, it's the NAT router. And yes, I'm in total control of it.

> I suggest to not use this sort of device as a forwarder.

Thanks for the advice, but no matter what forwarders I use, it's always
broken. I've tried with my ISP's forwarders, and other DNS servers (those
from OpenDNS, and others), with no luck at all :(

> dig is much better for debugging

OK, do you want me to use some special flags with dig?

$ dig www.google.com.ar @localhost

; <<>> DiG 9.4.2 <<>> www.google.com.ar @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4246
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.ar.             IN      A

;; Query time: 611 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:39 2008
;; MSG SIZE  rcvd: 35

$ dig www.google.com.ar ANY @localhost

; <<>> DiG 9.4.2 <<>> www.google.com.ar ANY @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.ar.             IN      ANY

;; ANSWER SECTION:
www.google.com.ar.      82508   IN      CNAME   www.google.com.

;; AUTHORITY SECTION:
google.com.ar.          323916  IN      NS      ns1.google.com.
google.com.ar.          323916  IN      NS      ns3.google.com.
google.com.ar.          323916  IN      NS      ns2.google.com.
google.com.ar.          323916  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         168902  IN      A       216.239.32.10
ns2.google.com.         168902  IN      A       216.239.34.10
ns3.google.com.         168902  IN      A       216.239.36.10
ns4.google.com.         168902  IN      A       216.239.38.10

;; Query time: 33 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:48 2008
;; MSG SIZE  rcvd: 199

$ dig www.google.com.ar @localhost

; <<>> DiG 9.4.2 <<>> www.google.com.ar @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5055
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com.ar.             IN      A

;; ANSWER SECTION:
www.google.com.ar.      82504   IN      CNAME   www.google.com.
www.google.com.         600904  IN      CNAME   www.l.google.com.
www.l.google.com.       251     IN      A       74.125.47.99
www.l.google.com.       251     IN      A       74.125.47.103
www.l.google.com.       251     IN      A       74.125.47.104
www.l.google.com.       251     IN      A       74.125.47.147

;; AUTHORITY SECTION:
l.google.com.           86093   IN      NS      c.l.google.com.
l.google.com.           86093   IN      NS      g.l.google.com.
l.google.com.           86093   IN      NS      b.l.google.com.
l.google.com.           86093   IN      NS      d.l.google.com.
l.google.com.           86093   IN      NS      a.l.google.com.
l.google.com.           86093   IN      NS      f.l.google.com.
l.google.com.           86093   IN      NS      e.l.google.com.

;; ADDITIONAL SECTION:
a.l.google.com.         86093   IN      A       209.85.139.9
b.l.google.com.         86093   IN      A       64.233.179.9
c.l.google.com.         86093   IN      A       64.233.161.9
d.l.google.com.         86093   IN      A       66.249.93.9
e.l.google.com.         86093   IN      A       209.85.137.9
f.l.google.com.         86093   IN      A       72.14.235.9
g.l.google.com.         86093   IN      A       64.233.167.9

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:52 2008
;; MSG SIZE  rcvd: 371

It does the same thing.

> Probably because the stupid and broken router/firewall had a problem
> with EDNS0 packets.

Interesting... I have just made a test bypassing the router, and I got the
same results...
This time I tried with BIND 9.5.0b2; after having no luck, I added the
following to the configuration file:

options {
    ...
    edns false;
    edns-udp-size 512;
    ...
};

server xxx.xxx.xxx.xxx {
    edns false;
    edns-udp-size 512;
};

And still no luck :( (The IP is that of my ISP.)
I commented out the "edns-udp-size" line, thinking it may be redundant and a
possible cause of error, but it still doesn't work.

> EDNS0
> BIND nevertheless checks them at startup (because hints files tend to be
> obsolete). This is called "priming".

Ok, thanks. I won't worry about this.

Anyway, I've bypassed the router and the problem persists. My ISP is using a
Mikrotik-based solution doing NAT... so... in normal operation there are at
least two routers doing NAT, one under my control and the other at the ISP.
However, as I said earlier, "dnsmasq" and the DNS server bundled with Windows
Server 2003 are working fine. Maybe it's a broken rule on the ISP firewall...
but disabling EDNS had no effect... I don't know what else could be
wrong... I'm gonna try my exact configuration on a different computer under
another ISP; if it works... then it's probably my ISP :(

Thanks!!!
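As an added example (not part of the original thread, and not BIND's or dig's own code), here is a small Python diagnostic for exactly the question the thread circles around: is the SERVFAIL caused by a middlebox mishandling EDNS0 packets, or does the forwarder fail regardless? It builds the same recursive A query dig sends, once without and once with an EDNS0 OPT record (RFC 6891), and classifies the pair of replies. To make it testable offline, it also rebuilds the 35-byte SERVFAIL reply printed above from the fields on its dig HEADER line. The resolver address 127.0.0.1, the `diagnose` labels and the constructed replies are assumptions of this example.

```python
"""Wire-level DNS probe for telling 'EDNS0 dropped on the path' apart
from 'the forwarder itself answers SERVFAIL'.

Added example, not from the original post. Assumes a resolver on
127.0.0.1:53 for the live probe; the sample replies below are constructed.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted name as DNS labels: 'www.ex' -> b'\\x03www\\x02ex\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234, edns_udp_size=None):
    """Build a recursive (RD) query; with edns_udp_size set, append an OPT RR."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its HEADER line."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": rcode, "status": RCODES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def udp_query(server, name, edns_udp_size=None, timeout=2.0, port=53):
    """Send one query over UDP; return the raw reply, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, edns_udp_size=edns_udp_size), (server, port))
        data, _ = sock.recvfrom(4096)
        return data
    except socket.timeout:
        return None
    finally:
        sock.close()


def diagnose(plain_reply, edns_reply):
    """Classify a (plain, EDNS0) reply pair; each is bytes or None for timeout.

    A plain query that works while the EDNS0 one times out or fails is the
    classic middlebox symptom; both failing means EDNS is not the cause.
    """
    plain = parse_header(plain_reply)["status"] if plain_reply else "TIMEOUT"
    edns = parse_header(edns_reply)["status"] if edns_reply else "TIMEOUT"
    if plain == "NOERROR" and edns in ("TIMEOUT", "SERVFAIL"):
        return "edns0-blocked"      # disable EDNS toward that server, or use TCP
    if plain == edns == "SERVFAIL":
        return "upstream-servfail"  # the forwarder/path fails with or without EDNS
    if plain == edns == "NOERROR":
        return "ok"
    return "inconclusive:%s/%s" % (plain, edns)


# Constructed sample: the 35-byte SERVFAIL reply from the post, rebuilt from
# its HEADER line (id 4246; flags qr rd ra; QUERY 1, ANSWER 0).
SERVFAIL_REPLY = (struct.pack("!HHHHHH", 4246, 0x8182, 1, 0, 0, 0)
                  + encode_name("www.google.com.ar") + struct.pack("!HH", 1, 1))
# Constructed sample: a NOERROR header with the same question (no answer
# records included; the parser only needs the header).
NOERROR_REPLY = (struct.pack("!HHHHHH", 57473, 0x8180, 1, 0, 0, 0)
                 + encode_name("www.google.com.ar") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    plain = udp_query(server, "www.google.com.ar")
    edns = udp_query(server, "www.google.com.ar", edns_udp_size=4096)
    print(diagnose(plain, edns))
```

Run it against the local resolver and then against each forwarder directly (the ISP's, OpenDNS); a result of `edns0-blocked` only on the path through a NAT box points at that box, while `upstream-servfail` on every path says the problem is not EDNS at all, which matches what the `edns false;` experiment in the post already suggests.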
