Some domains don't resolve.
Ezequiel Aguerre
ezeaguerrelistas at gmail.com
Sat May 31 05:26:30 UTC 2008
> NAT is already a big problem in itself.
Mmm... that's bad :(. However "dnsmasq" and the DNS server that comes
bundled with Windows 2003 work OK.
> Who is 10.0.0.254? The NAT router? Do you control it? Can you vouch
> for it? (Most CPE middleboxes are lousy.)
Yep, it's the NAT router. And yes, I'm in total control of it.
> I suggest to not use this sort of device as a forwarder.
Thanks for the advice, but no matter what forwarders I use, it's always
broken. I've tried with my ISP's forwarders, and other DNS servers (those
from OpenDNS, and others), with no luck at all :(
> dig is much better for debugging
OK. Do you want me to use some special flags with dig?
$ dig www.google.com.ar @localhost
; <<>> DiG 9.4.2 <<>> www.google.com.ar @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4246
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.ar. IN A
;; Query time: 611 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:39 2008
;; MSG SIZE rcvd: 35
$ dig www.google.com.ar ANY @localhost
; <<>> DiG 9.4.2 <<>> www.google.com.ar ANY @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.google.com.ar. IN ANY
;; ANSWER SECTION:
www.google.com.ar. 82508 IN CNAME www.google.com.
;; AUTHORITY SECTION:
google.com.ar. 323916 IN NS ns1.google.com.
google.com.ar. 323916 IN NS ns3.google.com.
google.com.ar. 323916 IN NS ns2.google.com.
google.com.ar. 323916 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 168902 IN A 216.239.32.10
ns2.google.com. 168902 IN A 216.239.34.10
ns3.google.com. 168902 IN A 216.239.36.10
ns4.google.com. 168902 IN A 216.239.38.10
;; Query time: 33 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:48 2008
;; MSG SIZE rcvd: 199
$ dig www.google.com.ar @localhost
; <<>> DiG 9.4.2 <<>> www.google.com.ar @localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5055
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 7
;; QUESTION SECTION:
;www.google.com.ar. IN A
;; ANSWER SECTION:
www.google.com.ar. 82504 IN CNAME www.google.com.
www.google.com. 600904 IN CNAME www.l.google.com.
www.l.google.com. 251 IN A 74.125.47.99
www.l.google.com. 251 IN A 74.125.47.103
www.l.google.com. 251 IN A 74.125.47.104
www.l.google.com. 251 IN A 74.125.47.147
;; AUTHORITY SECTION:
l.google.com. 86093 IN NS c.l.google.com.
l.google.com. 86093 IN NS g.l.google.com.
l.google.com. 86093 IN NS b.l.google.com.
l.google.com. 86093 IN NS d.l.google.com.
l.google.com. 86093 IN NS a.l.google.com.
l.google.com. 86093 IN NS f.l.google.com.
l.google.com. 86093 IN NS e.l.google.com.
;; ADDITIONAL SECTION:
a.l.google.com. 86093 IN A 209.85.139.9
b.l.google.com. 86093 IN A 64.233.179.9
c.l.google.com. 86093 IN A 64.233.161.9
d.l.google.com. 86093 IN A 66.249.93.9
e.l.google.com. 86093 IN A 209.85.137.9
f.l.google.com. 86093 IN A 72.14.235.9
g.l.google.com. 86093 IN A 64.233.167.9
;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 31 01:06:52 2008
;; MSG SIZE rcvd: 371
It does the same thing.
> Probably because the stupid and broken router/firewall had a problem
> with EDNS0 packets.
Interesting... I have just made a test bypassing the router, and I got the
same results...
This time I tried with BIND 9.5.0b2; after having no luck, I added the
following to the configuration file:
options {
    ...
    edns false;              // turn off EDNS0 on outgoing queries
    edns-udp-size 512;       // advertise the classic 512-byte UDP limit
    ...
};
server xxx.xxx.xxx.xxx {     // per-server override for the ISP forwarder
    edns false;
    edns-udp-size 512;
};                           // server statements end with ';' like options
And still no luck :( (The IP is that of my ISP)
I commented out the "edns-udp-size" thinking it may be redundant and a
possible cause of error but it still doesn't work.
> EDNS0
> BIND nevertheless checks them at startup (because hints files tend to be
> obsolete). This is called "priming".
Ok, thanks. I won't worry about this.
Anyway, I've bypassed the router and the problem persists. My ISP is using a
Mikrotik-based solution doing NAT... so... in normal operation there are at
least two routers doing NAT, one under my control and the other at the ISP.
However, as I said earlier, "dnsmasq" and the DNS server bundled with Windows
Server 2003 are working fine. Maybe it's a broken rule on the ISP firewall...
but disabling EDNS had no effect... I don't know what else could be
wrong... I'm going to try my exact configuration on a different computer under
another ISP; if it works... then it's probably my ISP :(
Thanks !!!
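As an added example, not code from the original post or from BIND: a small Python probe that sends the same query to a resolver twice, once as a plain query and once carrying an EDNS0 OPT record (RFC 6891, which obsoleted RFC 2671), and reports the RCODE or a timeout for each. It is one way of checking the EDNS0 theory raised in the thread, and of seeing whether a dig-style SERVFAIL like the one above correlates with EDNS being on, without depending on what named itself does. The packet-building helpers, the default target address and the query name are assumptions made for this example.

```python
import socket
import struct

# Added example, not part of the original post: hand-built DNS queries with and
# without an EDNS0 OPT record, plus a minimal response parser, so the two
# variants can be compared against any resolver or forwarder on the path.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "ANY": 255}
OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Encode a dotted name ('www.example.') into DNS wire-format labels."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"  # the root name is a single zero-length label
    out = b""
    for label in name.split("."):
        lb = label.encode("ascii")
        if not 0 < len(lb) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(lb)]) + lb
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, edns_bufsize=None):
    """Build a recursive (RD=1) query; with edns_bufsize set, append an OPT RR."""
    arcount = 1 if edns_bufsize else 0
    # header: id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended rcode/version/flags (all zero), RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return pkt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + ln


def parse_response(data):
    """Parse the header and walk every record to see whether an OPT RR came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            has_opt = True
        off += 10 + rdlen
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "truncated": bool(flags & 0x0200),
        "answers": an,
        "has_opt": has_opt,
    }


def probe(server, name="www.google.com.ar", qtype="A", timeout=3.0):
    """Send the same question plain and with EDNS0; report what each variant gets.
    This part talks to the network and is not exercised by the offline checks."""
    results = {}
    for label, bufsize in (("plain", None), ("edns0-4096", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, edns_bufsize=bufsize), (server, 53))
            data, _ = sock.recvfrom(4096)
            results[label] = parse_response(data)
        except socket.timeout:
            results[label] = {"rcode": "TIMEOUT"}
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    for variant, result in probe(target).items():
        print(variant, result)
```

Run it once against the local named and once directly against the ISP forwarder; if the EDNS0 variant times out or returns SERVFAIL while the plain one answers, something on that path is dropping or mangling OPT-bearing packets, and the comparison can be repeated with dig using `+noedns` versus `+edns=0 +bufsize=4096`. If both variants behave the same, as the post's own experiment with `edns false` suggests, EDNS0 is not the cause and the search should move elsewhere.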
More information about the bind-users mailing list