Some dns recursive resolution issues ..

vincent.blondel at ing.be vincent.blondel at ing.be
Mon Oct 20 15:44:43 UTC 2008


Stephane,

>> I just checked on our internet routers and the routes are correctly
>> announced in our bgp area.
>
>That was not my point: my point is that ugc.fr is too brittle: such a
>setup has probably a (may be several) single point of failure. So, in
>case of network trouble, it may be less robust than other domains,
>with DNS servers in several places.
>
>> On the other hand if I directly send the query to ns.dns7947.net. or
>> ns2.dns7947.net. this is working well but the normal query gives
>> problems.
>
>The recursive name server at your premises has a problem, then. Did
>you test with dig ON THE NAME SERVER, in order to use the same IP
>address? Did you check its log file? Does it have a fixed source port
>(a firewall somewhere may block packets with source port == 53)?

I finally found the problem. In my named.conf file I block some ip
ranges. This comes from a list I found on the net in the past.

acl "bogon" {

    # http://www.completewhois.com/bogons/data/bogons-cidr-iana.txt

    # List of IANA bogons (ip blocks not allocated by IANA to RIRs and
    # ips reserved for private and special use by IANA based on RFCs)
    # For more information please see http://www.completewhois.com/bogons/
    # and the following ip4 information files:
    #   http://www.completewhois.com/iana-ipv4-addresses.txt
    #   htpt://www.completewhois.com/iana-ipv4-specialuse.txt
    # This file was last modified on Tue Apr 17 09:12:07 PDT 2007
    #
    # This file does not include the following additional iana reserved blocks:
    #   10.0.0.0/8     - reserved for intranet local networks
    #   127.0.0.0/8    - reserved for local loop on each computer
    #   172.16.0.0/12  - reserved for intranet local networks
    #   192.168.0.0/16 - reserved for intranet local networks
    #   224.0.0.0/4    - used for multicast routing
    # All these ip blocks are commonly used for local ethernet or local machine
    # and hence if you filter them you may accidently shut down your own network
    # Please manually add to your configuration those of the above blocks that
    # you know for certain are not used on your local network

    0.0.0.0/7;
    2.0.0.0/8;
    5.0.0.0/8;
    7.0.0.0/8;
    23.0.0.0/8;
    27.0.0.0/8;
    31.0.0.0/8;
    36.0.0.0/7;
    39.0.0.0/8;
    42.0.0.0/8;
    49.0.0.0/8;
    50.0.0.0/8;
    94.0.0.0/7;
    100.0.0.0/6;
    104.0.0.0/5;
    112.0.0.0/6;
    169.254.0.0/16;
    173.0.0.0/8;
    174.0.0.0/7;
    176.0.0.0/5;
    184.0.0.0/6;
    191.0.0.0/8;
    192.0.2.0/24;
    197.0.0.0/8;
    198.18.0.0/15;
    223.0.0.0/8;
    240.0.0.0/4;

    // CAUTION: If you are using RFC1918 netblocks on your network
    // remove those netblocks from this list of blackhole ACLs!
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    224.0.0.0/4;
};

If you have a look at it you can notice that IP range 177.x.x.x is blocked. I
also noticed that the mentioned referenced URLs are not responding any more,
so I will remove this piece of config that seems to be not up to date
any more.

Many thanks for your help.
Vincent.
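A small audit of the kind that would have caught this, as an added example that is not part of the original thread: it parses a named.conf acl block (a constructed excerpt of the list above), reports which entries cover a given name server address, and flags entries that reach beyond a special-use prefix list that I supply as an assumption and that should be refreshed from the current IANA registry.

```python
import ipaddress
import re

# Constructed excerpt of the "bogon" ACL quoted in the post (not the full list).
NAMED_CONF = '''
acl "bogon" {
    # stale IANA bogon list, last modified 2007
    0.0.0.0/7;
    5.0.0.0/8;
    169.254.0.0/16;
    176.0.0.0/5;
    192.0.2.0/24;
    198.18.0.0/15;
    240.0.0.0/4;
    // CAUTION: RFC1918 netblocks
    10.0.0.0/8;
    192.168.0.0/16;
};
'''

# Assumption (mine, not from the post): IPv4 prefixes that are still special-use.
# Refresh this from the IANA special-purpose address registry before relying on it.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]

def parse_acl(conf, name):
    """Extract the prefixes of one named.conf acl block, ignoring # and // comments.
    Plain prefixes only: no '!' negation or nested acl names are handled."""
    m = re.search(r'acl\s+"?%s"?\s*\{(.*?)\};' % re.escape(name), conf, re.S)
    if not m:
        raise ValueError("acl %r not found" % name)
    body = re.sub(r'(#|//)[^\n]*', '', m.group(1))
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in body.split(';') if e.strip()]

def covering_entries(nets, address):
    """ACL entries matching `address`; used in a blackhole clause they make BIND
    drop traffic to/from that address, which is what broke recursion in the post."""
    addr = ipaddress.ip_address(address)
    return [n for n in nets if addr in n]

def stale_entries(nets):
    """Entries not fully inside a special-use prefix: they now block address
    space that has been allocated to RIRs since the list was written."""
    return [n for n in nets if not any(n.subnet_of(s) for s in SPECIAL_USE)]

if __name__ == "__main__":
    acl = parse_acl(NAMED_CONF, "bogon")
    print("entries covering 177.0.0.1:", covering_entries(acl, "177.0.0.1"))
    print("stale entries:", stale_entries(acl))
```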