Two DNS Servers inside a firewall

ListAcc listacc at ocosa.com
Fri Sep 5 02:06:50 UTC 2008 

BTW I ran ethereal earlier. That's what I thought so I increase the 
datagram size on my pix firewall from 512 to 4096 and it's still the 
name thing.

Kevin Darcy wrote:
> FORMERR is strange. Generally speaking, you should not be seeing FORMERR 
> in queries between 2 different BIND instances.
>
> It's looking increasingly to me like a bad NAT/PAT device, mangling your 
> packets. Maybe it doesn't understand EDNS0 (?) My next step would 
> probably be to run a packet trace/capture, although, on the off-chance 
> that it's EDNS0-related, you might try turning that off and see if it 
> makes a difference.
>
>                                                                          
>    - Kevin
>
> ListAcc wrote:
>   
>> Kevin,
>>
>> The problem is server1 has a set of customers and server2 has a set of 
>> customers.  Each server is auth for their respective customers.  
>> Customers on server2 can not reach customers on server1 and vice 
>> versa.  I have logging on but can not see anything that's strange...
>>
>> 04-Sep-2008 15:06:07.169 client 192.168.0.22#64168: query: 
>> mail.customer2.com IN A +
>> 04-Sep-2008 15:06:07.169 createfetch: mail.customer2.com A
>> 04-Sep-2008 15:06:07.170 client 127.0.0.1#2129: query: 
>> mail.customer2.com IN A +E
>> 04-Sep-2008 15:06:07.170 FORMERR resolving 'mail.customer2.com/A/IN': 
>> 127.0.0.1#53
>>
>> See my logging in named.conf
>>
>> logging {
>>      channel default_syslog {
>>            // Send most of the named messages to syslog.
>>            syslog local2;
>>            severity debug;
>>      };
>>      channel audit_log {
>>            // Send the security related messages to a separate file.
>>            file "/var/named/named.log";
>>            severity debug;
>>            print-time yes;
>>      };
>>      category default { default_syslog; };
>>      category general { default_syslog; };
>>      category security { audit_log; default_syslog; };
>>      category config { default_syslog; };
>>      category resolver { audit_log; };
>>      category xfer-in { audit_log; };
>>      category xfer-out { audit_log; };
>>      category notify { audit_log; };
>>      category client { audit_log; };
>>      category network { audit_log; };
>>      category update { audit_log; };
>>      category queries { audit_log; };
>>      category lame-servers { audit_log; };
>> };
>>
>> On these servers I did not issue the view command in named.conf I have 
>> not had time to break down these servers like that yet I have two more 
>> being built to be implemented as such though.
>>
>> Kevin Darcy wrote:
>>     
>>> OK, so is the *real* problem here that your authoritative zones can't 
>>> be resolved from anywhere except the authoritative servers themselves?
>>>
>>> Turn on query logging to see if the queries are even getting to the 
>>> correct servers, and, if so, what view is being matched.
>>>
>>> You mentioned "translation" in an earlier message, so I'm thinking 
>>> you might have some NAT and/or PAT going on, in which case you might 
>>> also want to capture or trace packets "to or from UDP port 53". There 
>>> might be some surprising discoveries to be made there.
>>>
>>>                                                                          
>>>                            -Kevin
>>>
>>> P.S. wizart1.com resolves for me, by the way, although it took over 3 
>>> seconds on the first attempt.
>>>
>>> ListAcc wrote:
>>>  
>>>       
>>>> Chris,
>>>>
>>>> I have added 127.0.0.1 to the recursion list on both server nothing. 
>>>> Also if you nslookup from remote client computers you can not 
>>>> resolve the domains either it says DNS timeout....
>>>>
>>>> Chris Buxton wrote:
>>>>      
>>>>         
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> In the header of the response to the second 'dig' command, note the 
>>>>> 'flags' section. The 'ra' flag is not present.
>>>>>
>>>>> In your named.conf, in the 'options' statement block, check your 
>>>>> 'allow-recursion' statement. This is most likely the culprit. Your 
>>>>> query is coming from 127.0.0.1, and that address is probably not 
>>>>> listed in the allow-recursion ACL.
>>>>>
>>>>> Chris Buxton
>>>>> Professional Services
>>>>> Men & Mice
>>>>>
>>>>> On Sep 4, 2008, at 2:16 PM, ListAcc wrote:
>>>>>
>>>>>          
>>>>>           
>>>>>> Hello,
>>>>>>
>>>>>> For the life of me I can not find the details of the problem:  I have
>>>>>> two servers in question, both are authoritative/cache servers.  One
>>>>>> server is auth for a  few zones and the other one for a few zones 
>>>>>> due to
>>>>>> a split hosting environment.  Running Bind 9.3.5-P2 and Bind 
>>>>>> 9.3.4-P1 on
>>>>>> CentOS.  For this example I will identify them as server 1 and server
>>>>>> 2.  Also I have checked the logs nothing.
>>>>>>
>>>>>> Server 1 can not resolve domains at Server 2 and vice versa.  It 
>>>>>> worked
>>>>>> before I am not sure what happed.  I thought it was the root hints 
>>>>>> so I
>>>>>> updated and not the culprit. When I issue a dig here is the output
>>>>>>
>>>>>>
>>>>>> [root at server2 ~]# dig company.com
>>>>>>
>>>>>> ; <<>> DiG 9.3.4-P1 <<>> company.com
>>>>>> ;; global options:  printcmd
>>>>>> ;; connection timed out; no servers could be reached
>>>>>>
>>>>>>
>>>>>> [root at server1 ~]# dig company2.com
>>>>>>
>>>>>> ; <<>> DiG 9.3.5-P2 <<>> company2.com
>>>>>> ;; global options:  printcmd
>>>>>> ;; Got answer:
>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6067
>>>>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 2
>>>>>>
>>>>>> ;; QUESTION SECTION:
>>>>>> ;wizart1.com.                   IN      A
>>>>>>
>>>>>> ;; AUTHORITY SECTION:
>>>>>> com.                    140357  IN      NS      j.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      k.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      l.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      m.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      a.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      b.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      c.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      d.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      e.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      f.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      g.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      h.gtld-servers.net.
>>>>>> com.                    140357  IN      NS      i.gtld-servers.net.
>>>>>>
>>>>>> ;; ADDITIONAL SECTION:
>>>>>> h.gtld-servers.net.     52569   IN      A       192.54.112.30
>>>>>> m.gtld-servers.net.     108692  IN      A       192.55.83.30
>>>>>>
>>>>>> ;; Query time: 1 msec
>>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>>>> ;; WHEN: Thu Sep  4 14:39:35 2008
>>>>>> ;; MSG SIZE  rcvd: 285
>>>>>>
>>>>>>
>>>>>> The zones have public IP addresses so the translation should work and
>>>>>> resolve if using either server as a resolver.  Both servers will 
>>>>>> resolve
>>>>>> the domains they are auth for any other domain not hosted on the 
>>>>>> server
>>>>>> except the ones on each others server if this makes sense.
>>>>>>
>>>>>> Thanks in advanced.
>>>>>>
>>>>>> Otis
>>>>>>
>>>>>>
>>>>>>               
>>>>>>             
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v1.4.8 (Darwin)
>>>>>
>>>>> iEYEARECAAYFAkjAVkAACgkQ0p/8Jp6Boi38VACfacM3feAJN/x3cmsF3dgRowhi
>>>>> V4gAoJv9sz723/ZK2Z7HSY6KC5jfZEY/
>>>>> =DT5y
>>>>> -----END PGP SIGNATURE-----
>>>>>           
>>>>>           
>>>>       
>>>>         
>>>   
>>>       
>>
>>     
>
>
>

More information about the bind-users mailing list