DNS server works but keep getting "host unreachable resolving" error

Shi Jin jinzishuai at yahoo.com
Mon Sep 21 20:16:02 UTC 2009


Hi there,

I've set up a DNS server running bind9 in my LAN and set it up to use the ISP-provided DNS servers as the forwarders. Currently this DNS server works in the sense that both internal and external names are resolved without any problem. However, for each DNS query, the syslog shows entries of 

dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53
Where the IP 216.171.238.66 is the ISP provided DNS server. 

My named.conf.options looks like
forwarders {
                216.171.238.66;
                216.171.238.67;
         };
listen-on-v6 { none; };

When I run dig, I get
/etc/bind# dig

; <<>> DiG 9.5.1-P2 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48733
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       435420  IN      NS      K.ROOT-SERVERS.NET.
.                       435420  IN      NS      A.ROOT-SERVERS.NET.
.                       435420  IN      NS      H.ROOT-SERVERS.NET.
.                       435420  IN      NS      M.ROOT-SERVERS.NET.
.                       435420  IN      NS      E.ROOT-SERVERS.NET.
.                       435420  IN      NS      J.ROOT-SERVERS.NET.
.                       435420  IN      NS      D.ROOT-SERVERS.NET.
.                       435420  IN      NS      L.ROOT-SERVERS.NET.
.                       435420  IN      NS      G.ROOT-SERVERS.NET.
.                       435420  IN      NS      F.ROOT-SERVERS.NET.
.                       435420  IN      NS      B.ROOT-SERVERS.NET.
.                       435420  IN      NS      C.ROOT-SERVERS.NET.
.                       435420  IN      NS      I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     521820  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     521820  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     297362  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     297362  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     297362  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     297362  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     347113  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     521820  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     297362  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     297362  IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     297362  IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     297362  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     330463  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     330463  IN      AAAA    2001:503:c27::2:30

;; Query time: 0 msec
;; SERVER: 192.168.1.127#53(192.168.1.127)
;; WHEN: Mon Sep 21 14:11:54 2009
;; MSG SIZE  rcvd: 500

The IP 192.168.1.127 is the IP address of the LAN DNS server I've set up.
The has NAT firewall enabled so it is able to access the ISP-provided DNS server directly. However, it looks to me like the ISP-provided DNS server (216.171.238.66) was not able to resolve any of the names and all the resolving is done at the top-level servers. Is my understanding correct?

More importantly, is this the correct behavior I should expect, and how do I solve the "host unreachable resolving" problem?

I appreciate your help. Thank you very much.


--
Shi Jin, PhD
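
Added example, not part of the original message: a small Python triage script that reads a forwarders block and named syslog lines in the format quoted above, then counts "... resolving" errors per upstream server and lists any servers that are not configured forwarders. The function names are hypothetical, and every sample log line except the first is constructed for illustration.

```python
import re
from collections import Counter

# Log format as quoted in the post:
#   named[PID]: host unreachable resolving 'NAME/TYPE/CLASS': IP#PORT
LOG_RE = re.compile(
    r"named\[\d+\]: (?P<err>[a-z ]+?) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

def parse_forwarders(conf_text):
    """Return the addresses listed inside a forwarders { ... }; block."""
    block = re.search(r"forwarders\s*\{([^}]*)\}", conf_text)
    if not block:
        return []
    return [a.strip() for a in block.group(1).split(";") if a.strip()]

def tally_errors(log_lines, forwarders):
    """Count errors per (server, error text); collect non-forwarder servers."""
    counts, others = Counter(), set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a resolver error line
        counts[(m["server"], m["err"])] += 1
        if m["server"] not in forwarders:
            others.add(m["server"])
    return counts, others

# Configuration fragment as posted.
SAMPLE_CONF = """forwarders {
                216.171.238.66;
                216.171.238.67;
         };
listen-on-v6 { none; };"""

# First line is from the post; the other two are constructed samples.
SAMPLE_LOG = [
    "dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53",
    "dhcp-dns named[18638]: host unreachable resolving 'example.org/A/IN': 216.171.238.66#53",
    "dhcp-dns named[18638]: host unreachable resolving 'example.org/A/IN': 198.41.0.4#53",
]

if __name__ == "__main__":
    fwd = parse_forwarders(SAMPLE_CONF)
    counts, others = tally_errors(SAMPLE_LOG, fwd)
    for (server, err), n in sorted(counts.items()):
        role = "forwarder" if server in fwd else "not a forwarder"
        print(f"{server:16} {err:18} {n:3}  ({role})")
```

A forwarder that never appears in the tally is a candidate for answering the queries; one that appears on every query is worth testing directly with dig from the DNS host.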


      



More information about the bind-users mailing list