Strange CNAME issue

seren seren at mellmo.com
Thu Jan 21 22:33:50 UTC 2010


Thanks for your response. I didn't know about the +trace option in dig. After some more searching, I believe you are correct about the long responses being related. The responses that fail all seem to exceed 512-bytes. Why this would happen in multiple locations is a mystery but perhaps our firewalls are configured similarly. I'll look into the firewall settings on my end, but since there may be other devices out there configured similarly I'll need to try and reduce my CNAMES to find into a 512-byte response or switch them to A records.

 -seren

On Jan 20, 2010, at 1:48 AM, Niall O'Reilly wrote:

> seren wrote:
>> Hi, I've run into some strange issues with BIND and CNAMES.
> 
> 	The examples you show indicate strange issues only with
> 	whatever name server code is running on your localhost.
> 	Nothing in your examples actually identify this as BIND.
> 
>> We're using BIND9 (on Ubuntu)
>> internally and have our external DNS hosted by NetworkSolutions. Occasionally I'll be able
>> to create a CNAME in NetworkSolutions that BIND is unable to resolve.
>> Using dig I notice it's doing a query for an A record,
> 
> 	This is the record type use by dig in default of a specific
> 	type on the command line.
> 
>> and in most cases this works even
>> if the entry is a CNAME. In the cases where it fails, I see either a timeout error or a
>> SERVFAIL.
> 
> 	Your local instance of named is respectively either not
> 	responding, or reporting an error.
> 
> 	Have you looked in your logs for more information?
> 	Have you tried 'dig +trace'?
> 
>> If I then do a dig query specifying a CNAME, I get a quick successful result
>> and subsequent queries to BIND succeed, until the record expires from the cache.
>> The records that fail don't seem to have anything in common besides them all being
>> CNAMES and longer names seeming to fail more. Both BIND9 and two windows-based DNS
>> servers fail with the exact same records, however Google (8.8.8.8) and several other
>> public DNS services resolve them fine.
> 
> 	I think you need to ask what's different between (on the one
> 	hand) your "BIND9" and windows-based name servers and (on the
> 	other) name servers which you tell us work: if not in the
> 	configuration, then in the environment.
> 
> 	Are all of your "failing" name servers behind the same firewall?
> 	If so, does the firewall allow DNS queries and responses over
> 	TCP as well as UDP?  Does the firewall perhaps break "long"
> 	responses?  I ask because I've noticed some truncation
> 	and fallback to TCP when I use 'dig +trace' to query for one of
> 	the names you've mentioned as failing.
> 
> 
> 	Best regards,
> 
> 	Niall O'Reilly
> 	University College Dublin IT Services
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20100121/d1ebf60a/attachment.html>


More information about the bind-users mailing list