problems resolving domains under NSxx.DOMAINCONTROL.COM - this problem I have too! :(((((

Erwin Lansing erwin at FreeBSD.org
Wed Jun 23 09:01:29 UTC 2010


On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote:
> 
> In message <AANLkTinjqoRpLnyqj5tsO2TDwLt_ROPzDMrYMOIPHYTO at mail.gmail.com>, Piff
>  writes:
> > Mark,
> > 
> > more than once you have blamed firewall but I have tested without
> > firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig +dnssec".
> 
> Wrong.  The nameservers DO answer these queries.

Right, unfortunately.  All is fine on a freshly reloaded bind, but after
a while no answers are seen.  This is on Bind 9.4, 9.5 and 9.6.
> 
> # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
> 
> ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;replacementservices.com.       IN      A
> 
> ;; ANSWER SECTION:
> replacementservices.com. 3600   IN      A       72.32.12.235
> 
> ;; AUTHORITY SECTION:
> replacementservices.com. 3600   IN      NS      ns33.domaincontrol.com.
> replacementservices.com. 3600   IN      NS      ns34.domaincontrol.com.
> 
> ;; Query time: 346 msec
> ;; SERVER: 216.69.185.17#53(216.69.185.17)
> ;; WHEN: Wed Jun 23 17:39:43 2010
> ;; MSG SIZE  rcvd: 109
> 
> # 

# dig +dnssec @ns33.domaincontrol.com. replacementservices.com.

; <<>> DiG 9.6.1-P3 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

> 
> Since you are not getting answers then there is a problem between
> you and the nameservers in question and as just about every one
> else is getting answers as well this puts the problem close to you.
> i.e. Your network or your ISP's network.  Something on the path is
> doing DPI tests and is rejecting the response.  Do you have a NAT
> that does DPI?

No firewall, DPI, NAT or any form of filtering involved on our side,
direct peering with GLBX.

-erwin

-- 
Erwin Lansing                       (o_ _o)       http://droso.org
Ceterum censeo                 \\\_\   /_///
Carthaginem esse delendam        <____) (____>    erwin at lansing.dk
More information about the bind-users mailing list