Nslookup not working for external domain

Kevin Darcy kcd at chrysler.com
Thu Nov 18 17:44:30 UTC 2010

On 11/18/2010 5:16 AM, Matus UHLAR - fantomas wrote:
> On 17.11.10 11:10, Moore, Mark A. wrote:
>> Subject: Nslookup not working for external domain
> oh, nslookup is not working? Sure it is working, your problem is not in
> nslookup.
>> We are running into an issue where one of our slave servers isn't resolving
>> non-local domain names.
> the term "slave" only applies for domains the server is fetching from its
> master. There's no "slave" for non-local domains.
>> For the two domains hosted on this server, we can resolve any entry.
>> However, if we try to do an nslookup to cnn, google, yahoo, etc. it fails.
>> We have turned off iptables and verified internet connectivity. Below is
>> the error we get. What other areas should we be looking at to
>> troubleshoot?
>> Thx in advance for any help given.
>> nslookup www.cnn.com
>> ;; Got SERVFAIL reply from, trying next server
> This server apparently does not provide recursion for you.
The OP already found the problem -- apparently the hints file wasn't
being loaded properly.

However, for future reference in troubleshooting DNS problems through 
interpretation of nslookup results, for the versions of nslookup I'm 
familiar with, trying to do a lookup that requires recursion, from a 
resolver that doesn't provide it, results in either
a) a goofy-looking referral response, if no searchlisting is being 
performed, or
b) nslookup going off and doing searchlisted queries, and returning the 
results of the *last* query it does (which is likely to be an NXDOMAIN 
response, thus causing nslookup to mis-report the result of the overall 
lookup as NXDOMAIN)

In neither case would it return SERVFAIL. That usually points to some 
other root cause. My guess would have been that the resolver had no 
connectivity to the Internet and had marked all of the root nameservers 
as "lame". Mis-loading of the hints file apparently has the same 
symptoms, although to be honest I don't think I've seen that before.

                                         - Kevin

P.S. Nslookup sucks.
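
The outcomes distinguished in the message above (SERVFAIL, a referral, NXDOMAIN) can be read directly from the DNS response header, without relying on how nslookup reports them. The following Python decoder is an added example, not part of the original post; the sample headers are constructed, and the referral test (NOERROR, no answers, authority records present, RA and AA clear) is a heuristic assumption.

```python
import struct

# Flag masks for the second 16-bit word of the DNS header (RFC 1035, 4.1.1).
QR, AA, RD, RA, RCODE = 0x8000, 0x0400, 0x0100, 0x0080, 0x000F

NOTES = {
    "servfail": "server tried and failed; check root reachability and the hints file",
    "referral": "server does not recurse for this client; it only pointed elsewhere",
    "nxdomain": "name not found; with a search list this may be the last name tried",
    "answer": "resolution succeeded",
    "other": "not covered by this sketch",
}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "ra": bool(flags & RA),
            "rcode": flags & RCODE, "answers": an, "authority": ns}

def diagnose(msg: bytes) -> str:
    """Map a response header onto the outcomes discussed in the message."""
    h = parse_header(msg)
    if not h["qr"]:
        return "other"                      # a query, not a response
    if h["rcode"] == 2:
        return "servfail"
    if h["rcode"] == 3:
        return "nxdomain"
    if h["rcode"] == 0 and h["answers"] > 0:
        return "answer"
    # Heuristic (assumption): NOERROR, empty answer section, authority records
    # present, and neither RA nor AA set looks like a referral.
    if h["rcode"] == 0 and h["authority"] > 0 and not h["ra"] and not h["aa"]:
        return "referral"
    return "other"

# Constructed sample headers: id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
SAMPLES = {
    "servfail": struct.pack("!6H", 0x1A2B, QR | RD | RA | 2, 1, 0, 0, 0),
    "referral": struct.pack("!6H", 0x1A2C, QR | RD, 1, 0, 13, 14),
    "nxdomain": struct.pack("!6H", 0x1A2D, QR | RD | RA | 3, 1, 0, 1, 0),
    "answer": struct.pack("!6H", 0x1A2E, QR | RD | RA, 1, 2, 0, 0),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = diagnose(msg)
        print(f"{name:9} -> {verdict}: {NOTES[verdict]}")
```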
