Nslookup not working for external domain

Kevin Darcy kcd at chrysler.com
Thu Nov 18 19:55:48 UTC 2010

On 11/18/2010 2:18 PM, Matus UHLAR - fantomas wrote:
>>> On 17.11.10 11:10, Moore, Mark A. wrote:
>>>> nslookup www.cnn.com
>>>> ;; Got SERVFAIL reply from, trying next server
>> On 11/18/2010 5:16 AM, Matus UHLAR - fantomas wrote:
>>> This server apparently does not provide recursion for you.
> On 18.11.10 12:44, Kevin Darcy wrote:
>> The OP already found the problem -- apparently the hints file wasn't
>> being loaded properly.
> it was after my reply ;-)
>> However, for future reference in troubleshooting DNS problems through
>> interpretation of nslookup results, for the versions of nslookup I'm
>> familiar with, trying to do a lookup that requires recursion, from a
>> resolver that doesn't provide it, results in either
>> a) a goofy-looking referral response, if no searchlisting is being
>> performed, or
>> b) nslookup going off and doing searchlisted queries, and returning the
>> results of the *last* query it does (which is likely to be an NXDOMAIN
>> response, thus causing nslookup to mis-report the result of the overall
>> lookup as NXDOMAIN)
>> In neither case would it return SERVFAIL. That usually points to some
>> other root cause. My guess would have been that the resolver had no
>> connectivity to the Internet and had marked all of the root nameservers
>> as "lame". Mis-loading of the hints file apparently has the same
>> symptoms, although to be honest I don't think I've seen that before.
> Last versions of BIND do not even return root referrals to clients that are
> not allowed to recurse. Accessing hint zone is understood as recursion too.
> ...you may remember issue with flooding some servers with UDP responses to
> spoofed queries for "." some time ago...
> Have you checked with such server?
No, I haven't checked, but I would expect a REFUSED response in that case.

                             - Kevin
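
Added example, not part of the original message: a small Python classifier that reads the RCODE, RA bit and section counts straight from the DNS response header (RFC 1035 layout), so the outcomes discussed in this thread (SERVFAIL, REFUSED, NXDOMAIN, referral) can be told apart without relying on nslookup's summary. The function names, hint strings and sample headers are constructed for illustration; the hints paraphrase the causes suggested in the thread.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # header flag bits (RFC 1035)

def build_header(rcode, ra, ancount, nscount, aa=False):
    """Constructed 12-byte response header for the demo (not captured traffic)."""
    flags = QR | RD | (AA if aa else 0) | (RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

def classify(msg):
    """Return (rcode_name, recursion_available, hint) from the header alone."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response (QR=0)")
    rcode, ra, aa = flags & 0xF, bool(flags & RA), bool(flags & AA)
    name = RCODES.get(rcode, "RCODE%d" % rcode)
    if name == "SERVFAIL":
        hint = "resolution failed: check hints file and reachability of the roots"
    elif name == "REFUSED":
        hint = "refused by policy: check whether this client may recurse"
    elif name == "NXDOMAIN":
        hint = "no such name: confirm it was not a search-list query"
    elif name == "NOERROR" and an == 0 and ns > 0 and not aa and not ra:
        hint = "referral: server did not recurse for this client"
    elif name == "NOERROR" and an > 0:
        hint = "answer"
    else:
        hint = "inspect the full message"
    return name, ra, hint

if __name__ == "__main__":
    # Constructed sample headers, one per outcome named in the thread.
    samples = {
        "servfail": build_header(2, True, 0, 0),
        "refused": build_header(5, False, 0, 0),
        "referral": build_header(0, False, 0, 13),
        "nxdomain": build_header(3, True, 0, 1),
    }
    for label, msg in samples.items():
        print(label, classify(msg))
```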

