dig to a nameserver from a host in particular subnet fails

blrmaani blrmaani at gmail.com
Wed Dec 14 22:34:52 UTC 2011

Our email group have been complaining about a issue of email sent by
certain users bouncing and I started debugging and found out that
those users are using email-servers in subnet1. Emails sent out by
users in subnet2 were OK.

The email-client-hosts use dns-recursive-resolvers depending on their
location. The names being queried by email-client-hosts are external
names (not in our named config) and our recursive resolvers recurse
and gets response to these queries as expected.

Summary of my investigation:
# dns-recursive-resolver1  is in subnet1
# I execute this on dns-recursive-resolver1 and the query times out

dig @other-auth-nameserver name1.com. A    # TIMEOUT
dig @other-auth-nameserver name1.com. MX   # TIMEOUT

# dns-recursive-resolver2 is in subnet2
# I execute the following dig command on dns-recursive-resolver2 and
it returns response (A record) as
# expected.

dig @other-auth-nameserver name1.com. A    # OK - responds correctly
dig @other-auth-nameserver name1.com. MX   # OK - responds correctly

I spoke to the sysadmin who maintains 'other-auth-nameserver' and he
responded that they are NOT 'black-hole'ing or 'bogus'ing subnet1 in
named.conf on 'other-auth-nameserver'. Also, they don't have any
network ACL or firewall config to block DNS queries from subnet1.

What else should I be looking?

More information about the bind-users mailing list