Problem resolving one particular domain

Danilo Godec danilo.godec at agenda.si
Wed Jul 27 07:59:32 UTC 2011


Hi,

I'm running three DNS servers (1 master, 2 slaves) running bind 9.7.3, 
hosting about 150 domains, while also providing DNS service for my network.

Recently a customer complained that they cannot send an email (they use 
my SMTP server) to a specific domain 'rabobank.com' - Postfix logged 
this error: 'Host or domain name not found.'

Initially I thought there was a problem with the domain, so I checked 
with 'dig' only to find that it really cannot resolve anything regarding 
this domain. Then I checked domain registration using 'whois' and it 
seemed OK.

So I used 'dig' to query my ISP's DNS server, which resolved the domain 
in question without a problem. For a quick fix I just configured my 
named to use forwarders.

But I would like to get to the bottom of this, so I did some more 
testing without forwarders. The domain is using three name servers:

> # dig +short ns rabobank.com @ns1.telemach.net
> ns2.rabobank.nl.
> ns.rabobank.nl.
> ns.nl.net.

Incidentally there is also the domain 'rabobank.nl' that uses those same 
servers:

> # dig +short ns rabobank.nl @ns1.telemach.net
> ns2.rabobank.nl.
> ns.nl.net.
> ns.rabobank.nl

Weirdness number 1 - I cannot resolve 'rabobank.com', yet I can resolve 
'rabobank.nl':

> # dig ns rabobank.com
>
> ; <<>> DiG 9.7.3-P1 <<>> ns rabobank.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

> # dig ns rabobank.nl
>
> ; <<>> DiG 9.7.3-P1 <<>> ns rabobank.nl
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4961
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;rabobank.nl.                   IN      NS
>
> ;; ANSWER SECTION:
> rabobank.nl.            3188    IN      NS      ns.rabobank.nl.
> rabobank.nl.            3188    IN      NS      ns.nl.net.
> rabobank.nl.            3188    IN      NS      ns2.rabobank.nl.
>
> ;; ADDITIONAL SECTION:
> ns.nl.net.              85663   IN      A       193.78.240.1
> ns.rabobank.nl.         3032    IN      A       145.72.79.222
> ns2.rabobank.nl.        2879    IN      A       145.72.79.221
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jul 27 09:38:11 2011
> ;; MSG SIZE  rcvd: 135


Weirdness number 2 - using dig directly with their servers works:

> # dig ns rabobank.com @145.72.79.221
>
> ; <<>> DiG 9.7.3-P1 <<>> ns rabobank.com @145.72.79.221
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47023
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;rabobank.com.                  IN      NS
>
> ;; ANSWER SECTION:
> rabobank.com.           3600    IN      NS      ns2.rabobank.nl.
> rabobank.com.           3600    IN      NS      ns.nl.net.
> rabobank.com.           3600    IN      NS      ns.rabobank.nl.
>
> ;; Query time: 39 msec
> ;; SERVER: 145.72.79.221#53(145.72.79.221)
> ;; WHEN: Wed Jul 27 09:39:46 2011
> ;; MSG SIZE  rcvd: 99

I tried the same with all three servers. So I guess it's not a network 
problem...


I thought 'dig +trace' would give some answers, but it seems it doesn't 
even use my named to resolve the domain - instead it seems to talk 
directly to the root server and the target server:

> # dig +trace ns rabobank.com
>
> ; <<>> DiG 9.7.3-P1 <<>> +trace ns rabobank.com
> ;; global options: +cmd
> .                       517503  IN      NS      m.root-servers.net.
> .                       517503  IN      NS      d.root-servers.net.
> .                       517503  IN      NS      g.root-servers.net.
> .                       517503  IN      NS      k.root-servers.net.
> .                       517503  IN      NS      j.root-servers.net.
> .                       517503  IN      NS      b.root-servers.net.
> .                       517503  IN      NS      h.root-servers.net.
> .                       517503  IN      NS      e.root-servers.net.
> .                       517503  IN      NS      l.root-servers.net.
> .                       517503  IN      NS      i.root-servers.net.
> .                       517503  IN      NS      a.root-servers.net.
> .                       517503  IN      NS      c.root-servers.net.
> .                       517503  IN      NS      f.root-servers.net.
> ;; Received 276 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> ;; Received 490 bytes from 193.0.14.129#53(k.root-servers.net) in 42 ms
>
> rabobank.com.           172800  IN      NS      ns.rabobank.nl.
> rabobank.com.           172800  IN      NS      ns2.rabobank.nl.
> ;; Received 76 bytes from 192.31.80.30#53(d.gtld-servers.net) in 134 ms
>
> rabobank.com.           3600    IN      NS      ns.nl.net.
> rabobank.com.           3600    IN      NS      ns2.rabobank.nl.
> rabobank.com.           3600    IN      NS      ns.rabobank.nl.
> ;; Received 99 bytes from 145.72.79.222#53(ns.rabobank.nl) in 40 ms

I also tried fiddling with the 'edns-udp-size', but that didn't change a 
thing....


I also used 'tcpdump' to trace packets on my router's outbound interface 
and I see UDP packets going out:

> 09:53:23.643138 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  7984 
> [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5640, 
> len 71)
> 09:53:23.643608 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 13083 [1au] AAAA? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, 
> id 5641, len 72)
> 09:53:23.652644 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 36595 [1au] A? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 
> 5642, len 72)
> 09:53:23.664342 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 39678 [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, 
> id 5643, len 71)
> 09:53:23.680147 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  65295 
> [1au] A? ns4.nic.nl. ar: . OPT UDPsize=512 (39) (ttl 63, id 3123, len 67)
> 09:53:23.714178 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 65295*-% q: A? ns4.nic.nl. 1/0/1 ns4.nic.nl. A 95.142.99.212 ar: . OPT 
> UDPsize=4096 (55) (DF) (ttl 242, id 44797, len 83)
> 09:53:24.443378 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  54272 
> [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 3124, 
> len 71)
> 09:53:24.444144 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  52158 
> [1au] AAAA? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 
> 3125, len 72)
> 09:53:24.453190 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  27942 
> [1au] A? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 3126, 
> len 72)
> 09:53:24.464938 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  63331 
> [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 
> 3127, len 71)
> 09:53:24.477335 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 54272*-% q: A? ns.rabobank.nl. 1/0/1 ns.rabobank.nl. A 145.72.79.222 
> ar: . OPT UDPsize=4096 (59) (DF) (ttl 242, id 44798, len 87)
> 09:53:24.477662 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 38139 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 
> 5644, len 69)
> 09:53:24.478210 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 52158*-% q: AAAA? ns2.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA 
> ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 
> 600 ar: . OPT UDPsize=4096 (94) (DF) (ttl 242, id 44799, len 122)
> 09:53:24.487420 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 27942*-% q: A? ns2.rabobank.nl. 1/0/1 ns2.rabobank.nl. A 145.72.79.221 
> ar: . OPT UDPsize=4096 (60) (DF) (ttl 242, id 44800, len 88)
> 09:53:24.499399 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 63331*-% q: AAAA? ns.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA 
> ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 
> 600 ar: . OPT UDPsize=4096 (90) (DF) (ttl 242, id 44801, len 118)
> 09:53:24.621135 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  58122 
> [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 
> 3128, len 71)
> 09:53:24.655239 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 58122*-% q: AAAA? ns.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA 
> ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 
> 600 ar: . OPT UDPsize=4096 (90) (DF) (ttl 242, id 44802, len 118)
> 09:53:25.278468 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  
> 20564 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 
> 22314, len 69)
> 09:53:26.879203 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 62265 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 
> 5645, len 69)
> 09:53:28.480190 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  5708 
> [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 22315, 
> len 69)
> 09:53:31.682125 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 22613 MX? rabobank.com. (30) (ttl 63, id 5646, len 58)
> 09:53:34.883990 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  
> 33010 MX? rabobank.com. (30) (ttl 63, id 22316, len 58)
> 09:53:41.287865 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  
> 64414 MX? rabobank.com. (30) (ttl 63, id 5647, len 58)
> 09:53:47.691600 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  
> 32401 MX? rabobank.com. (30) (ttl 63, id 22317, len 58)

If I try to resolve 'rabobank.nl', I only see these packets:

> 09:54:40.319835 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  31758 
> [1au] MX? rabobank.nl. ar: . OPT UDPsize=512 (40) (ttl 63, id 3129, 
> len 68)
> 09:54:40.353814 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  
> 31758*- q: MX? rabobank.nl. 1/0/1 rabobank.nl. MX mail01.rabobank.nl. 
> 5 ar: . OPT UDPsize=4096 (63) (DF) (ttl 242, id 55891, len 91)

AND I get the response.


Soooo... Any ideas?



    Danilo
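
An added example, not part of the original post: a Python script that pairs queries and responses in a tcpdump trace like the one above by server address and DNS transaction ID, and counts per server how many queries went unanswered, split by whether the query carried an EDNS OPT record. The sample lines are abridged from the trace in the post and re-joined onto single lines; the regular expression assumes this older tcpdump output format, and the names LOCAL, TRACE, PKT and summarize are chosen here for illustration.

```python
import re
from collections import defaultdict

LOCAL = "178.79.70.66"  # resolver's address as it appears in the trace

# Abridged from the trace in the post, each packet re-joined onto one line.
TRACE = """\
09:53:23.680147 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok]  65295 [1au] A? ns4.nic.nl. ar: . OPT UDPsize=512 (39) (ttl 63, id 3123, len 67)
09:53:23.714178 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok]  65295*-% q: A? ns4.nic.nl. 1/0/1 ns4.nic.nl. A 95.142.99.212 ar: . OPT UDPsize=4096 (55) (DF) (ttl 242, id 44797, len 83)
09:53:24.477662 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  38139 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 5644, len 69)
09:53:25.278468 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  20564 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 22314, len 69)
09:53:31.682125 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok]  22613 MX? rabobank.com. (30) (ttl 63, id 5646, len 58)
09:53:34.883990 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok]  33010 MX? rabobank.com. (30) (ttl 63, id 22316, len 58)
"""

# time, src ip.port > dst ip.port, DNS id (+ response flags), optional
# "[1au]" marker (one additional record = EDNS OPT), then the question.
PKT = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"\[udp sum ok\]\s+(?P<id>\d+)\S* (?P<edns>\[\w+\] )?(?:q: )?"
    r"(?P<qtype>\w+)\? (?P<qname>\S+)"
)

def summarize(trace, local=LOCAL):
    """Return per-server counts of queries sent, answered and left unanswered."""
    pending = {}  # (server, DNS id) -> True if the query carried an OPT record
    stats = defaultdict(lambda: {"sent": 0, "answered": 0,
                                 "unanswered_edns": 0, "unanswered_plain": 0})
    for line in trace.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # not a DNS-over-UDP line in the expected format
        txid = int(m["id"])
        if m["src"] == local:  # outbound query from the resolver
            stats[m["dst"]]["sent"] += 1
            pending[(m["dst"], txid)] = bool(m["edns"])
        elif m["dst"] == local and (m["src"], txid) in pending:
            del pending[(m["src"], txid)]  # response matched to its query
            stats[m["src"]]["answered"] += 1
    for (server, _), edns in pending.items():
        stats[server]["unanswered_edns" if edns else "unanswered_plain"] += 1
    return dict(stats)

if __name__ == "__main__":
    for server, counts in summarize(TRACE).items():
        print(server, counts)
```

To run it over a full capture, join each packet onto one line first and pass the text to summarize().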



