Help with unresolvable domain (subdomain, actually)
Mike Bernhardt
bernhardt at bart.gov
Wed Mar 2 18:21:41 UTC 2011
What's really strange is that when we attempt a query, be it DIG or an
attempt to browse tools.cisco.com, they send some sort of query back to us
from/to UDP 53. We drop it at the firewall due to some sort of "sanity
check" so I can't see the contents. This is in addition to the SERVFAIL
message.
Although I get SERVFAIL, Kloth.net does not, even if we DIG the same server:
cax01-bb14-dcz01n-gss1.cisco.com
From Kloth
; <<>> DiG 9.3.2 <<>> @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; ANSWER SECTION:
tools.cisco.com. 20 IN A 72.163.4.38
;; Query time: 131 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar 2 19:15:04 2011
;; MSG SIZE rcvd: 49
From Us
[root@ns1 ~]# dig -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
; <<>> DiG 9.4.3-P3 <<>> -b 148.165.3.10 @cax01-bb14-dcz01n-gss1.cisco.com tools.cisco.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26463
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;tools.cisco.com. IN A
;; Query time: 45 msec
;; SERVER: 173.37.144.100#53(173.37.144.100)
;; WHEN: Wed Mar 2 10:15:31 2011
;; MSG SIZE rcvd: 33
So I wonder if the query they make is some kind of authentication attempt?
-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Tuesday, March 01, 2011 3:31 PM
To: Kevin Darcy
Cc: bind-users at isc.org
Subject: Re: Help with unresolvable domain (subdomain, actually)
In message <4D6D7268.1080305 at chrysler.com>, Kevin Darcy writes:
> I got a trouble ticket on this too.
>
> From the looks of things, Cisco is using GSSes to load-balance this
> site. GSSes return SERVFAIL if all of the resources behind the
> load-balancer are down (which it determines via a heartbeat mechanism).
> So I think this is a "simple" case of a website (or cluster) going down.
> It was down earlier today, then up again, as of this writing, it is down
> again.
>
> DNS doesn't really have a response code of "requested resource not
> available", so SERVFAIL is Cisco's closest approximation. It has the
> drawback, however, of often making other sorts of problems appear to be
> DNS problems. That's just a cross that we DNS admins have to bear...
>
> - Kevin
Then the load balancer should return default records or 0.0.0.0/:: to
indicate the name is good but doesn't currently have an address.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
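The two dig results in this thread differ only in their header bits and answer section. As an added example (not part of the original messages), the Python below decodes DNS messages constructed from the fields dig printed for each response and separates SERVFAIL from the "name is good but has no address" reply suggested above; the function names and classification labels are assumptions of this example.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_response(msg_id, flags, name, addrs=(), ttl=20):
    """Build a constructed DNS response to an A query (sample data, not a capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", msg_id, flags, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!2H", 1, 1)          # QTYPE=A, QCLASS=IN
    for ip in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += struct.pack("!3HIH", 0xC00C, 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return msg

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # pointer: two bytes, name ends here
            return off + 2
        off += 1 + n
        if n == 0:                # root label
            return off

def parse_response(msg):
    """Decode header fields and any A records from a DNS response."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return {"id": msg_id, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "addrs": addrs, "size": len(msg)}

def classify(r):
    """Separate 'the server failed' from 'the name is fine but has no address'."""
    if r["rcode"] != "NOERROR":
        return r["rcode"]
    if not r["addrs"]:
        return "NODATA"
    return "NO-ADDRESS-SENTINEL" if set(r["addrs"]) == {"0.0.0.0"} else "ANSWER"

KLOTH = build_response(41388, 0x8500, "tools.cisco.com", ["72.163.4.38"])  # qr aa rd
OURS = build_response(26463, 0x8102, "tools.cisco.com")                    # qr rd, rcode 2
```

The constructed messages come out at 49 and 33 bytes, the same MSG SIZE values dig reported for the two responses.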