Name Resolution issue with one domain

Mark Andrews marka at isc.org
Tue Mar 20 22:23:57 UTC 2012


Stupid firewall rules in front of the nameservers.  They block
traffic sent from port 53 which is the port lots of nameservers
used to send query traffic.  When will firewall administrators learn
that the source ports can be anything, that they are not significant,
and that blocking traffic based on the source port is stupid?

Mark

bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)

; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
;; global options: +cmd
;; connection timed out; no servers could be reached
bsdi# 


In message <4F68FE29.6060301 at ngtech.co.il>, Eliezer Croitoru writes:
> On 20/03/2012 21:48, babu dheen wrote:
> > Dear Anand,
> >
> > Thanks for the advice. Will follow these guidelines in future for sure.
> > Kindly let me know how I can fix this problem?
> >
> > If it's related to a remote domain NS issue, I shouldn't be able to resolve
> > the domain from anywhere continuously. But I am able to resolve it from
> > the internet without any issue. The problem is only from our company BIND
> > DNS server.
> > Below are the BIND GW logs:
> > client 10.1.1.3#63581: view localhost_resolver: query: www.dubaiairport.com IN A +E
> > client 10.1.1.3#63836: view localhost_resolver: query: www.dubaiairport.com IN A +
> > client 10.1.1.3#62249: view localhost_resolver: query: www.dubaiairport.com IN A +E
> > client 10.1.1.3#64215: view localhost_resolver: query: www.dubaiairport.com IN AAAA +
> > Below are the sniffer logs:
> > 3.351081 10.0.0.1 --> 213.42.52.75 DNS Standard Query A www.dubaiairport.com
> > 10.761810 10.0.0.2 --> 213.42.75.79 DNS Standard Query A www.dubaiairport.com
> > The above sniffer logs clearly show that we are not getting a response packet
> > from the www.dubaiairport.com NS.
> > Regards
> > Babudheen
> >
> 
> If I do understand this, DNS 213.42.52.75 is your DNS server?
> Can you try locally (on the DNS server) to do a dig/nslookup/host?
> It can be a routing issue also.
> 
> Regards,
> Eliezer
> 
> > ------------------------------------------------------------------------
> > *From:* Anand Buddhdev <anandb at ripe.net>
> > *To:* babu dheen <babudheen at yahoo.co.in>
> > *Cc:* Bind Users Mailing List <bind-users at lists.isc.org>
> > *Sent:* Monday, 19 March 2012 11:47 PM
> > *Subject:* Re: Name Resolution issue with one domain
> >
> > On 19/03/2012 21:28, babu dheen wrote:
> >
> > Babu,
> >
> >  > Dear Support,
> >  >
> >  > I am trying to resolve www.dubaiairport.com from my GW BIND server
> >  > as below. But not getting any output
> >  >
> >  > $ dig A www.dubaiairport.com
> >  > ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> >  > ;; global options: printcmd
> >  > ;; connection timed out; no servers could be reached
> >  >
> >  >
> >  > Whereas, when I try through dubaiairport.com NS, I am getting the
> >  > response as below. What could be the problem? Any idea?
> >
> > It could be any number of things, and your vague question doesn't
> > provide any useful information for anyone to even begin guessing at the
> > problem. First of all, learn how to ask smart questions:
> >
> > http://www.catb.org/~esr/faqs/smart-questions.html
> >
> > Next, try looking at the logs of your BIND server; perhaps it has logged
> > the reason for this resolution failure.
> >
> > Regards,
> >
> > Anand Buddhdev
> > RIPE NCC
> >
> 
> 
> -- 
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> elilezer <at> ngtech.co.il
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
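
The capture pattern in the message above, as an added example that is not part of the original post: this Python script pairs tcpdump DNS queries with their replies and groups the unanswered ones by source port, which is how a resolver operator can confirm that only queries sent from port 53 are being dropped. The first three capture lines are the ones quoted in the message; the last two (source port 40122, answer 192.0.2.10) are constructed for contrast, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# First three lines: the capture quoted in the message.
# Last two lines: constructed for contrast (ephemeral source port, documentation answer address).
CAPTURE = """
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:14:02.101000 211.30.172.21.40122 > 213.42.52.75.53:  18072+ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:14:02.120000 213.42.52.75.53 > 211.30.172.21.40122:  18072*- 1/0/1 A 192.0.2.10 (65)
"""

# time, src.port > dst.port:, query id (+flags), remainder of the line
LINE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+):\s+(\d+)\S*\s+(.*)$")
QUERY = re.compile(r"(?:\[\w+\]\s+)?([A-Z]+)\?\s+(\S+)")   # e.g. "[1au] A? name."
REPLY = re.compile(r"\d+/\d+/\d+")                          # answer/authority/additional counts


def unanswered_by_source_port(capture):
    """Return {source_port: [(server, qname, attempts), ...]} for queries with no reply."""
    attempts = defaultdict(int)   # (client, sport, server, query id) -> times sent
    names = {}
    answered = set()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, qid, rest = m.groups()
        q = QUERY.match(rest)
        if q and dport == "53":
            key = (src, sport, dst, qid)
            attempts[key] += 1          # retransmissions reuse the same id
            names[key] = q.group(2)
        elif REPLY.match(rest) and sport == "53":
            # A reply travels server -> client, so swap the endpoints to match the query key.
            answered.add((dst, dport, src, qid))
    report = defaultdict(list)
    for key, count in attempts.items():
        if key not in answered:
            _client, sport, server, _qid = key
            report[int(sport)].append((server, names[key], count))
    return dict(report)


if __name__ == "__main__":
    for port, misses in unanswered_by_source_port(CAPTURE).items():
        for server, qname, count in misses:
            print(f"source port {port}: {qname} to {server} sent {count}x, no reply")
```

If every unanswered query in the report shares source port 53 while the same question from a high port is answered, the filter is keyed on the source port rather than on the query itself.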


