resolving-problem

John Wingenbach bind at wingenbach.org
Tue Jul 23 16:56:41 UTC 2013


Don't confuse dig +trace with what is happening or not at your name 
server.  When trace is enabled, dig performs the queries needed itself 
from the location the dig is run.  So, in other words, if your system is 
not allowed to send or receive DNS packets, then you'll never be able to 
perform a resolution and you will get the error noted below.  Any and 
all recursion performed by name servers on your behalf will mean 
different behaviour vs a +trace.

To correctly determine where the resolution is failing, the dig needs to 
be run from the outside (closest to the internet) inward.  Do not bother 
using +trace when your system is not by default performing the entire 
resolution.  When you find the system which is failing to resolve the 
name, then you know it is a problem w/ that system and its next step 
towards the internet.

-- John


On 7/23/2013 12:35 PM, Shawn Bakhtiar wrote:
> Do you run your name servers from behind a firewall, or is your 
> firewall (iptables) turned on?
>
> We run our name servers from behind a firewall, my network computers 
> give the same problem when I run dig +trace www.fransiplus.com
>
> The only place I can run the dig +trace www.fransiplus.com without 
> failing is on the external authoritative servers.
>
> There is a good explanation of why this fails here:
> https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;CategoryID=21;ItemID=75
>
> But I think this is a different problem than not being able to 
> resolve fransiplus.com from your PC
>
>
>
> ------------------------------------------------------------------------
> From: mejaz at cyberia.net.sa
> To: sjcarr at gmail.com
> Subject: RE: resolving-problem
> Date: Tue, 23 Jul 2013 11:36:46 +0300
> CC: bind-users at lists.isc.org
>
> Thank you so much for your email and support,
>
> Please see the dig +trace output when using ns1.nesma.net.sa; at the 
> end it says connection timed out. So can you please find out where the 
> problem is coming from?
>
> [root at ns1 ~]# dig +trace www.fransiplus.com, ...
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> +trace www.fransiplus.com
> ;; global options: +cmd
> .                 504930  IN  NS  j.root-servers.net.
> .                 504930  IN  NS  c.root-servers.net.
> .                 504930  IN  NS  a.root-servers.net.
> .                 504930  IN  NS  e.root-servers.net.
> .                 504930  IN  NS  f.root-servers.net.
> .                 504930  IN  NS  k.root-servers.net.
> .                 504930  IN  NS  g.root-servers.net.
> .                 504930  IN  NS  l.root-servers.net.
> .                 504930  IN  NS  i.root-servers.net.
> .                 504930  IN  NS  d.root-servers.net.
> .                 504930  IN  NS  m.root-servers.net.
> .                 504930  IN  NS  b.root-servers.net.
> .                 504930  IN  NS  h.root-servers.net.
> ;; Received 512 bytes from 212.119.64.2#53(212.119.64.2) in 5388 ms
>
> com.              172800  IN  NS  m.gtld-servers.net.
> com.              172800  IN  NS  c.gtld-servers.net.
> com.              172800  IN  NS  i.gtld-servers.net.
> com.              172800  IN  NS  a.gtld-servers.net.
> com.              172800  IN  NS  l.gtld-servers.net.
> com.              172800  IN  NS  g.gtld-servers.net.
> com.              172800  IN  NS  d.gtld-servers.net.
> com.              172800  IN  NS  k.gtld-servers.net.
> com.              172800  IN  NS  f.gtld-servers.net.
> com.              172800  IN  NS  b.gtld-servers.net.
> com.              172800  IN  NS  e.gtld-servers.net.
> com.              172800  IN  NS  h.gtld-servers.net.
> com.              172800  IN  NS  j.gtld-servers.net.
> ;; Received 508 bytes from 192.33.4.12#53(192.33.4.12) in 1789 ms
>
> fransiplus.com.   172800  IN  NS  ns1.alfransi.com.sa.
> fransiplus.com.   172800  IN  NS  ns2.alfransi.com.sa.
> ;; Received 87 bytes from 192.5.6.30#53(192.5.6.30) in 202 ms
>
> ;; connection timed out; no servers could be reached
>
> Ejaz
>
> ------------------------------------------------------------------------
>
> From: Steven Carr [mailto:sjcarr at gmail.com]
> Sent: Sunday, July 21, 2013 3:09 PM
> To: Ejaz
> Cc: Bind users
> Subject: Re: resolving-problem
>
> So the logs would seem to indicate that the server responded to your 
> PC, the only way you can see exactly what happened with that response 
> is with traffic captures on the name server and your PC.
>
> Steve
>
>
> On 21 Jul 2013, at 12:52, "Ejaz" <mejaz at cyberia.net.sa> wrote:
>
> I can resolve yahoo, and here is the snippet of logs:
>
> 21-Jul-2013 14:46:11.119 queries: info: client 212.119.65.13#2007: query: yahoo.com.cyberia.net.sa IN A + (212.71.32.19)
> 21-Jul-2013 14:46:11.122 queries: info: client 212.119.65.13#2008: query: yahoo.com IN A + (212.71.32.19)
>
> Whereas I can't resolve fransiplus; here are the logs:
>
> 21-Jul-2013 14:46:19.135 queries: info: client 212.119.65.13#2009: query: fransiplus.com.cyberia.net.sa IN A + (212.71.32.19)
> 21-Jul-2013 14:46:19.138 queries: info: client 212.119.65.13#2010: query: fransiplus.com IN A + (212.71.32.19)
>
> I didn't see any difference.
>
> Ejaz
>
>
> _______________________________________________ Please visit 
> https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list bind-users mailing list bind-users at lists.isc.org 
> https://lists.isc.org/mailman/listinfo/bind-users

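The outside-inward check described at the top of this message, as an added example that is not part of the original thread: it reads a `dig +trace` transcript, finds the delegation where the walk stalled, and prints the non-recursive queries to repeat on each host from the Internet edge inward. The helper names `trace_summary` and `next_checks` are hypothetical, and the sample input is constructed from the trace quoted above.

```shell
#!/bin/sh
# Constructed sample: the tail of the +trace output quoted in this thread.
SAMPLE_TRACE='com. 172800 IN NS a.gtld-servers.net.
;; Received 508 bytes from 192.33.4.12#53(192.33.4.12) in 1789 ms
fransiplus.com. 172800 IN NS ns1.alfransi.com.sa.
fransiplus.com. 172800 IN NS ns2.alfransi.com.sa.
;; Received 87 bytes from 192.5.6.30#53(192.5.6.30) in 202 ms
;; connection timed out; no servers could be reached'

# trace_summary (hypothetical helper): reads dig +trace output on stdin and
# reports the last server that replied, the last delegation it handed out,
# and whether the walk then stalled with a timeout.
trace_summary() {
    awk '
        BEGIN { newblock = 1 }
        $4 == "NS" {
            # First NS line after a "Received" line starts a new delegation.
            if (newblock) { zone = $1; ns = ""; newblock = 0 }
            ns = ns (ns == "" ? "" : " ") $5
        }
        /^;; Received/ { split($6, a, "#"); last = a[1]; newblock = 1 }
        /connection timed out/ { timeout = 1 }
        END {
            print "last_answered=" last
            print "last_zone=" zone
            print "last_ns=" ns
            print "timed_out=" (timeout ? "yes" : "no")
        }'
}

# next_checks (hypothetical helper): for the delegation where the trace
# stalled, print the non-recursive queries to repeat on each host along the
# path, starting at the Internet edge and moving inward.
next_checks() {
    qname=$1
    ns_list=$(trace_summary | sed -n 's/^last_ns=//p')
    for ns in $ns_list; do
        printf 'dig +norecurse @%s %s A\n' "$ns" "$qname"
    done
}

printf '%s\n' "$SAMPLE_TRACE" | trace_summary
printf '%s\n' "$SAMPLE_TRACE" | next_checks www.fransiplus.com
```

The first host, counting inward, on which the printed queries time out marks the failing hop: that system or its next step towards the Internet.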