Secondary DNS question...

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Mon Jun 24 20:22:56 UTC 2013


dnsviz.net was able to get response from both...looking at the "Response" section for SOA shows some differences.

Let's see if I can copy/paste it...

Guess not

Responses for starionline.com/SOA
---------------------------------
                                        Status  Returned by
                                                ns1     ns2

                                        OK      Y       Y
RR count (Answer/Authority/Additional)  OK      1/0/1   1/2/3
Response size (bytes)                   OK      104     168

Though maybe the different RR counts are by design....for my own domain (which is working :)

Responses for ksu.edu/SOA
-------------------------
                                        Status  Returned by
                                                ns-1    ns-2    ns-3    kic     nic

RR count (Answer/Authority/Additional)  OK      2/0/1   2/6/7   2/0/1   2/6/15  2/6/15
Response size (bytes)                   OK      248     1062    248     1830    1830

Interesting that kic/nic have additional information for my ns-# servers, while my servers don't provide additional information on kic/nic.  But, then I've never really paid attention to that before I finally took some DNS training last December.  Guess I had misunderstood the scope that a given server can provide additional information records for.  My ns-1 & ns-3 have minimal responses set.  Also my real master server is not ns-1 :)

Though before I turned on minimal responses...the first DDoS (that I know about) was directed only at ns-2.  The big one hit all 3, hitting the limit of our 2G pipe.  Turns out our datacenter only has a 2G link to the core, but among the summer projects is to upgrade to 20G.  Not in the loop on what the procera is licensed for (but last presentation it mentioned that it was licensed for 2G, there haven't been any presentations that I know of since the previous CISO retired...just over a year ago.)

Hadn't heard anything from kanren....


----- Original Message -----
> Interesting to note that querying for ANY does return an SOA.  I
> can't
> explain that behavior.
> 
> ================================
> C:\>dig ANY starionline.com @ns1.starionhost.net
> 
> ; <<>> DiG 9.8.0-P1 <<>> ANY starionline.com @ns1.starionhost.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64321
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;starionline.com.               IN      ANY
> 
> ;; ANSWER SECTION:
> starionline.com.        86400   IN      SOA     ns1.starionhost.net.
> info.starionhost.net. 2008122905 28800 7200 1209600
>  3600
> starionline.com.        86400   IN      NS      ns2.starionhost.net.
> starionline.com.        86400   IN      NS      ns1.starionhost.net.
> starionline.com.        86400   IN      MX      20
> mailfoundry.starionhost.net.
> starionline.com.        86400   IN      MX      10
> canit.starionhost.net.
> starionline.com.        86400   IN      A       74.87.108.83
> 
> ;; ADDITIONAL SECTION:
> ns1.starionhost.net.    86400   IN      A       74.87.108.83
> ns2.starionhost.net.    86400   IN      A       64.136.200.138
> canit.starionhost.net.  86400   IN      A       74.62.79.198
> mailfoundry.starionhost.net. 86400 IN   A       74.87.108.85
> 
> ;; Query time: 86 msec
> ;; SERVER: 74.87.108.83#53(74.87.108.83)
> ;; WHEN: Mon Jun 24 07:38:33 2013
> ;; MSG SIZE  rcvd: 255
> 
> 
> C:\>
> 
> 
> -----Original Message-----
> From: bind-users-bounces+frnkblk=iname.com at lists.isc.org
> [mailto:bind-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf
> Of
> Frank Bulk
> Sent: Saturday, June 22, 2013 8:56 PM
> To: 'SH Development'; bind-users at lists.isc.org
> Subject: RE: Secondary DNS question...
> 
> stariononline.com has two NSes listed, ns1.starionhost.net
> [74.87.108.83]
> and ns2.starionhost.net [64.136.200.138].  But the first one does not
> seem
> to want to respond (http://goo.gl/s41wN and http://dnscheck.iis.se/
> and
> http://www.zonecut.net/dns/index.cgi are just a few examples) to a
> few of
> the online checkers.  I checked with some others and it looks like
> you have
> no SOA set for ns1.starionhost.net:
> 
> ================================
> C:\>dig SOA starionline.com @ns1.starionhost.net
> 
> ; <<>> DiG 9.8.0-P1 <<>> SOA starionline.com @ns1.starionhost.net
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> C:\>
> ================================
> 
> Though the second one has one:
> ================================
> C:\>dig SOA starionline.com @ns2.starionhost.net
> 
> ; <<>> DiG 9.8.0-P1 <<>> SOA starionline.com @ns2.starionhost.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7010
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;starionline.com.               IN      SOA
> 
> ;; ANSWER SECTION:
> starionline.com.        86400   IN      SOA     ns1.starionhost.net.
> info.starionhost.net. 2008  3600
> 
> ;; AUTHORITY SECTION:
> starionline.com.        86400   IN      NS      ns1.starionhost.net.
> starionline.com.        86400   IN      NS      ns2.starionhost.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.starionhost.net.    86400   IN      A       74.87.108.83
> ns2.starionhost.net.    86400   IN      A       64.136.200.138
> 
> ;; Query time: 74 msec
> ;; SERVER: 64.136.200.138#53(64.136.200.138)
> ;; WHEN: Sat Jun 22 20:51:12 2013
> ;; MSG SIZE  rcvd: 157
> 
> 
> C:\>
> ================================
> And confirmed here:
> http://dns.squish.net/traverses/79b8efe4a31e6ddfce28f6abac444601
> 
> Frank
> 
> -----Original Message-----
> From: bind-users-bounces+frnkblk=iname.com at lists.isc.org
> [mailto:bind-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf
> Of SH
> Development
> Sent: Thursday, June 20, 2013 10:03 PM
> To: bind-users at lists.isc.org
> Subject: Secondary DNS question...
> 
> Our secondary DNS machine went down (and unnoticed for 24 hours).
> 
> Today, we had multiple people calling about email that hadn't come
> in, and
> trouble with outgoing emails not going out.
> 
> Our primary DNS was up the whole time.  So my question is, why would
> my
> secondary being down, and only my primary being up cause so many
> problems?
> I thought the whole idea behind having two DNS servers on different
> networks
> was to never have a failure like this.
> 
> My understanding was that when DNS is queried, the one that responds
> fastest
> is the information that is used.  If the secondary is down, then the
> primary
> would by default always be fastest (and only).
> 
> I think I reasonably understand basic DNS and the setup, but this has
> me
> thinking that something isn't set up right.
> 
> Can anyone shed any light on what might have happened here?  Could my
> primary not be responding as it should?  All the tests I have run on
> it show
> that it is responding normally.
> 
> Jeff
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
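
An added example, not part of the original message or of BIND/dig: a small Python parser that reduces dig transcripts like the ones quoted in this thread to the per-server status, `aa` flag, RR counts and response size compared in the tables above. The sample input is abbreviated from the quoted dig output; the function names are illustrative.

```python
import re

# Abbreviated dig output taken from the quoted messages in this thread.
SAMPLES = {
    "ns1 SOA": """; <<>> DiG 9.8.0-P1 <<>> SOA starionline.com @ns1.starionhost.net
;; global options: +cmd
;; connection timed out; no servers could be reached
""",
    "ns2 SOA": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7010
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; MSG SIZE  rcvd: 157
""",
    "ns1 ANY": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64321
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
;; MSG SIZE  rcvd: 255
""",
}

HEADER = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                   r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SIZE = re.compile(r"MSG SIZE\s+rcvd: (\d+)")

def summarize(text):
    """Reduce one dig transcript to the fields compared in the tables above."""
    if "connection timed out" in text:
        return {"status": "TIMEOUT", "aa": False, "rr": None, "size": None}
    status, flags, size = HEADER.search(text), FLAGS.search(text), SIZE.search(text)
    if not (status and flags):
        return {"status": "UNPARSED", "aa": False, "rr": None, "size": None}
    return {
        "status": status.group(1),
        "aa": "aa" in flags.group(1).split(),   # authoritative-answer flag
        "rr": "/".join(flags.group(i) for i in (3, 4, 5)),  # answer/authority/additional
        "size": int(size.group(1)) if size else None,
    }

def problems(results):
    """Labels whose response is missing, an error, or not authoritative."""
    return sorted(k for k, r in results.items()
                  if r["status"] != "NOERROR" or not r["aa"])

def report(samples):
    results = {label: summarize(text) for label, text in samples.items()}
    for label, r in results.items():
        print(f"{label:8} {r['status']:8} aa={r['aa']!s:5} rr={r['rr']} size={r['size']}")
    return results

if __name__ == "__main__":
    print("needs attention:", problems(report(SAMPLES)))
```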

