Intermittent NXDOMAIN for a name we are forwarding
blrmaani at gmail.com
Mon Feb 29 05:25:09 UTC 2016
On Sunday, February 21, 2016 at 8:46:19 PM UTC-8, Mark Andrews wrote:
> In message <2f868c2b-d04b-4caf-abd7-8176352ccfa5 at googlegroups.com>, blrmaani wr
> > On Friday, February 19, 2016 at 5:09:02 PM UTC-8, blrmaani wrote:
> > > We have a DNS setup where we forward a name in one domain to 5 external nam
> > eservers. We see NXDOMAIN error intermittently (once in couple of weeks). How
> > do I debug this issue?
> > >
> > > I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in "Una
> > ssociated entries" when the problem happens.
> > >
> > > Any advice to troubleshoot this issue is greatly appreciated.
> > >
> > > Thanks
> > > Blr
> > the cache dump also has this entry (myname.mydomain.com is name I am interest
> > ed in)
> > myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
> > Which probably means if anyone requests for myname.mydomain.com, they will be
> > handed NXDOMAIN for upto 10324 seconds from now..
> > Our current work around is to restart named (which cache) or we could do a 'r
> > ndc flush'.
> > Question: Is there a BIND option to say 'Don't cache myname.mydomain.com for
> > NXDOMAIN error code?'
> No. Fix the source of the NXDOMAIN. Ask all the external nameservers
> for "myname.mydomain.com type666" and see what they respond with. If
> it is NXDOMAIN then you have the source(s) if the NXDOMAIN.
> dig @server myname.mydomain.com type666
> This is a case of Garbage In (NXDOMAIN) - Garbage Out (NXDOMAIN).
> > Alternatively, I can have a local query for this and flush cache if error cod
> > e is NXDOMAIN, but is hacky.. I would like a config option
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > from this list
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Thanks a lot for the responses ..
I ran dig several times in a loop querying for the name with type=type666 and see only SERVFAIL. The NXDOMAIN occurs approx once in 2 weeks (per incident report). I guess I have to run several iterations of queries to see NXDOMAIN..
I see this in the cache dump:
myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
<SOA line for the above domain here>
More information about the bind-users