Domain Not Resolving

Cathy Almond cathya at isc.org
Thu Nov 23 18:01:18 UTC 2017


On 22/11/2017 14:12, Ron Wingfield wrote:
> . . .well, I've received a lot of comment from several people, _most
> quite helpful and appreciated_; . . .some rather critical and
> condescending.  Regardless, I'll just pursue this resolve while using
> other resources.  (BTW, under consideration,
> "https://www.iana.org/help/nameserver-requirements".)
> 
> Thanks again, RW

As everyone has said, the reason DNS resolution isn't working is because
your DNS servers aren't responding to DNS queries on UDP port 53 - as
can be seen here:

http://dnsviz.net/d/archaxis.net/WhcDMQ/dnssec/

(dnsviz.net is not only useful for troubleshooting dnssec problems).

The delegation to archaxis.net is present in the net. zone - so this
isn't something that your registrar has broken (although they don't know
about the other two nameserver names alpha and bravo, but since they all
point to the same IP address, adding them isn't going to make any
significant difference to your DNS service anyway, and it's certainly
not why it isn't working now).

The problem might be in routers and firewalls (e.g. blocking DNS
traffic).  You can confirm if that is so or not by using dig on the
server itself to its external address (162.202.233.81) or to the
loopback interface.  If the server responds locally then (assuming you
haven't changed your configuration at all) the problem is not with
BIND and you need to research further afield.

** I find that I can ping 162.202.233.81 - this means that *something*
is responding on that address but that something might not be your
server (also worth checking for).

One good question to explore would be what might have changed on 3
November elsewhere in your network infrastructure - updates to routers,
firewalls, new equipment installed, new DHCP servers brought up, new
subnets added to DHCP servers and so on.

===

Once you've resolved why your nameservers aren't reachable, for whatever
reason(s) that might be, everyone who has exhorted you to upgrade the
version of BIND you're running is correct to do so - you're vulnerable
to several defects, some quite nasty.  Please do consider upgrading.

If this domain is not important to you (as in, it's not one that is
integral to a commercial or business service), then it probably doesn't
matter that you have only one nameserver serving it and that
occasionally it's unavailable, particularly if the services being
provided are also hosted on that same machine (so if the machine is
'out' it doesn't matter that the DNS is also 'out').

On the other hand, if you're expecting to have services for
archaxis.net available 24x7 then you do absolutely need more resiliency
in your authoritative DNS.

But that I leave with you to consider...

Cathy
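
The local check described in the message above (query the server from itself on its external address and on loopback), as an added example that is not part of the original post. It is meant to be run on the name server; the function names are hypothetical, and the "no local answer" branch of `diagnose` is an inference the message does not state.

```python
import socket
import struct

def build_query(name, qtype=6, qid=0x1234):
    """Encode a one-question DNS query (qtype 6 = SOA, class IN, RD clear)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def probe_udp(addr, name, port=53, timeout=3.0, qid=0x1234):
    """Send one query over UDP and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            s.send(build_query(name, qid=qid))
            reply = s.recv(4096)
        except socket.timeout:
            return "timeout"        # no reply at all: dropped or never delivered
        except ConnectionRefusedError:
            return "port-closed"    # ICMP port unreachable: nothing listening
        except OSError as exc:
            return "error: %s" % exc
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:    # wrong ID, or QR bit not set
        return "malformed"
    return "answered rcode=%d aa=%d" % (flags & 0xF, (flags >> 10) & 1)

def diagnose(results):
    """Apply the message's reasoning to the local probe results."""
    if any(r.startswith("answered") for r in results):
        return "server answers locally: problem is not with BIND, look further afield"
    # Inference added for this example, not stated in the message.
    return "no local answer: check that named is running and listening"

if __name__ == "__main__":
    # Addresses and zone name are the ones given in the message.
    targets = ["127.0.0.1", "162.202.233.81"]
    results = [probe_udp(t, "archaxis.net") for t in targets]
    for target, result in zip(targets, results):
        print("%-16s %s" % (target, result))
    print(diagnose(results))
```

A `timeout` from outside combined with `answered` locally matches the symptom DNSViz reports for this zone.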


More information about the bind-users mailing list