Martin, what do you see if you do a packet capture on the host where you're running dig? How 'bout at the border of your network? Obviously traffic's not making it through, but where? Any sort of split routing paths that might be involved?<br>
<br>John<br><br><div class="gmail_quote">On Wed, Oct 31, 2012 at 8:54 AM, Martin McCormick <span dir="ltr"><<a href="mailto:martin@dc.cis.okstate.edu" target="_blank">martin@dc.cis.okstate.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I described a case where one of our remote campuses can't<br>
resolve a number of remote domains. One example is <a href="http://noaa.gov" target="_blank">noaa.gov</a>. It<br>
also successfully resolves random remote domains without<br>
seemingly any rime or reason.<br>
<br>
Here is a bad dig trace for <a href="http://noaa.gov" target="_blank">noaa.gov</a><br>
<br>
<br>
; <<>> DiG 9.7.7 <<>> @localhost +trace <a href="http://noaa.gov" target="_blank">noaa.gov</a><br>
; (2 servers found)<br>
;; global options: +cmd<br>
. 453464 IN NS <a href="http://b.root-servers.net" target="_blank">b.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://l.root-servers.net" target="_blank">l.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://a.root-servers.net" target="_blank">a.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://i.root-servers.net" target="_blank">i.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://j.root-servers.net" target="_blank">j.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://f.root-servers.net" target="_blank">f.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://g.root-servers.net" target="_blank">g.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://e.root-servers.net" target="_blank">e.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://h.root-servers.net" target="_blank">h.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://d.root-servers.net" target="_blank">d.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://c.root-servers.net" target="_blank">c.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://k.root-servers.net" target="_blank">k.root-servers.net</a>.<br>
. 453464 IN NS <a href="http://m.root-servers.net" target="_blank">m.root-servers.net</a>.<br>
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 320 ms<br>
<br>
gov. 172800 IN NS <a href="http://b.gov-servers.net" target="_blank">b.gov-servers.net</a>.<br>
gov. 172800 IN NS <a href="http://a.gov-servers.net" target="_blank">a.gov-servers.net</a>.<br>
;; Received 133 bytes from 192.58.128.30#53(192.58.128.30) in 210 ms<br>
<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-e.noaa.gov" target="_blank">ns-e.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-mw.noaa.gov" target="_blank">ns-mw.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-nw.noaa.gov" target="_blank">ns-nw.noaa.gov</a>.<br>
<br>
This trace took several minutes since no successful<br>
resolution was made.<br>
<br>
Here is a good trace using our DNS.<br>
<br>
<br>
; <<>> DiG 9.8.1-P1 <<>> +trace @localhost <a href="http://noaa.gov" target="_blank">noaa.gov</a><br>
; (2 servers found)<br>
;; global options: +cmd<br>
. 369104 IN NS <a href="http://d.root-servers.net" target="_blank">d.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://j.root-servers.net" target="_blank">j.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://b.root-servers.net" target="_blank">b.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://g.root-servers.net" target="_blank">g.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://i.root-servers.net" target="_blank">i.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://e.root-servers.net" target="_blank">e.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://l.root-servers.net" target="_blank">l.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://m.root-servers.net" target="_blank">m.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://h.root-servers.net" target="_blank">h.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://f.root-servers.net" target="_blank">f.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://c.root-servers.net" target="_blank">c.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://a.root-servers.net" target="_blank">a.root-servers.net</a>.<br>
. 369104 IN NS <a href="http://k.root-servers.net" target="_blank">k.root-servers.net</a>.<br>
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 497 ms<br>
<br>
gov. 172800 IN NS <a href="http://a.gov-servers.net" target="_blank">a.gov-servers.net</a>.<br>
gov. 172800 IN NS <a href="http://b.gov-servers.net" target="_blank">b.gov-servers.net</a>.<br>
;; Received 133 bytes from 192.112.36.4#53(192.112.36.4) in 439 ms<br>
<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-e.noaa.gov" target="_blank">ns-e.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-mw.noaa.gov" target="_blank">ns-mw.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-nw.noaa.gov" target="_blank">ns-nw.noaa.gov</a>.<br>
;; Received 133 bytes from 69.36.157.30#53(69.36.157.30) in 224 ms<br>
<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN A 140.90.200.21<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN A 140.172.17.21<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN A 129.15.96.21<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-e.noaa.gov" target="_blank">ns-e.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-mw.noaa.gov" target="_blank">ns-mw.noaa.gov</a>.<br>
<a href="http://noaa.gov" target="_blank">noaa.gov</a>. 86400 IN NS <a href="http://ns-nw.noaa.gov" target="_blank">ns-nw.noaa.gov</a>.<br>
;; Received 181 bytes from 140.90.33.237#53(140.90.33.237) in 37 ms<br>
<br>
Barry Margolin writes:<br>
> I'm not sure what you mean by that sentence about getting authoritative<br>
> DNSs from X when it sbould be from Y. Can you post the actual dig?<br>
><br>
> BTW, @servername doesn't mean much when using +trace, since +trace<br>
> queries the servers listed in NS records, not a resolver.<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>John Miller<br>Systems Engineer<br>Brandeis University<br><a href="mailto:johnmill@brandeis.edu">johnmill@brandeis.edu</a><br>(781) 736-4619<br>