Long root server queries
Jim Reid
jim at rfc1035.com
Mon Jul 17 13:40:02 UTC 2000
>>>>> "George" == George Lewis <GLEWIS at fcc.gov> writes:
George> Hi, We recently upgraded to 8.2.2-p5. During some testing
George> it appeared as though it was taking longer than what
George> seemed "reasonable" to return a result on a query that
George> had a bad domain name. Further investigation showed
George> that it was apparently querying all of the root servers
George> before returning with a result. Setting up a test system
George> and limiting it to one root server didn't seem to
George> change its behaviour. It is apparently still getting the
George> complete list of root servers and querying them all. Our
George> impression is that the first root server is not returning
George> the "bad domain" info, or our server is not
George> understanding or acting upon that info and is querying
George> the next root server.
A more likely explanation is that the queries are not getting to the
root name servers or their answers are not coming back. Read on.
George> Shouldn't the first root server
George> return the correct info assuming it's responding?
That depends on what you asked and your definition of "correct
answer". In general, root servers return referrals to other name
servers. These answers are correct, though they're not necessarily the
exact answer to the question that was originally asked.
George> Would you have any idea as to what might be happening and
George> how we might address it.
The behaviour you describe is very unusual. If the root name servers
were broken as you suggest, the internet would have stopped. Someone
might possibly have noticed that by now. :-)
So, your problem is likely to be a local one. [Where are the config
files, logs and debugging traces from the name server to back up your
hypothesis?] I suspect that you've been bitten by your firewall
configuration. BIND8 by default uses a random UDP port when querying
other name servers. In BIND4, those queries always came from port 53.
[You didn't say what you upgraded from: was it BIND4?] Maybe your
firewall is preventing those queries going out to the Internet? Or
it's stopping the replies from coming in? If so, either you change
your firewall/router setup or make the name server use a fixed port
number when querying another name server. The query-source clause in
the options{} statement can do this. You can even configure BIND8 name
servers to use port 53 for those queries, though it's probably better
if an unprivileged port number is chosen.
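The query-source clause the reply refers to, as an added illustration (this fragment is not from the original post or from the BIND distribution; the directory path and the port number 1053 are assumed, pick whatever suits your site). The first clause is the BIND8 default, which picks a fresh ephemeral UDP port for each outbound query; the second pins every query to one unprivileged port so a stateless firewall can be opened for exactly that flow:

```conf
options {
        directory "/var/named";        // assumed; use your own zone directory

        // BIND8 default: any local address, a random unprivileged port per query.
        // query-source address * port *;

        // Pinned source port so the firewall rules can be written precisely:
        //   outbound  UDP  src port 1053  ->  dst port 53
        //   inbound   UDP  src port 53    ->  dst port 1053
        query-source address * port 1053;   // 1053 is an assumed value
};
```

Two caveats. query-source only governs UDP queries; a truncated answer is retried over TCP from an ordinary ephemeral port, so TCP 53 outbound and its replies still need a firewall rule. And pinning the port discards source-port randomisation, which is one of the few defences a caching resolver has against forged answers from an attacker guessing the query's port and ID; where the firewall can be made stateful or opened for the full ephemeral range, that is the better fix than a fixed port.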