Can Find Name Servers, but Can't Get result

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 1 23:03:00 UTC 2001


First of all, if you are using nslookup to troubleshoot this problem, please
don't. Use "dig" instead. When nslookup reports "Non-existent
host/domain" often what it _really_ means is that it got a failure for the
real query (e.g. a SERVFAIL) response and then an NXDOMAIN for the subsequent
"search algorithm"-generated query, e.g.
www.ameritrade.com.yourlocaldomain.com. This misreporting of errors is yet
another reason why nslookup sucks. If you can't use dig, then at least turn
on nslookup's debug mode so that you can see what it's really doing.

Once nslookup's veil of confusion is lifted from your eyes, if you see that
you are getting an NXDOMAIN (or 0 answers) for the www.ameritrade.com query,
then I'd dump the cache when the problem occurs. In the dump, you should be
able to see where the bad response is coming from.

By the way, do you have query-source set in your config? If so, then maybe a
firewall is interfering with your nameserver's queries. This would explain
why the query works when you point your lookup tool to the authoritative
nameserver yet your nameserver can't resolve the name -- the lookup tool is
probably using a different source port range for its outgoing queries than
the nameserver is.


-Kevin

Roy Rapoport wrote:

> On my client machine (running BIND 8.2.3, pointing to itself as the first
> nameserver in /etc/resolv.conf), trying to retrieve the IP address for
> www.ameritrade.com, I get Non-existent host/domain.  However, I can easily
> query for the nameservers for this domain and, when I query them from this
> machine, I get the correct IP address for this host.   I've read the BIND
> FAQ to no avail.
>
> How the heck do I debug this? How is it that I can find the authoritative
> NS's, they know the IP, but I can't get the IP?
>
> -roy
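
The dig-versus-nslookup point above, as an added example that is not part of the original message: it reads dig output and reports the response code and answer count of each query, so a SERVFAIL on the real name is not hidden behind the NXDOMAIN for the search-list name. The function names, the sample dig output, and the 127.0.0.1 server address in the comment are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use (needs network, not run here):
#   dig www.ameritrade.com. @127.0.0.1 | triage

# Print "<rcode> <answer-count>" from the header lines of dig output on stdin.
dig_summary() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { rc = $(i+1); sub(/,$/, "", rc) } }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") { n = $(i+1); sub(/,$/, "", n) } }
        END { if (rc == "") exit 1; print rc, n + 0 }
    '
}

# Map the real response to the next step suggested in the message.
triage() {
    summary=$(dig_summary) || { echo "no DNS header found"; return 2; }
    rc=${summary% *}; n=${summary#* }
    case "$rc:$n" in
        NOERROR:0|NXDOMAIN:*) echo "$rc answers=$n: negative answer; dump the cache and look for its source" ;;
        NOERROR:*)            echo "$rc answers=$n: resolved" ;;
        *)                    echo "$rc answers=$n: real failure; nslookup may report the later search-list NXDOMAIN instead" ;;
    esac
}

# Constructed dig output (not captured from a real server): the real query.
sample_real_query() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ameritrade.com.		IN	A
EOF
}
# Constructed dig output: the query generated by the search algorithm.
sample_search_query() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ameritrade.com.yourlocaldomain.com.	IN	A
EOF
}

sample_real_query | triage
sample_search_query | triage
```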




