DNS problems / unable to reach authoritative server?

Greg Chavez greg.chavez at gmail.com
Wed Sep 13 15:13:02 UTC 2006


On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
>
> I have a weird DNS problem where some of my DNS servers (customer
> resolvers) can see a domain, and some can't. From the ones that can,
> everything works fine. From the ones that don't, I get timeouts when
> doing a host or a dig, but I can request information from the auth DNS
> server for that domain without a problem. The question is, where in the
> chain is it failing to tell the server that doesn't work, where to get
> the information?

phila.gov runs *crazy* old BIND.  I mean version 4 somewhere.  My
government outfit had a big problem with it a few months back:

http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85

I was remiss and never posted the solution.  But I will do that now.

At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
haven't already!).  Mail to phila.gov was queuing up on our mail
relays because queries to that domain by our DNS forwarders were
timing out.  Queries were sent with a source port that, while
configured as random, was being deterministically set to 32768
(2^15... the max value of a 16-bit number):

  query-source address * port 53;

This by itself is not a problem and in fact is expected, documented
BIND behavior; to wit, we had no trouble sending and receiving
responses to DNS queries from virtually all other Internet domains our
users were hitting.  With little else left in our toolbox, however,
we changed this to use a static, unprivileged port.  After that,
phila.gov queries started resolving and our queues spilled forth.

  query-source address * port 8765;

Don't know whyfore this worked, but it did.  The true solution of
course, would be for phila.gov to enter the 21st century.  Oh well.
Hope this helps you.

> ---- working one
> [nbrenckle at ns1 ~]$ host www.phila.gov
> www.phila.gov has address 170.115.249.40
> [nbrenckle at ns1 ~]$ dig phila.gov
>
> ; <<>> DiG 9.2.4 <<>> phila.gov
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;phila.gov.                     IN      A
>
> ;; ANSWER SECTION:
> phila.gov.              18536   IN      A       170.115.249.40
>
> ;; AUTHORITY SECTION:
> phila.gov.              18536   IN      NS      dns2.phila.gov.
> phila.gov.              18536   IN      NS      dns.phila.gov.
>
> ;; Query time: 6 msec
> ;; SERVER: 209.87.64.70#53(209.87.64.70)
> ;; WHEN: Tue Sep 12 09:47:58 2006
> ;; MSG SIZE  rcvd: 80
>
> [nbrenckle at ns1 ~]$
>
> ---- not working one (but see last info - 170.115.249.10 is the IP of
> dns2.phila.gov from the above dig)
>
> [nbrenckle at dnsr01 ~]$ host www.phila.gov
> ;; connection timed out; no servers could be reached
> [nbrenckle at dnsr01 ~]$ dig phila.gov
>
> ; <<>> DiG 9.2.4 <<>> phila.gov
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> Using domain server:
> Name: 170.115.249.10
> Address: 170.115.249.10#53
> Aliases:
>
> www.phila.gov has address 170.115.249.40
> [nbrenckle at dnsr01 ~]$