Recursive queries fail if query source port is not fixed
Andrey G. Sergeev (AKA Andris)
andris at aernet.ru
Thu Aug 14 12:47:50 UTC 2008
Hello Hans,
Thu, 14 Aug 2008 14:05:21 +0200 Hans F. Nordhaug wrote:
>> Assuming that your name servers aren't authoritative for the, say,
>> yandex.ru, ku.dk and asahi.co.jp zones, please post here the
>> results of doing at least one command suggested below without the
>> query-source directive specified in your named.conf.
>>
>> dig images.yandex.ru. a +tra
> [cut]
>
> Thx for replying. I did a query for the a record of images.yandex.ru
> with and without the trace. With trace, I get a reply - without
> trace, I don't (see below). (Well, I do - but after 3-4 repeated
> queries.) I really don't get it.
What number of queries have you done with trace enabled?
> If I should guess, it must be dig sending the queries differently
> when tracing.
Yes. I suggest you obtain a traffic dump between g4.tibe.no and
the outside world while doing the queries without trace enabled.
> If it is the firewall (Cisco ASA 5510) being overwhelmed, I don't
> know where to look - I have tried...
> ; <<>> DiG 9.3.4-P1 <<>> @g4.tibe.no images.yandex.ru. a
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42214
^ ^^^^^^^^^^^^^^^^
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;images.yandex.ru. IN A
>
> ;; Query time: 1 msec
^^^^^^^^^^^^^^^^^^^^^^^
An interesting fact. Much like your query has been aborted and now you
should try to understand at which phase.
> ;; SERVER: 213.161.248.67#53(213.161.248.67)
> ;; WHEN: Thu Aug 14 13:57:13 2008
> ;; MSG SIZE rcvd: 34
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/