BIND can't resolve with unreachable second NS
Bob Rahe
bob at hobbes.dtcc.edu
Fri May 9 13:57:40 UTC 2008
+------ On May 9, 8:30, Mark Andrews wrote:
|>
|> Idiot with firewall.
Well, a bit of an obscure answer... 8-) But... gave me a clue... Turns
out, a LONG time ago (2002) we had uncommented this line in named.conf:
/* query-source address * port 53; */
So your first example got me thinking about that port # and I remembered
that line... commented it back up and voilà! It's working!
Thanks,
Bob
|>
|>drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
|>
|>; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
|>; (1 server found)
|>;; global options: printcmd
|>;; connection timed out; no servers could be reached
|>drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com
|>
|>; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com
|>; (1 server found)
|>;; global options: printcmd
|>;; Got answer:
|>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30063
|>;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
|>
|>;; QUESTION SECTION:
|>;www.childcaremanager.com. IN A
|>
|>;; ANSWER SECTION:
|>www.childcaremanager.com. 0 IN CNAME childcaremanager.com.
|>childcaremanager.com. 3600 IN A 69.9.147.35
|>
|>;; Query time: 213 msec
|>;; SERVER: 69.9.147.35#53(69.9.147.35)
|>;; WHEN: Fri May 9 08:29:57 2008
|>;; MSG SIZE rcvd: 72
|>
|>drugs#
|>
|>> A puzzle...
|>>
|>> Solaris 10, BIND 9.4.2.
|>>
|>> We've been having a problem resolving a web site name.
|>>
|>> Trying to resolve www.childcaremanager.com. Turns out that is a CNAME
|>> to childcaremanager.com.
|>>
|>> THAT domain claims to have 2 dns servers:
|>>
|>> ns1.ccmturbo.com at 69.9.147.35
|>> and ns2.ccmturbo.com at 69.9.147.36
|>>
|>> But... two interesting things. From a different network I can find
|>> that childcaremanager.com actually is an A record to the 147.35
|>> address. AND... the ns2 address does not respond. In fact, if I try
|>> to ping it from both the other network and here I get:
|>>
|>> hobbes% ping 69.9.147.36
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)
|>> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
|>> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.36)
|>>
|>> (and doing a traceroute, I see there's some odd routing loop where it bangs
|>> around two different addresses near it until the TTL expires. Again, from
|>> both networks.)
|>>
|>> But for ns1 I get:
|>>
|>> hobbes% ping 69.9.147.35
|>> 69.9.147.35 is alive
|>>
|>> And... the upshot is, any nslookups I try seem to blackhole. For
|>> whatever reason all of our nameservers seem to get hung up if that
|>> second ns isn't working. Cause if I do a lookup directly via ns1 I can
|>> get an answer:
|>>
|>> ; <<>> DiG 9.2.8-P1 <<>> @ns1.ccmturbo.com. www.childcaremanager.com. any
|>> ; (1 server found)
|>> ;; global options: printcmd
|>> ;; Got answer:
|>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
|>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|>>
|>> ;; QUESTION SECTION:
|>> ;www.childcaremanager.com. IN ANY
|>>
|>> ;; ANSWER SECTION:
|>> www.childcaremanager.com. 0 IN CNAME childcaremanager.com.
|>>
|>> ;; ADDITIONAL SECTION:
|>> childcaremanager.com. 3600 IN A 69.9.147.35
|>>
|>> ;; Query time: 104 msec
|>> ;; SERVER: 69.9.147.35#53(69.9.147.35)
|>> ;; WHEN: Mon May 5 09:52:54 2008
|>> ;; MSG SIZE rcvd: 72
|>>
|>> Ideas? Why do nameservers on another network (also BIND of various
|>> semi-recent vintage) seem to be able to resolve this but mine seem to
|>> blackhole on it? We're running BIND 9.4.2 and some 9.2.8-P1 on unix
|>> (solaris 10 and 9) here. I've googled, searched Sun and sunmanagers and
|>> come up empty.
|>>
|>> I did find one reference from back when Solaris ran 4.x BIND about the
|>> resolver only looking at one NS it got back but that was claimed to be
|>> solved by using 'modern' sources.... Which one would think these are...
|>>
|>> ???
|>>
|>> Tnx,
|>>
|>> Bob
|>>
|>> --
|>> ---------------------------------------------------------------------_------
|>> |Bob Rahe, MIEEE, bob at dtcc.edu (RWR50) / ASCII ribbon campaign ( ) |
|>> |Delaware Technical & Community College / - against HTML email X |
|>> |Computer Center, Dover, Delaware / & vCards / \ |
|>> ----------------------------------------------------------------------------
|>>
|>--
|>Mark Andrews, ISC
|>1 Seymour St., Dundas Valley, NSW 2117, Australia
|>PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
+------ End of excerpt from Mark Andrews
--
---------------------------------------------------------------------_------
|Bob Rahe, MIEEE, bob at dtcc.edu (RWR50) / ASCII ribbon campaign ( ) |
|Delaware Technical & Community College / - against HTML email X |
|Computer Center, Dover, Delaware / & vCards / \ |
----------------------------------------------------------------------------
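The thread above resolves to a single named.conf statement, `query-source address * port 53;`, which pins every outgoing query to UDP source port 53. Mark Andrews' two dig runs show the effect: the query sent with `-b 0.0.0.0#53` times out, the one sent from an ephemeral port is answered, so the remote side is dropping traffic from source port 53. Pinning the port has a second cost that the thread does not spell out: BIND only randomizes the UDP source port of its queries when no fixed `port` is given, and that randomization is part of its defense against cache poisoning. The following script is an added example written for this page, not code from the thread or from ISC. It strips C, C++ and shell-style comments from a named.conf, reports any active `query-source` / `query-source-v6` statement that fixes a port, rewrites such a statement into the commented-out form Bob ended up with, and builds the two dig probes Mark used. The configuration fragments embedded in it are constructed for the example; the function names are the example's own.

```python
import re

# Constructed sample configs for the example (not taken from the original post).
# BAD_CONF has the statement active, as it was on Bob's server since 2002;
# GOOD_CONF has it commented out, which is the state that fixed resolution.
BAD_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    recursion yes;
};
"""

GOOD_CONF = """
options {
    directory "/var/named";
    /* query-source address * port 53; */
    recursion yes;
};
"""

# named.conf accepts /* */, // and # comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# A query-source or query-source-v6 statement up to its terminating ';'.
_QS_RE = re.compile(r"\b(query-source(?:-v6)?)\s+([^;]*);", re.IGNORECASE)
# The optional 'port' clause: '*' means random, a number means pinned.
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)", re.IGNORECASE)


def strip_comments(text):
    """Remove all three comment styles so commented-out statements are ignored."""
    return _COMMENT_RE.sub("", text)


def find_fixed_query_ports(conf):
    """Return [(directive, port), ...] for every ACTIVE statement that pins a port."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf)):
        directive, args = m.group(1).lower(), m.group(2)
        pm = _PORT_RE.search(args)
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


def comment_out_fixed_ports(conf):
    """Wrap each active pinned-port statement in /* */; leave everything else byte-for-byte."""
    comment_spans = [m.span() for m in _COMMENT_RE.finditer(conf)]

    def already_commented(pos):
        return any(start <= pos < end for start, end in comment_spans)

    def repl(m):
        if already_commented(m.start()):
            return m.group(0)
        pm = _PORT_RE.search(m.group(2))
        if pm and pm.group(1) != "*":
            return "/* " + m.group(0) + " */"
        return m.group(0)

    return _QS_RE.sub(repl, conf)


def dig_probe_commands(name, server, port):
    """The pair of probes from the thread: pinned source port first, then the default."""
    return [
        f"dig {name} +norec @{server} -b 0.0.0.0#{port}",
        f"dig {name} +norec @{server}",
    ]


if __name__ == "__main__":
    for label, conf in (("active", BAD_CONF), ("commented", GOOD_CONF)):
        print(label, "->", find_fixed_query_ports(conf) or "no pinned source port")
    print(comment_out_fixed_ports(BAD_CONF))
    for cmd in dig_probe_commands("www.childcaremanager.com", "ns1.ccmturbo.com", 53):
        print(cmd)
```

Run it against a real named.conf by replacing the embedded samples with the file's contents; a non-empty result from `find_fixed_query_ports` is the condition to look for. Removing the `port` clause (or setting it to `*`) rather than deleting the whole statement keeps any `address` selection you still need while letting named pick a random source port again. If the pinned port was there to satisfy a stateful firewall rule, the firewall rule is what should change.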