problems resolving domains under NSxx.DOMAINCONTROL.COM - this problem I have too! :(((((
Torsten
toto at the-damian.de
Wed Jun 23 12:41:26 UTC 2010
On Wed, 23 Jun 2010 11:01:29 +0200,
Erwin Lansing <erwin at FreeBSD.org> wrote:
> On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote:
> >
> > In message
> > <AANLkTinjqoRpLnyqj5tsO2TDwLt_ROPzDMrYMOIPHYTO at mail.gmail.com>,
> > Piff writes:
> > > Mark,
> > >
> > > > more than once you have blamed firewall but I have tested without
> > > firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig
> > > +dnssec".
> >
> > > Wrong. The nameservers DO answer these queries.
>
> Right, unfortunately. All is fine on a freshly reloaded bind, but
> after a while no answers are seen. This is on Bind 9.4, 9.5 and 9.6.
> >
> > # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
> >
> > > ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> > > ; (1 server found)
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
> > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;replacementservices.com. IN A
> >
> > ;; ANSWER SECTION:
> > replacementservices.com. 3600 IN A 72.32.12.235
> >
> > ;; AUTHORITY SECTION:
> > > replacementservices.com. 3600 IN NS ns33.domaincontrol.com.
> > > replacementservices.com. 3600 IN NS ns34.domaincontrol.com.
> >
> > ;; Query time: 346 msec
> > ;; SERVER: 216.69.185.17#53(216.69.185.17)
> > ;; WHEN: Wed Jun 23 17:39:43 2010
> > ;; MSG SIZE rcvd: 109
> >
> > #
>
> # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
>
> ; <<>> DiG 9.6.1-P3 <<>> +dnssec @ns33.domaincontrol.com. replacementservices.com.
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> >
> > Since you are not getting answers then there is a problem between
> > you and the nameservers in question and as just about everyone
> > else is getting answers as well this puts the problem close to you.
> > i.e. Your network or your ISP's network. Something on the path is
> > doing DPI tests and is rejecting the response. Do you have a NAT
> > that does DPI?
>
> No firewall, DPI, NAT or any form of filtering involved on our side,
> direct peering with GLBX.
>
> -erwin
>
Since it's working quite okay for several locations on here, the
problem may be found somewhere in between sites.
I personally don't get any failures with the dig statement from above
no matter how often I try.
Looking at a tracepath the last hop I see seems to be an edge router of
AboveNet Communications.
tracepath ns33.domaincontrol.com
 1: eve.the-damian.de (195.180.9.245) 0.132ms pmtu 1500
 1: vl100.cr20.isham.de.easynet.net (195.180.9.252) 0.888ms
 1: vl100.cr20.isham.de.easynet.net (195.180.9.252) 0.830ms
 2: ge1-1.br2.isham.de.easynet.net (212.224.4.90) 0.857ms
 3: ge3-0-2.gr10.isham.de.easynet.net (87.86.71.244) 0.762ms
 4: te0-0-0-0.er10.ixfra.de.easynet.net (87.86.77.247) 10.931ms asymm 7
 5: xe-1-2-0.mpr1.fra4.de.above.net (80.81.194.26) 10.407ms asymm 7
 6: xe-1-1-0.mpr1.cdg12.fr.above.net (64.125.24.6) 22.851ms
 7: xe-4-0-0.mpr1.lhr3.uk.above.net (64.125.31.249) 28.677ms asymm 9
 8: so-0-1-0.mpr2.dca2.us.above.net (64.125.27.165) 98.858ms asymm 9
 9: xe-0-3-0.cr2.dca2.us.above.net (64.125.29.25) 102.567ms asymm 10
10: xe-0-1-0.er2.dca2.us.above.net (64.125.27.29) 98.730ms asymm 11
11: xe-1-1-0.er2.iad10.above.net (64.125.26.242) 99.116ms asymm 13
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
Ciao
Torsten