problems resolving domains unser NSxx.DOMAINCONTROL.COM - this problem i have too! :(((((

Warren Kumari warren at kumari.net
Wed Jun 23 15:25:31 UTC 2010 

On Jun 23, 2010, at 2:41 PM, Torsten wrote:

> Am Wed, 23 Jun 2010 11:01:29 +0200
> schrieb Erwin Lansing <erwin at FreeBSD.org>:
>
>> On Wed, Jun 23, 2010 at 05:51:24PM +1000, Mark Andrews wrote:
>>>
>>> In message
>>> <AANLkTinjqoRpLnyqj5tsO2TDwLt_ROPzDMrYMOIPHYTO at mail.gmail.com>,
>>> Piff writes:
>>>> Mark,
>>>>
>>>> more than once you have blamed firewal but I have tested without
>>>> firewall and NSxx.DOMAINCONTROL.COM do not answer to "dig
>>>> +dnssec".
>>>
>>> Wrong.  The nameserver DO answer these queries.
>>
>> Right, unfortunately.  All is fine on a freshly reloaded bind, but
>> after a while no answers are seen.  This is on Bind 9.4, 9.5 and 9.6.
>>>
>>> # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
>>>
>>> ; <<>> DiG 9.3.6-P1 <<>> +dnssec @ns33.domaincontrol.com.
>>> replacementservices.com. ; (1 server found)
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41760
>>> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;replacementservices.com.       IN      A
>>>
>>> ;; ANSWER SECTION:
>>> replacementservices.com. 3600   IN      A       72.32.12.235
>>>
>>> ;; AUTHORITY SECTION:
>>> replacementservices.com. 3600   IN      NS
>>> ns33.domaincontrol.com. replacementservices.com. 3600   IN
>>> NS      ns34.domaincontrol.com.
>>>
>>> ;; Query time: 346 msec
>>> ;; SERVER: 216.69.185.17#53(216.69.185.17)
>>> ;; WHEN: Wed Jun 23 17:39:43 2010
>>> ;; MSG SIZE  rcvd: 109
>>>
>>> #
>>
>> # dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
>>
>> ; <<>> DiG 9.6.1-P3 <<>> +dnssec @ns33.domaincontrol.com.
>> replacementservices.com.
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>>
>>>
>>> Since you are not getting answers then there is a problem between
>>> you and the nameservers in question and as just about every one
>>> else is getting answers as well this puts the problem close to you.
>>> i.e. Your network or your ISP's network.  Something on the path is
>>> doing DPI tests and is rejecting the response.  Do you have a NAT
>>> that does DPI?
>>
>> No firewall, DPI, NAT or any form of filtering involved on our side,
>> direct peering with GLBX.
>>
>> -erwin
>>
>
> Since it's working quite okay for several locations on here, the
> problem may be found somewhere in between sites.
>
> I personally don't get any failures with the dig statement from above
> no matter how often I try.
>

<aol>
Me neither! Me neither!
</aol>

I also goes through AboveNet.

W


> Looking at a tracepath the last hop I see seems to be an edge router  
> of
> AboveNet Communications.
>
>
> tracepath ns33.domaincontrol.com
> 1:  eve.the-damian.de (195.180.9.245)                      0.132ms
> pmtu 1500
> 1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)        0.888ms
> 1:  vl100.cr20.isham.de.easynet.net (195.180.9.252)        0.830ms
> 2:  ge1-1.br2.isham.de.easynet.net (212.224.4.90)          0.857ms
> 3:  ge3-0-2.gr10.isham.de.easynet.net (87.86.71.244)       0.762ms
> 4:  te0-0-0-0.er10.ixfra.de.easynet.net (87.86.77.247)    10.931ms
> asymm  7
> 5:  xe-1-2-0.mpr1.fra4.de.above.net (80.81.194.26)        10.407ms
> asymm  7
> 6:  xe-1-1-0.mpr1.cdg12.fr.above.net (64.125.24.6)        22.851ms
> 7:  xe-4-0-0.mpr1.lhr3.uk.above.net (64.125.31.249)       28.677ms
> asymm  9
> 8:  so-0-1-0.mpr2.dca2.us.above.net (64.125.27.165)       98.858ms
> asymm  9
> 9:  xe-0-3-0.cr2.dca2.us.above.net (64.125.29.25)        102.567ms
> asymm 10
> 10:  xe-0-1-0.er2.dca2.us.above.net (64.125.27.29)         98.730ms
> asymm 11
> 11:  xe-1-1-0.er2.iad10.above.net (64.125.26.242)          99.116ms
> asymm 13
> 12:  no reply
> 13:  no reply
> 14:  no reply
> 15:  no reply
> 16:  no reply
> 17:  no reply
> 18:  no reply
> 19:  no reply
> 20:  no reply
> 21:  no reply
> 22:  no reply
> 23:  no reply
> 24:  no reply
> 25:  no reply
> 26:  no reply
> 27:  no reply
> 28:  no reply
> 29:  no reply
> 30:  no reply
> 31:  no reply
>     Too many hops: pmtu 1500
>     Resume: pmtu 1500
>
>
>
>
> Ciao
> Torsten
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list