Querying a nameserver directly works, while forwarding does not

Sten Carlsen stenc at s-carlsen.dk
Thu Dec 6 20:36:22 UTC 2012


My next move would be to look for issues in the network; I would look at
what Wireshark can sniff out. I would look for packets with errors. The
purpose is to find out if the network is mangling packets.


On 06/12/12 16:46, Daniele Imbrogino wrote:
> I'm testing a new configuration on VirtualBox, following the advice of
> not forwarding.
> Furthermore, I exclude any reference to DNSSEC.
>
> So, in these conditions and assuming an empty cache, if I query for a
> remote domain name, my server should query a root-server and then
> iterate, right?
> Well, Wireshark shows me outgoing queries and incoming responses
> to/from root-servers, but "dig www.apple.com"
> (for example) fails with a timeout.
>
> "syslog" has a lot of "DNS format error ... non-improving referral"
> and "error (FORMERR) resolving" entries.
>
> This is my very, very basic "named.conf" file
>
> options {
>         directory "/var/cache/bind";
> };
>
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
>
> I've also updated "db.root" from http://ftp.internic.net/domain/db.cache
>
>
> 2012/12/5 Sten Carlsen <stenc at s-carlsen.dk>
>
>
>     On 05/12/12 18:29, Hauke Lampe wrote:
>>     On 05.12.2012 14:59, Daniele Imbrogino wrote:
>>
>>>     resolv.conf contains only 127.0.0.1 as nameserver.
>>>
>>>     The syslog contains a lot of errors as "insecurity proof
>>>     failed", "no valid
>>>     RRSIG", "got insecure response" that I don't understand.
>>
>>     Your forwarder probably doesn't handle DNSSEC responses well.
>>     Therefore your BIND cannot validate the answers and returns a
>>     failure code.
>>
>>     Either update the forwarder/enable DNSSEC (older versions of BIND
>>     9 require "dnssec-enable yes;" in the options clause), or disable
>>     DNSSEC validation in your local BIND (set "dnssec-validation no;").
>     Or consider not doing forwarding, that usually gives fewer
>     problems if possible.
>
>>
>>
>>
>>     Hauke
>>
>>     _______________________________________________
>>     Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>     unsubscribe from this list
>>
>>     bind-users mailing list
>>     bind-users at lists.isc.org
>>     https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"

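The two symptoms in the thread, "non-improving referral" and FORMERR, are both verdicts a resolver reaches while parsing a single response during iteration from the root hints. The Python below is an added example, not code from the thread or from BIND: it parses a DNS response (header, question, RR sections, RFC 1035 name compression), classifies a referral as improving or non-improving relative to the zone that was just asked, and reports a malformed message the way a resolver would log it. The "improving" test (every NS owner in the authority section is strictly below the zone just queried and still above the query name) is this example's own simplification of the check; the three messages are constructed inline, not captures, although the server names in them are real gTLD and root server names.

```python
import struct

NS_TYPE = 2   # RR type NS

def encode_name(name):
    """Encode a dotted name ("www.apple.com." or ".") into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_message(msg):
    """Parse header, question and the three RR sections of a DNS message.
    Raises ValueError for anything a resolver would log as FORMERR."""
    try:
        ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        off, questions, sections = 12, [], []
        for _ in range(qd):
            name, off = decode_name(msg, off)
            questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
            off += 4
        for count in (an, ns, ar):
            records = []
            for _ in range(count):
                name, off = decode_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                off += 10
                if off + rdlen > len(msg):
                    raise ValueError("RDATA runs past end of message")
                rdata = decode_name(msg, off)[0] if rtype == NS_TYPE else msg[off:off + rdlen]
                off += rdlen
                records.append((name, rtype, rdata))
            sections.append(records)
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed message: %s" % exc)
    return {"id": ident, "flags": flags, "question": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def _labels(name):
    return [l for l in name.rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name equals zone or lies below it (the root "." is above everything)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify_referral(resp, qname, current_zone):
    """Classify a response received while resolving qname from a server for
    current_zone: a referral only makes progress if every NS owner in the
    authority section is strictly below current_zone and still above qname."""
    if resp["answer"]:
        return "answer"
    owners = {name for name, rtype, _ in resp["authority"] if rtype == NS_TYPE}
    if not owners:
        return "no referral"
    improving = all(is_subdomain(qname, o) and is_subdomain(o, current_zone)
                    and len(_labels(o)) > len(_labels(current_zone)) for o in owners)
    return "improving" if improving else "non-improving"

def check_response(msg, qname, current_zone):
    """What an iterating resolver would conclude about one raw response."""
    try:
        return classify_referral(parse_message(msg), qname, current_zone)
    except ValueError as exc:
        return "FORMERR: %s" % exc

# --- constructed sample messages (assumed shapes, not real captures) ---------
def build_referral(qname, owner, ns_targets, owner_ptr=None):
    """Referral response: empty answer, one NS RR per target in the authority
    section. owner_ptr writes the owner as a compression pointer to that offset."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_targets), 0)  # QR=1, NOERROR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)                   # A, IN
    authority = b""
    for target in ns_targets:
        owner_wire = (struct.pack("!H", 0xC000 | owner_ptr) if owner_ptr is not None
                      else encode_name(owner))
        rdata = encode_name(target)
        authority += owner_wire + struct.pack("!HHIH", NS_TYPE, 1, 172800, len(rdata)) + rdata
    return header + question + authority

QNAME = "www.apple.com."
# A root server hands off to the com. servers; "com" starts at offset 22 of the question.
GOOD_REFERRAL = build_referral(QNAME, "com.", ["a.gtld-servers.net.", "b.gtld-servers.net."], owner_ptr=22)
# A server for "." replying with NS records for "." again: the iteration makes no progress.
BAD_REFERRAL = build_referral(QNAME, ".", ["a.root-servers.net."])
# The good referral cut off mid-record, as a mangled or truncated packet would arrive.
TRUNCATED = GOOD_REFERRAL[:40]

if __name__ == "__main__":
    for label, msg in (("good", GOOD_REFERRAL), ("bad", BAD_REFERRAL), ("truncated", TRUNCATED)):
        print(label, "->", check_response(msg, QNAME, "."))
```

To use it on real traffic, feed the UDP payload of a captured response (for example exported from Wireshark) to `check_response` with the name being resolved and the zone the queried server was expected to serve; a run of "FORMERR" verdicts on packets that left the root servers well-formed points at something on the path rewriting or truncating them, which is the network-mangling hypothesis Sten suggests checking.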