Recursive queries not working
Kevin Darcy
kcd at chrysler.com
Mon Jan 23 22:51:44 UTC 2012
Offhand, it looks like you might have DNSSEC validation turned on (thus
making responses from the GTLD nameservers bigger than 512 bytes; note
that all of the GTLD-server responses in that tcpdump have truncation
flagged), your EDNS0 buffer tuned down to 512 bytes ("edns-udp-size
512", thus eliminating UDP as an option for those big responses), and
then something in your network is sending RSTs to every attempt at a
DNS/TCP connection (thus eliminating TCP as an option too).
Something's gotta give. You can't expect reasonable resolution while all
3 of those conditions prevail.
Note that your "dig"s don't have +dnssec, +bufsize=xxxxx, or +norec, so
they're really not an apples-to-apples comparison to what named itself
is generating.
- Kevin
On 1/23/2012 4:06 PM, Steven Vona wrote:
> I am posting here as a last resort and hope someone can help me.
>
> I am running RHEL6 and installed bind-chroot package. I have tried
> everything, and even posted to a linux forum I belong to for help.
> After three pages and a boat load of troubleshooting no resolution.
>
> Here is a link to the 3 page forum thread if you're interested in seeing
> all that we tried to do. There is debug information and even tcpdump
> info in there.
> http://www.linuxquestions.org/questions/linux-server-73/bind-dns-recursion-now-working-924978/
>
> If anyone can help it would be greatly appreciated. If you need any
> more information please let me know.
>
>
> This DNS server does not answer recursive queries. Here is my config.
>
> options {
>     directory "/var/named";
>     allow-query { any; };
>     recursion yes;
>     edns-udp-size 512;
>     listen-on-v6 { none; };
> };
> logging {
>     channel query_log {
>         file "ns1-bind.log" versions unlimited size 100m;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category xfer-in { query_log; };
>     category xfer-out { query_log; };
>     category update { query_log; };
>     category general { query_log; };
>     category queries { query_log; };
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> key "dnsadmin" {
>     algorithm hmac-md5;
>     secret "pjbruihfeuhruehferfw=";
> };
>
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { dnsadmin; };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
>
>
>
> When I try to query google.com it just hangs then returns a servfail:
> # dig @localhost google.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58542
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com. IN A
>
> ;; Query time: 2695 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 23 16:01:27 2012
> ;; MSG SIZE rcvd: 28
>
>
> If I do a dig with +trace at the end it works:
> [root at ns1 etc]# dig @localhost google.com +trace
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com +trace
> ; (2 servers found)
> ;; global options: +cmd
> . 518342 IN NS d.root-servers.net.
> . 518342 IN NS c.root-servers.net.
> . 518342 IN NS b.root-servers.net.
> . 518342 IN NS a.root-servers.net.
> . 518342 IN NS l.root-servers.net.
> . 518342 IN NS f.root-servers.net.
> . 518342 IN NS g.root-servers.net.
> . 518342 IN NS j.root-servers.net.
> . 518342 IN NS e.root-servers.net.
> . 518342 IN NS h.root-servers.net.
> . 518342 IN NS i.root-servers.net.
> . 518342 IN NS m.root-servers.net.
> . 518342 IN NS k.root-servers.net.
> ;; Received 340 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> ;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 42 ms
>
> google.com. 172800 IN NS ns2.google.com.
> google.com. 172800 IN NS ns1.google.com.
> google.com. 172800 IN NS ns3.google.com.
> google.com. 172800 IN NS ns4.google.com.
> ;; Received 164 bytes from 192.54.112.30#53(h.gtld-servers.net) in 97 ms
>
> google.com. 300 IN A 74.125.115.99
> google.com. 300 IN A 74.125.115.106
> google.com. 300 IN A 74.125.115.104
> google.com. 300 IN A 74.125.115.103
> google.com. 300 IN A 74.125.115.105
> google.com. 300 IN A 74.125.115.147
> ;; Received 124 bytes from 216.239.32.10#53(ns1.google.com) in 30 ms
>
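Kevin's diagnosis rests on three wire-level facts: named with validation on sends an EDNS0 OPT record advertising a 512-byte buffer with the DO bit set, a response that does not fit comes back with TC set, and the TCP retry that TC demands is what the RSTs are killing. Steven's plain "dig" sends no OPT record at all, which is why it is not comparable. The following Python is an added illustration, not code from the thread or from BIND: it builds the query named would send, decodes a response header to show the TC flag, and spells out the resulting outcome. The `truncated_response` helper and the `predict_outcome` rule are constructed stand-ins for this explanation, not server behaviour captured from the thread.

```python
"""Added example (not from the bind-users thread): EDNS0 query construction,
DNS header decoding (TC flag) and the truncation -> TCP -> SERVFAIL chain."""
import random
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # DNSSEC OK bit in the OPT "TTL" field (RFC 3225)


def encode_name(name):
    """Encode a dotted name such as "google.com." into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, edns_udp_size=None, dnssec_ok=False,
                recursion_desired=True, txid=None):
    """Build a DNS query. With edns_udp_size set, append an OPT RR whose CLASS
    field advertises the UDP payload size and whose TTL field carries DO.
    named with "edns-udp-size 512" and validation on sends bufsize 512 + DO;
    a plain "dig" sends no OPT at all (no DO, implied 512-byte limit)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if edns_udp_size is not None:
        ttl = DO_FLAG if dnssec_ok else 0
        # OPT RR: root name, TYPE=41, CLASS=udp size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, ttl, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header. TC (bit 9) is the truncation flag that was
    set on every GTLD-server response in the tcpdump."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def truncated_response(query):
    """Constructed stand-in for a server reply that did not fit the advertised
    UDP buffer: QR and TC set, same ID, question echoed, no answer records.
    A client seeing TC is expected to retry the query over TCP."""
    h = parse_header(query)
    flags = 0x8000 | 0x0200 | (0x0100 if h["rd"] else 0)
    header = struct.pack("!HHHHHH", h["id"], flags, h["qdcount"], 0, 0, h["arcount"])
    return header + query[12:]


def predict_outcome(response_size, edns_udp_size, tcp_reachable):
    """The failure chain from the reply: response exceeds the UDP buffer -> TC
    -> retry over TCP -> if TCP connections are reset, the lookup ends SERVFAIL."""
    if response_size <= edns_udp_size:
        return "udp"
    if tcp_reachable:
        return "tcp-fallback"
    return "servfail"


if __name__ == "__main__":
    q = build_query("google.com.", edns_udp_size=512, dnssec_ok=True, txid=0x1234)
    print(len(q), "byte query, OPT record:", q[28:].hex())
    print(parse_header(truncated_response(q)))
    for size, tcp in ((700, False), (700, True), (400, False)):
        print(size, "byte response, bufsize 512, tcp_reachable=%s ->" % tcp,
              predict_outcome(size, 512, tcp))
```

Nothing in the block touches the network. To reproduce on the real path what named sends, the dig flags Kevin lists are the equivalents: +dnssec sets DO, +bufsize=512 advertises the buffer, and +norec clears RD as an iterative query to a GTLD server would; dig +tcp against the same server exercises the TCP path that the RSTs are blocking. Separately, the posted options have allow-query { any; } with recursion yes and no allow-recursion, so once resolution is fixed this server answers recursive queries for anyone until allow-recursion is restricted.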