What is the deal on missing "Authority Section" and "additional section" from Google's DNS servers?
Ted Mittelstaedt
tedm at ipinc.net
Wed Jul 11 01:24:54 UTC 2012

Hi All,

I manage an ISP that runs BIND 9.6-ESV-R7-P1 (to be fair it was
running 9.6-ESV-R6 until an hour ago but I'm not that dumb to
post the location of an unpatched nameserver to the mailing list).

One of our customers reported that she was having problems with her
mailserver not sending mail to comcast.com users. When she switched to
using Google's open DNS servers or OpenDNS's servers, the problem went
away.

No other customer reported this and I see no problem with our own
mailservers.

In looking at the output of my own servers, I see data in
authority and additional sections. In looking at data from the
output of those DNS servers, I do not. Since only comcast.com was
affected, and they have a very large amount of additional data in
the response, I am theorizing that her firewall thinks the DNS
response query packet is too large and is trashing it. Either that
or there's a network layer problem that is trashing UDP packets.

I can't seem to find an option to turn off additional data. How
do Google and OpenDNS do it? WHY do they do it?

Digs that show what I mean follow:

C:\dig>dig @8.8.8.8 -t MX comcast.com
; <<>> DiG 9.3.2 <<>> @8.8.8.8 -t MX comcast.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 556
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;comcast.com. IN MX
;; ANSWER SECTION:
comcast.com. 533 IN MX 5 mx1.comcast.com.
comcast.com. 533 IN MX 5 mx4.comcast.com.
comcast.com. 533 IN MX 5 mx3.comcast.com.
;; Query time: 109 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 18:18:43 2012
;; MSG SIZE rcvd: 89
C:\dig>
C:\dig>dig @resolver1.opendns.com -t MX comcast.com
; <<>> DiG 9.3.2 <<>> @resolver1.opendns.com -t MX comcast.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;comcast.com. IN MX
;; ANSWER SECTION:
comcast.com. 567 IN MX 5 mx1.comcast.com.
comcast.com. 567 IN MX 5 mx4.comcast.com.
comcast.com. 567 IN MX 5 mx3.comcast.com.
;; Query time: 93 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 10 18:20:24 2012
;; MSG SIZE rcvd: 89
C:\dig>
C:\dig>
C:\dig>dig @dns1.ipinc.net -t MX comcast.com
; <<>> DiG 9.3.2 <<>> @dns1.ipinc.net -t MX comcast.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 13
;; QUESTION SECTION:
;comcast.com. IN MX
;; ANSWER SECTION:
comcast.com. 600 IN MX 5 mx4.comcast.com.
comcast.com. 600 IN MX 5 mx1.comcast.com.
comcast.com. 600 IN MX 5 mx3.comcast.com.
;; AUTHORITY SECTION:
comcast.com. 1712 IN NS dns104.comcast.net.
comcast.com. 1712 IN NS dns102.comcast.net.
comcast.com. 1712 IN NS dns101.comcast.net.
comcast.com. 1712 IN NS dns103.comcast.net.
comcast.com. 1712 IN NS dns105.comcast.net.
;; ADDITIONAL SECTION:
mx1.comcast.com. 3600 IN A 76.96.32.244
mx3.comcast.com. 1712 IN A 69.241.43.117
mx4.comcast.com. 1712 IN A 69.241.43.118
dns101.comcast.net. 1680 IN A 68.87.29.164
dns101.comcast.net. 1680 IN AAAA 2001:558:1002:a:68:87:29:164
dns102.comcast.net. 1680 IN A 68.87.85.132
dns102.comcast.net. 1680 IN AAAA 2001:558:1004:7:68:87:85:132
dns103.comcast.net. 1680 IN A 68.87.76.228
dns103.comcast.net. 1680 IN AAAA 2001:558:1014:c:68:87:76:228
dns104.comcast.net. 1680 IN A 68.87.68.244
dns104.comcast.net. 1680 IN AAAA 2001:558:100a:5:68:87:68:244
dns105.comcast.net. 1680 IN A 68.87.72.244
dns105.comcast.net. 1680 IN AAAA 2001:558:100e:5:68:87:72:244
;; Query time: 156 msec
;; SERVER: 65.75.192.10#53(65.75.192.10)
;; WHEN: Tue Jul 10 18:17:24 2012
;; MSG SIZE rcvd: 473
C:\dig>
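
An added example, not part of the original post: a small Python parser that reads the section counts and `MSG SIZE` from dig output and compares each response size with the 512-byte limit that RFC 1035 sets for DNS over UDP without EDNS0. The sample text is excerpted from the three dig runs above; the names `summarize` and `CLASSIC_UDP_LIMIT` are this example's own.

```python
import re

# RFC 1035 limit for a DNS message carried over UDP without EDNS0.
CLASSIC_UDP_LIMIT = 512

# Header, SERVER and MSG SIZE lines excerpted from the three dig runs in the post.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE rcvd: 89
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; MSG SIZE rcvd: 89
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 13
;; SERVER: 65.75.192.10#53(65.75.192.10)
;; MSG SIZE rcvd: 473
"""

COUNTS = re.compile(r"ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#")
SIZE = re.compile(r"^;; MSG SIZE\s+rcvd: (\d+)")


def summarize(dig_text):
    """Return one dict per dig response found in dig_text."""
    results, cur = [], {}
    for line in dig_text.splitlines():
        if m := COUNTS.search(line):
            # The flags line opens a new response record.
            cur = {"answer": int(m[1]), "authority": int(m[2]),
                   "additional": int(m[3])}
        elif m := SERVER.match(line):
            cur["server"] = m[1]
        elif m := SIZE.match(line):
            # MSG SIZE is the last line dig prints, so it closes the record.
            cur["size"] = int(m[1])
            cur["over_classic_limit"] = cur["size"] > CLASSIC_UDP_LIMIT
            results.append(cur)
            cur = {}
    return results


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r)
```
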