Issue with dns resolution for www.ssa.gov
Nick Tait
nick at tait.net.nz
Sun Sep 4 05:17:31 UTC 2022
On 2/09/22 08:09, Bhangui, Sandeep - BLS CTR via bind-users wrote:
> # nslookup www.ssa.gov
> ;; Got SERVFAIL reply from 127.0.0.1, trying next server
> Server: 198.6.1.1
> Address: 198.6.1.1#53
> Non-authoritative answer:

Hi Sandeep.

This looks like when you use nslookup it is using 127.0.0.1 as your DNS
server, but when you use dig it isn't. Do you have systemd on that
machine? If so, I suspect your requests using nslookup are going to the
systemd-resolved stub resolver?

FYI I know that there were issues with the stub resolver and DNSSEC
lookups, but I don't recall exactly what the issues were and so I'm not
sure if those limitations have been resolved by now?

If this is your situation, then you may want to consider disabling the
stub resolver? Have a look at "man resolved.conf" and in particular the
option you want to set is "DNSStubListener=no". The preferred way to do
this is to create a .conf file with this in
/etc/systemd/resolved.conf.d/ directory, e.g.:

$ cat /etc/systemd/resolved.conf.d/00-nick.conf
[Resolve]
FallbackDNS=192.168.20.195 192.168.20.196 192.168.20.197
DNSSEC=yes
DNSStubListener=no

After editing the configuration run "sudo systemctl restart
systemd-resolved".

Nick.
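
A check for the situation discussed in this message, added here as an example and not part of the original post: it lists which resolvers a resolv.conf-style file points at, telling the systemd-resolved stub address (127.0.0.53) apart from another local resolver such as 127.0.0.1, and reports the effective DNSStubListener setting. The function names, the single drop-in directory and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: paths are arguments so it can be run on copies of the files.

# Print "<address> <kind>" for each nameserver line in a resolv.conf-style file.
# kind: stub (127.0.0.53, systemd-resolved), loopback (other 127.x or ::1), remote.
classify_nameservers() {
    awk '$1 == "nameserver" {
        kind = "remote"
        if ($2 == "127.0.0.53") kind = "stub"
        else if ($2 ~ /^127\./ || $2 == "::1") kind = "loopback"
        print $2, kind
    }' "$1"
}

# Print the effective DNSStubListener value. Simplified model (assumption):
# the main file is read first, then *.conf drop-ins from one directory in
# lexical order, last assignment wins; "yes" when nothing sets it.
effective_stub_listener() {
    value=yes
    for f in "$1" "$2"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*DNSStubListener[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Constructed sample files mirroring the message above.
demo() {
    d=$(mktemp -d)
    mkdir "$d/resolved.conf.d"
    printf 'nameserver 127.0.0.1\nnameserver 198.6.1.1\n' > "$d/resolv.conf"
    printf '[Resolve]\n#DNSStubListener=yes\n' > "$d/resolved.conf"
    printf '[Resolve]\nDNSSEC=yes\nDNSStubListener=no\n' > "$d/resolved.conf.d/00-nick.conf"
    classify_nameservers "$d/resolv.conf"
    effective_stub_listener "$d/resolved.conf" "$d/resolved.conf.d"
    rm -rf "$d"
}

demo
```

On a live host the arguments would be /etc/resolv.conf, /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d.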