Long root server queries

Jim Reid jim at rfc1035.com
Mon Jul 17 13:40:02 UTC 2000


>>>>> "George" == George Lewis <GLEWIS at fcc.gov> writes:

    George> Hi, We recently upgraded to 8.2.2-p5. During some testing
    George> it appeared as though it was taking longer than what
    George> seemed "reasonable" to return a result on a query that
    George> had a bad domain name.  Further investigation showed
    George> that it was apparently querying all of the root servers
    George> before returning with a result. Setting up a test system
    George> and limiting it to one root server didn't seem to
    George> change its behaviour. It is apparently still getting the
    George> complete list of root servers and querying them all. Our
    George> impression is that the first root server is not returning
    George> the "bad domain" info, or our server is not
    George> understanding or acting upon that info and is querying
    George> the next root server. 

A more likely explanation is that the queries are not getting to the
root name servers or their answers are not coming back. Read on.

    George> Shouldn't the first root server
    George> return the correct info assuming it's responding?

That depends on what you asked and your definition of "correct
answer". In general, root servers return referrals to other name
servers. These answers are correct, though they're not necessarily the
exact answer to the question that was originally asked.

    George> Would you have any idea as to what might be happening and
    George> how we might address it?

The behaviour you describe is very unusual. If the root name servers
were broken as you suggest, the internet would have stopped. Someone
might possibly have noticed that by now. :-)

So, your problem is likely to be a local one. [Where are the config
files, logs and debugging traces from the name server to back up your
hypothesis?] I suspect that you've been bitten by your firewall
configuration. BIND8 by default uses a random UDP port when querying
other name servers. In BIND4, those queries always came from port 53.
[You didn't say what you upgraded from: was it BIND4?] Maybe your
firewall is preventing those queries going out to the Internet? Or
it's stopping the replies from coming in? If so, either you change
your firewall/router setup or make the name server use a fixed port
number when querying another name server. The query-source clause in
the options{} statement can do this. You can even configure BIND8 name
servers to use port 53 for those queries, though it's probably better
if an unprivileged port number is chosen.
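Added example, not from Jim's message: a named.conf options{} fragment that pins BIND8's outbound query source port as described above (the directory path and the port number 5353 are assumed values).

```conf
options {
    directory "/var/named";            // assumed path, adjust to your setup

    // Without a query-source clause, BIND8 sends queries to other name
    // servers from a random unprivileged UDP port. A firewall that only
    // permits UDP port 53 in each direction then drops the queries or
    // their replies, and the resolver walks every root server in turn.

    // Fix the source port so the firewall can match outbound queries and
    // inbound replies on one known port. 5353 is an assumed example; any
    // unprivileged port works, and "port 53" is also accepted by BIND8.
    query-source address * port 5353;
};
```

Pinning the port means a forged reply need only match the 16-bit query ID, so where the firewall can be opened to the random source ports instead, that is the more robust of the two fixes.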