FW: "no data known" vrs "host not found"

admjcd admjcd at VOLPE.DOT.GOV
Tue Apr 2 14:41:15 UTC 2002


Well, it looks like you may have nailed it. Army.mil does not return "ANY" or "all" queries until after I do an MX query. Why does this do an "ANY" query anyway? So if I turn that off, I should be all set? Or do I have to upgrade sendmail to get that feature? Does the ANY query not belong in the latest RFCs for SMTP and DNS?

-----Original Message-----
From: James Griffin [mailto:agriffin at cpcug.org] 
Sent: Tuesday, March 26, 2002 5:40 PM
To: admjcd
Cc: 'comp-protocols-dns-bind at isc.org'
Subject: Re: FW: "no data known" vrs "host not found"


admjcd wrote:
> 
> The DNS servers are Bind 9 I think. Can I tell from nslookup from a 
> windows command prompt?
> 
Yes, use the following:

$ nslookup
Note:  nslookup is deprecated and may be removed from future releases. Consider using the `dig' or `host' programs instead.  Run nslookup with the `-sil[ent]' option to prevent this message from appearing.
> server sparta.athena.inc       <-  PUT THE NAME OF YOUR SERVER HERE
Default server: sparta.athena.inc
Address: 192.168.1.8#53
> set type=txt
> set class=chaos
> version.bind.
Server:         sparta.athena.inc
Address:        192.168.1.8#53

version.bind    text = "9.2.1rc1"
>

The version of 'doc' that I used asked for version.bind of the name servers.  Here is what was reported (note that the reported version can be anything the hostmaster wants it to be):

dsn1.dot.gov.		qddns 3.0  -> BIND 8.2.2-P5/7 depending upon Build level
dns2.dot.gov.		qddns 3.0
rns.dot.gov.		qddns 3.0
nsdc.ba-dsg.net.	8.2.5-rel
auth120.ns.uu.net.	refused

Visit http://www.isc.org/products/BIND/bind-security.html for comments about 8.2.2-P[5-7].

> Yes, its sendmail and this is from a message header:  
> (8.8.8/1.1.22.3/21May99-0417PM) that says the version right?
> 

Assuming that the $v/$Z macros are not redefined, this is not good.  The 8.8.8 version was released in Oct. 1997 and there have been many security, anti-spam, and other improvements since then.  I have not looked at all of the DNS/MX/CNAME related changes, but it is possible that there are fixes/changes related to the original problem.  For example:

        If TryNullMXList is True and there is a temporary DNS failure
                looking up the hostname, requeue the message for a later
                attempt.  Problem noted by Ari Heikkinen of Pohjois-Savo
                Polytechnic.
        If a resolver ANY query is larger than the UDP packet size, the
                resolver will fall back to TCP.  However, some
                misconfigured firewalls block 53/TCP so the ANY lookup
                fails whereas an MX or A record might succeed.  Therefore,
                don't fail on ANY queries.

Visit http://www.sendmail.org/faq/section2.html#2.7 and the following paragraph (2.8).

> There are Two DNS servers with one set up as a backup. I am actually 
> the mail person and run our Exchange servers but our DNS peolple 
> handle the sendmail server. They do not like that I am pressing this 
> issue, but the customers call me when the mail fails.

They may not like my observations, but they need to apply maintenance to both the DNS and the sendmail services. 

Regards,
Jim

P.S. Apologies to Berry for not deleting your email address.  Sorry.
> 
> Also I did some research on "negative Caching" and found this :
> 
[snip this and 'doc' summaries]
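Added example (not from either correspondent, and not nslookup or sendmail code): a small stand-alone Python script that builds the same CHAOS-class TXT query for version.bind that the nslookup session above sends, parses a DNS response, and checks the TC (truncated) flag that triggers the UDP-to-TCP fallback described in the sendmail release note. The response it parses is constructed in the script itself (the "9.2.1rc1" string is copied from the session above as sample data), so it runs offline; the optional query_udp helper only uses the standard socket module and is not exercised by default. Function names, the sample transaction id, and the constructed packet are all this example's own assumptions.

```python
import socket
import struct

QTYPE_TXT, QTYPE_ANY = 16, 255   # RR type codes from the DNS wire format
QCLASS_IN, QCLASS_CH = 1, 3      # class codes; version.bind lives in CHAOS
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels: <len><chars>... terminated by 0."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qclass, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels) + ".", end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg):
    """Return header flags of interest plus a list of (name, type, class, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "answers": []}
    offset = 12
    for _ in range(qd):                                  # skip the question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT:                           # TXT: <len><chars> strings
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            value = "".join(parts)
        else:
            value = rdata.hex()
        info["answers"].append((name, rtype, rclass, value))
    return info


def needs_tcp_retry(info):
    """A resolver must retry over 53/TCP when the UDP answer has TC set; a
    firewall that blocks 53/TCP makes that retry fail (the ANY-query problem)."""
    return info["truncated"]


def build_constructed_response(query, txt, truncated=False):
    """Constructed sample reply: echoes the question, answers with one TXT RR
    whose owner name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def query_udp(server, name, qtype, qclass, timeout=3.0):
    """Send one query over UDP (not run here; needs a reachable name server)."""
    q = build_query(name, qtype, qclass)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    reply = parse_response(build_constructed_response(q, "9.2.1rc1"))
    print(reply["answers"], "retry over TCP:", needs_tcp_retry(reply))
```

Note that, as Jim says above, the TXT string returned for version.bind is whatever the hostmaster configures; treat it as a hint, not an authoritative inventory, and expect "refused" from servers that restrict CHAOS queries.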
