Dig, nslookup fail when referencing other server

Barry Margolin barmar at genuity.net
Tue Apr 30 20:35:45 UTC 2002


In article <aamr3b$mlj at pub3.rc.vix.com>, VinceV <vpv at rdrop.com> wrote:
>
>The problem:
>
>On my local RH7.2 server which is primary DNS for my domains
>(ns.ak7.com) and is defined for split DNS (local 192.x.x.x and
>Requests from "outside").
>
>I can run
>dig -x199.26.172.34
>and it returns the correct answer rdrop.com
>
>However, if I try to use the primary rdrop.com name server
>dig -x199.26.172.34 @ns1.rdrop.com
>The request times out.
>The deprecated nslookup function exhibits similar behavior.
>
>Ping to ns1.rdrop.com is successful
>traceroute ns1.rdrop.com fails (no route, default is UDP)
>traceroute -I ns1.rdrop.com is successful (-I forces ICMP)
>
>It appears that BIND is working correctly on my local server since it
>resolved the domain request correctly.

Does it have a private copy of that reverse domain?  When I query
ns1.rdrop.com, I get the answer agora.rdrop.com, not rdrop.com.  If you're
getting a different answer from the local server, I think it must have its
own version of the domain (as part of the split DNS configuration).

>The network sits behind a Watchguard SOHO firewall that allows all
>outbound connections.  The RH 6.1 server that sits on the same switch
>resolves without a problem.
>
>Any ideas what would cause dig to fail?

I have no problem making that query, so I suspect it has something to do
with the firewall blocking UDP to ns1.rdrop.com; that would also explain
the traceroute failure. 

Can you put a sniffer at various points along the path, to see where the
packets are getting lost?

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

