Split DNS zone not resolving some public addresses
Mark_Andrews at isc.org
Wed Nov 20 21:43:48 UTC 2002
>
> Running BIND 8.3.3 on NT (just dl'd 8.3.4).
>
> I've recently become aware that from inside our firewall our private
> DNS server can resolve most but not all domains. For example, I can
> get to www.yahoo.com. Yesterday, when I clicked through to their
> financial charting pages, I could bring up the majority of the page
> from finance.yahoo.com, but I couldn't resolve chart.yahoo.com and get
> the actual charts. Today, I can't seem to resolve finance.yahoo.com.
> There are other similar problems.

PIX firewalls drop EDNS responses bigger than 512 bytes. The
names in question sometimes result in answers that are bigger
than 512 bytes (depends on the cache contents).

>
> My public DNS server can resolve all the problem names, so I suspect
> my BIND is set up wrong (maybe it's my firewall).
>
> Any help appreciated.
>
> Here's some nslookup info (I'm not familiar with dig yet.)
>
> > server 204.131.50.1
> Default Server: ns1.aspenres.com
> Address: 204.131.50.1
>
> > chart.yahoo.com
> Server: ns1.aspenres.com
> Address: 204.131.50.1
>
> Non-authoritative answer:
> Name: chart.finance.yahoo.akadns.net
> Address: 66.218.71.158
> Aliases: chart.yahoo.com
>
> > server 192.168.x.17
> Default Server: [192.168.x.17]
> Address: 192.168.x.17
>
> > chart.yahoo.com
> Server: [192.168.x.17]
> Address: 192.168.x.17
>
> DNS request timed out.
> timeout was 2 seconds.
> DNS request timed out.
> timeout was 2 seconds.
> *** Request to [192.168.x.17] timed-out
> > set debug
> > set d2
> > chart.yahoo.com
> Server: [192.168.x.17]
> Address: 192.168.x.17
>
> ------------
> SendRequest(), len 33
> HEADER:
> opcode = QUERY, id = 24, rcode = NOERROR
> header flags: query, want recursion
> questions = 1, answers = 0, authority records = 0,
> additional = 0
>
> QUESTIONS:
> chart.yahoo.com, type = A, class = IN
>
> ------------
> DNS request timed out.
> timeout was 2 seconds.
> timeout (2 secs)
> SendRequest failed
> ------------
> SendRequest(), len 33
> HEADER:
> opcode = QUERY, id = 25, rcode = NOERROR
> header flags: query, want recursion
> questions = 1, answers = 0, authority records = 0,
> additional = 0
>
> QUESTIONS:
> chart.yahoo.com, type = A, class = IN
>
> ------------
> DNS request timed out.
> timeout was 2 seconds.
> timeout (2 secs)
> SendRequest failed
> *** Request to [192.168.xx.17] timed-out
> >
>
>
> and my primary's named.conf (logging lines deleted):
>
> options {
> directory "c:\bind";
> pid-file ".\pid.txt";
> named-xfer "bin\named-xfer.exe";
> dump-file "logs\dump.txt";
> memstatistics-file "logs\memstats.txt";
> statistics-file "logs\stats.txt";
> notify yes;
> allow-recursion { 192.168/16; };
> allow-transfer { 192.168/16; };
> allow-query { 127.0.0/24; 192.168/16; };
> listen-on {192.168.x.x;};
> };
>
> zone "." IN {
> type hint;
> file "db.cache.dom";
> };
>
> // $INCLUDE <file> <domain>
> // The following line includes the root-stub zones promoted by Newnet.com
>
> INCLUDE "stubs\root-stubs.conf";
>
> zone "0.0.127.IN-ADDR.ARPA" IN {
> type master;
> file "db.127.0.0.dom";
> };
>
> zone "axxxxxx.com" IN {
> type master;
> file "db.axxxxxx.com.dom";
> };
>
> zone "y.168.192.IN-ADDR.ARPA" IN {
> type master;
> file "db.192.168.2.dom";
> };
>
> zone "x.168.192.IN-ADDR.ARPA" IN {
> type master;
> file "db.192.168.50.dom";
> };
>
> Political ideology aside, can the stubs zones from newnet.com be
> causing this problem?
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
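
An added example (not part of the original message) that models the failure described in the reply: it builds the 33-byte query nslookup sent, an EDNS0 variant of it, and constructed responses, then reports which of them a device enforcing a 512-byte UDP limit would drop. The function names, the 4096-byte advertised size and the 192.0.2.x answer records are assumptions made for illustration.

```python
import struct

def encode_name(name):
    # DNS wire format: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def opt_record(size):
    # EDNS0 OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size
    return b"\x00" + struct.pack("!HHIH", 41, size, 0, 0)

def build_query(name, qid, edns_size=None):
    # Recursive A query; edns_size adds an OPT record advertising that size
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    return msg + (opt_record(edns_size) if edns_size else b"")

def skip_name(msg, off):
    # Step over a name that may end in a compression pointer
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def sample_response(query, n_answers, edns_size=None):
    # Constructed response: n A records (192.0.2.x) compressed to offset 12
    qend = skip_name(query, 12) + 4
    msg = query[:2] + struct.pack("!HHHHH", 0x8180, 1, n_answers, 0,
                                  1 if edns_size else 0) + query[12:qend]
    for i in range(n_answers):
        msg += b"\xc0\x0c" + struct.pack("!HHIH4B", 1, 1, 60, 4, 192, 0, 2, i + 1)
    return msg + (opt_record(edns_size) if edns_size else b"")

def edns_payload_size(msg):
    # Walk every section; return the OPT CLASS field, or None without EDNS0
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def check_udp_limit(msg, limit=512):
    # (length, advertised EDNS size, dropped by a device enforcing `limit`?)
    return len(msg), edns_payload_size(msg), len(msg) > limit
```

With 30 constructed answers the EDNS0 response is 524 bytes and would be dropped, which the resolver sees only as a timeout; with fewer records in the answer the same name fits and resolves.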