Caching only nameserver fails to resolve external zones periodically

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon May 17 18:07:17 UTC 2004 

Curtis Rempel <curtis at telus.net> wrote:
> Hi,

> I've got a caching name server which also handles a zone (.lan) on an
> internal 192.168.1.0/24 network.   Both internal and external lookups work
> fine as I have a forwarder entry defined in 
> /var/named/chroot/etc/named.conf

> That is, until "something" happens which causes the external lookups to
> fail.  The internal zone resolution still works, however, it seems as far
> as I can tell, that the forwarder entry does not respond and then it
> starts crawling through the root name servers and eventually gives up.

> Here's some sample output (from Fedora Core 1 Linux and bind 9.2.2.P3-9

> When everything is working (i.e. immediately after a 'service named
> restart' command), the following 'host' command works.  However, when
> things aren't working, I get the following output:

> [root at vault root]# host www.telus.net
> ;; connection timed out; no servers could be reached

> This can be rectified by restarting the name server as above, but only for
> awhile (which seems to vary), and then external lookups hang again.  The
> internal zone information can still be resolved.

> When the system is not responding to external zone lookups, a tcpdump
> looks like this with the above 'host' command:

> 15:51:01.996338 vault.lan.33305 > ns7so.cg.shawcable.net.domain:  35946+ [1au] A? www.telus.net. (42) (DF)
> 15:51:03.728476 vault.lan.33305 > f.root-servers.net.domain:  50741 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:06.008121 vault.lan.33305 > 198.41.0.4.domain:  14024 [1au] A? www.telus.net. (42) (DF)
> 15:51:07.747854 vault.lan.33305 > G.ROOT-SERVERS.NET.domain:  52631 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:10.027489 vault.lan.33305 > 128.9.0.107.domain:  65124 [1au] A? www.telus.net. (42) (DF)
> 15:51:11.767237 vault.lan.33305 > 128.63.2.53.domain:  65468 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:14.046919 vault.lan.33305 > 192.33.4.12.domain:  65502 A? www.telus.net. (31) (DF)
> 15:51:15.786573 vault.lan.33305 > 192.36.148.17.domain:  32751 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:18.066210 vault.lan.33305 > d.root-servers.net.domain:  55260 A? www.telus.net. (31) (DF)
> 15:51:19.038994 laser.lan.1024 > vault.lan.domain:  27316 A? fsa.cpsc.ucalgary.ca. (50)
> 15:51:19.805969 vault.lan.33305 > k.root-servers.net.domain:  13778 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:22.085587 vault.lan.33305 > E.ROOT-SERVERS.NET.domain:  3376 A? www.telus.net. (31) (DF)
> 15:51:23.825310 vault.lan.33305 > 202.12.27.33.domain:  1688 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:26.104947 vault.lan.33305 > f.root-servers.net.domain:  844 A? www.telus.net. (31) (DF)
> 15:51:27.844754 vault.lan.33305 > j.root-servers.net.domain:  33190 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:30.124317 vault.lan.33305 > G.ROOT-SERVERS.NET.domain:  49363 A? www.telus.net. (31) (DF)
> 15:51:31.864043 vault.lan.33305 > l.root-servers.net.domain:  18756 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:34.143694 vault.lan.33305 > 128.63.2.53.domain:  4724 A? www.telus.net. (31) (DF)
> 15:51:35.883596 vault.lan.33305 > ns7so.cg.shawcable.net.domain:  2362+ PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:38.163051 vault.lan.33305 > 192.36.148.17.domain:  1181 A? www.telus.net. (31) (DF)
> 15:51:40.902620 vault.lan.33305 > 198.41.0.4.domain:  24263 PTR? 182.181.179.142.in-addr.arpa. (46) (DF)
> 15:51:42.182418 vault.lan.33305 > k.root-servers.net.domain:  22529 A? www.telus.net. (31) (DF)

> The first entry above (15:51:01) indicates that the requested is being
> forwarded to the "forwarders" entry which resolves to
> ns7so.cg.shawcable.net

> When external resolution is working, this is the last entry as
> ns7so.cg.shawcable.net provides the answer.

> In a "hung" lookup, the output is above, first stop is the forwarder entry
> and then the root servers and finally failure.

> Does anybody have any idea why this external name resolution is
> periodically failing like this?  Any suggestions for debugging info?

> It seems that external lookups can function fine for days and then quit,
> sometimes only minutes and then quit.

> Thanks!

> curtis at telus dot net (which the smarter spambots can likely figure out
> anyway...)

I see three issues here :

1/ the zone "telus.net" is badly configured on a number of issues ( where mismatch
between nameservers delegated to and the list of nameservers the servers say),
very short ttl on NS records etc.

2/ you are running a beta-version of bind. Why ? 9.2.3 has been available for
a long time.

3/ you state that you use forwarders. Why ? Failiure of the forwarders might
give the behaviour you observe.



-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list