Problem resolving a domain on my cache server. (part II)

Fabiano Silos Reis fsilos at ig.com
Thu Mar 24 12:44:51 UTC 2005


Hi Mark,

Your point looks interesting. I have a question here: When exactly does
named send EDNS queries? Once in a while? If yes, in what situations
are EDNS queries executed?

I ask this because sometimes my cache server starts not answering
queries for www.redecard.com.br and that persists for more than 60
seconds. Last time it happened I had to restart named. After restart it
starts resolving again.

Thanks in advance,

Fabiano

-----Original Message-----
From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
Sent: Wednesday, March 23, 2005 7:56 PM
Cc: Fabiano Silos Reis; bind-users at isc.org
Subject: Re: Problem resolving a domain on my cache server. (part II)


>
> > Hi Mark,
> >
> > I know what you mean. The problem is that my cache server keeps
> > resolving for a while but somehow from time to time this host
> > (www.redecard.com.br) cannot be resolved by my cache server (my server
> > answers with timeout responses). But when this host cannot be resolved by
> > my cache server I set up a script that digs this host directly from their
> > two ns
> >
> > dig -b mycacheserver_ip_address#the_same_src_port_namded_is_using www.redecard.com.br @200.211.224.110
> > dig -b mycacheserver_ip_address#the_same_src_port_namded_is_using www.redecard.com.br @200.211.224.111
> >
> > I get positive answers. So I suppose it is not communication fault or
> > their fault.
> >
> > Don't you think my cache server daemon may be losing something when it
> > tries to resolve this specific host?
> >
> > Thanks in advance,
> >
> > Fabiano
>
> 	It looks like they are running the Microsoft Windows 2000
> 	nameserver version which has a dead timer after they get an
> 	EDNS query.  It returns a FORMERR then doesn't respond to
> 	EDNS queries from the same IP address for 60 seconds.
>
> 	This really hurts when there are multiple nameservers behind
> 	a NAT (as they all appear to come from the same address)
> 	but can also hurt a non NAT'd nameserver if the timing is
> 	right.
>
> 	http://support.microsoft.com/default.aspx?scid=kb;en-us;837928
>
> 	Bcc'd postmaster at credicard.com.br so they fix their nameserver.
>
> 	Perform the following two queries.  The first will be
> 	responded to.  The second (and subsequent queries) will be
> 	dropped.
>
> 	dig +bufsize=512 www.redecard.com.br @200.211.224.111
> 	dig +bufsize=512 www.redecard.com.br @200.211.224.111
>
> 	Mark

	I meant to add you can use a server clause to disable the use
	of EDNS with these servers until they fix them.

	e.g.
		server 200.211.224.111 {
			edns no;
		};

	Mark

> > -----Original Message-----
> > From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
> > Sent: Tuesday, March 22, 2005 6:08 PM
> > To: Fabiano Silos Reis
> > Cc: bind-users at isc.org
> > Subject: Re: Problem resolving a domain on my cache server. (part II)
> >
> >
> > >
> > > Hi list,
> > >
> > > Some months ago I asked here about a domain I can't resolve on my
> > > cache server because of a firewall on the dns that hosts this domain
> > > (they were blocking everyone doing queries using source udp port below
> > > 53). Today I will ask again about one domain I can't resolve on my
> > > cache server.
> > >
> > > To make sure the problem is not firewall issue again I tested it using
> > > DIG and setting the source ip/port exactly to what named process is
> > > using to make queries. I receive answer without problems.
> > >
> > > Actually I have problem to resolve just one hostname ->
> > > www.redecard.com.br. When I startup my cache server process and make one
> > > query to it I receive the answer from my server. But after some time
> > > running (and memory cache getting bigger) only this domain stops
> > > working. I'm not owner of domain redecard.com.br but the problem is
> > > some of my cache clients are complaining that they could not resolve
> > > this domain using my cache server. I couldn't understand why and how
> > > this is happening. I tried some things trying to fix it. Doing rndc
> > > flushname for some times I can resolve this domain but some times rndc
> > > flushname makes no difference.
> > >
> > > Does someone have a clue on how to trace this kind of problem? Is the
> > > problem my cache or the problem is on a mistake at redecard.com.br dns
> > > servers?
> > >
> > > Below I will paste my named configure line, version and named.conf. I
> > > would appreciate any help on this.
> > >
> > > Thanks
> > >
> > > Fabiano
> >
> > 	Well they don't have a robust nameserver setup.  There
> > 	are plenty of opportunities for single point failures to
> > 	make both nameservers unreachable when using consecutive
> > 	addresses.
> >
> > 	Any routing problems will affect both servers simultaneously
> > 	(same AS path).
> >
> > 	Highly likely that there are common power failure points that
> > 	will make both servers unreachable.
> >
> > 	Mark
> >
> > ; <<>> DiG 8.3 <<>> redecard.com.br ns
> > ;; res options: init recurs defnam dnsrch
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29000
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
> > ;; QUERY SECTION:
> > ;;	redecard.com.br, type = NS, class = IN
> >
> > ;; ANSWER SECTION:
> > redecard.com.br.	59m49s IN NS	canopus1.credicard.com.br.
> > redecard.com.br.	59m49s IN NS	regulus1.credicard.com.br.
> >
> > ;; ADDITIONAL SECTION:
> > canopus1.credicard.com.br.  52m28s IN A  200.211.224.111
> > regulus1.credicard.com.br.  52m29s IN A  200.211.224.110
> >
> > ;; Total query time: 0 msec
> > ;; FROM: drugs.dv.isc.org to SERVER: 127.0.0.1
> > ;; WHEN: Wed Mar 23 08:02:52 2005
> > ;; MSG SIZE  sent: 33  rcvd: 121
> >
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
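
Added example, not part of the original thread or of BIND: a Python sketch of the two-query test described above, building a plain query and an EDNS query (as `dig +bufsize=512` sends) and classifying the replies. The function names, result labels and sample replies are constructed for illustration.

```python
import socket
import struct

FORMERR = 1

def build_query(name, edns_bufsize=None, qid=0x1234, qtype=1):
    """Build an A query; if edns_bufsize is set, append an EDNS0 OPT record
    (what `dig +bufsize=512` sends)."""
    arcount = 0 if edns_bufsize is None else 1
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!2H", qtype, 1)  # class IN
    if edns_bufsize is not None:
        # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg

def rcode(reply):
    """RCODE is the low 4 bits of the flags word in the DNS header."""
    return struct.unpack("!H", reply[2:4])[0] & 0x000F

def probe(server, msg, timeout=3.0):
    """Send one UDP query; return the reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify(plain, edns_replies):
    """plain: reply to a non-EDNS query; edns_replies: replies to consecutive
    EDNS queries sent within the 60 s window (None = timed out)."""
    if plain is None:
        return "unreachable"
    first, rest = edns_replies[0], edns_replies[1:]
    if (first is not None and rcode(first) == FORMERR
            and rest and all(r is None for r in rest)):
        return "edns-dead-timer"  # candidate for: server <ip> { edns no; };
    if all(r is not None and rcode(r) != FORMERR for r in edns_replies):
        return "edns-ok"
    return "inconclusive"

def sample_reply(rc, qid=0x1234):
    """Constructed 12-byte reply header (QR and RD set) for offline testing."""
    return struct.pack("!6H", qid, 0x8100 | rc, 1, 0, 0, 0)
```

Against a live server, pass classify() the result of probe(ip, build_query(name)) and of two consecutive probe(ip, build_query(name, 512)) calls. A first EDNS probe that already times out is reported as inconclusive, since a dead timer started by an earlier query may still be running.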


