First nslookup/query from Windows clients always fails (Bind9)

Mark Andrews Mark_Andrews at isc.org
Tue Mar 7 23:01:54 UTC 2006


> This is Microsoft's fault. You are using Microsoft's nslookup which 
> has the side effect of appending your domain name to every lookup 
> first. In many setups this will cause the lookup to timeout.

	Which also makes it not RFC 1535 compliant.

Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993


              A Security Problem and Proposed Correction
                   With Widely Deployed DNS Software


> In your example below, you are asking nslookup to resolve 
> www.cartoonnetwork.com but in reality it is first trying 
> www.cartoonnetwork.com.services.domain.com instead (or whatever the 
> rest of your FQDN is).
> 
> Suggestions:
> 
> 1. Use dig
> 
> 2. If you want to use Microsoft's nslookup, append your query with a 
> period so it knows not to append your domain name to the query.
> 
> 3. I think you can also get the Windows binary version of nslookup 
> from ISC's win32 binary package of BIND as well (same place you get 
> dig). This doesn't exhibit that behavior. I would still recommend 
> learning dig though. It's much better.
> 
> At 12:19 PM 3/7/2006, aweaver at ee.net wrote:
> >I've set up two identical machines for the purpose of simple resolution
> >for hosts on my network. For whatever reason Windows clients always
> >fail to resolve domains on the first try every attempt, here is an
> >example of this behaviour:
> >
> >C:\Documents and Settings\aweaver.THENAP.000>nslookup www.cartoonnetwork.com
> >Server:  resolver2.services.domain.com
> >Address:  192.168.123.3
> >
> >DNS request timed out.
> >     timeout was 2 seconds.
> >*** Request to resolver2.services.domain.com timed-out
> >
> >C:\Documents and Settings\aweaver.THENAP.000>nslookup www.cartoonnetwork.com
> >Server:  resolver2.services.domain.com
> >Address:  192.168.123.3
> >
> >Non-authoritative answer:
> >Name:    cartoonnetwork.com
> >Addresses:  64.236.29.72, 64.236.22.72
> >Aliases:  www.cartoonnetwork.com
> >
> >On linux:
> >
> >[root at linuxweb ~]# nslookup cartoonnetwork.com
> >Server:         192.168.123.3
> >Address:        192.168.123.3#53
> >
> >Non-authoritative answer:
> >Name:   cartoonnetwork.com
> >Address: 64.236.22.72
> >Name:   cartoonnetwork.com
> >Address: 64.236.29.72
> >
> >Here is my configuration file that I am using on 192.168.123.2 and
> >192.168.123.3:
> >
> >options {
> >         directory "/var/named";
> >         dump-file "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         /*
> >          * If there is a firewall between you and nameservers you want
> >          * to talk to, you might need to uncomment the query-source
> >          * directive below.  Previous versions of BIND always asked
> >          * questions using port 53, but BIND 8.1 uses an unprivileged
> >          * port by default.
> >          */
> >          // query-source address * port 53;
> >};
> >
> >//
> >// a caching only nameserver config
> >//
> >controls {
> >         inet 127.0.0.1 allow {
> >                 10.1.1.0/24;
> >                 192.168.123.0/24;
> >                 172.0.1.0/24;
> >                 localhost;
> >         }
> >         keys { rndckey; };
> >};
> >zone "." IN {
> >         type hint;
> >         file "named.ca";
> >};
> >
> >zone "localdomain" IN {
> >         type master;
> >         file "localdomain.zone";
> >         allow-update { none; };
> >};
> >
> >zone "localhost" IN {
> >         type master;
> >         file "localhost.zone";
> >         allow-update { none; };
> >};
> >
> >zone "0.0.127.in-addr.arpa" IN {
> >         type master;
> >         file "named.local";
> >         allow-update { none; };
> >};
> >
> >zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
> >         type master;
> >         file "named.ip6.local";
> >         allow-update { none; };
> >};
> >
> >zone "255.in-addr.arpa" IN {
> >         type master;
> >         file "named.broadcast";
> >         allow-update { none; };
> >};
> >
> >zone "0.in-addr.arpa" IN {
> >         type master;
> >         file "named.zero";
> >         allow-update { none; };
> >};
> >
> >include "/etc/rndc.key";
> >
> >If anyone has a moment to try and tell me what I am doing wrong I would
> >appreciate it so much; I am more used to bind 8 as we have been using
> >it for years.
> >
> >There are no relevant lines in the log file either.
> >
> >Thanks,
> >-Drew
> 
> 
> Vinny Abello
> Network Engineer
> Server Management
> vinny at tellurian.com
> (973)300-9211 x 125
> (973)940-6125 (Direct)
> PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A
> 
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com (888)TELLURIAN
> 
> "Courage is resistance to fear, mastery of fear - not absence of 
> fear" -- Mark Twain
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
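The search-list behaviour this thread turns on, as an added example (not code from the thread, from BIND or from Microsoft): a small model of how a stub resolver expands a typed name against its search list. It reproduces what Vinny describes, the suffix being appended to www.cartoonnetwork.com before the name is tried as typed, shows why a trailing dot avoids it, and contrasts that with the RFC 1535 convention of trying a dotted name as-is first. The search list, the ndots threshold and the suffix_first switch are illustrative parameters and the names are those from the thread; nothing here calls a real resolver.

```python
"""Search-list expansion as a stub resolver performs it (illustrative model).

Added example, not code from the thread, BIND or Microsoft.  The
search_list, ndots and suffix_first parameters are assumptions chosen to
make the behaviour visible, not any product's API.
"""


def candidate_names(name, search_list, ndots=1, suffix_first=True):
    """Return, in order, the absolute names a resolver would send.

    name         -- the name as typed by the user
    search_list  -- suffixes to append, e.g. ["services.domain.com"]
    ndots        -- RFC 1535 convention: a name containing at least this
                    many dots is tried as typed before any suffix is added
    suffix_first -- True reproduces the nslookup behaviour the thread
                    complains about: the suffix is always appended first,
                    even to a name that already looks fully qualified
    """
    if name.endswith("."):
        # Trailing dot: absolute name, the search list is never consulted.
        return [name]
    absolute = name + "."
    suffixed = ["%s.%s." % (name, s.strip(".")) for s in search_list]
    if suffix_first or name.count(".") < ndots:
        return suffixed + [absolute]
    return [absolute] + suffixed


def implicit_search_list(local_domain):
    """Derive the 'implicit' search list RFC 1535 warns against.

    Older resolvers built the search list by stripping leading labels from
    the host's own domain down to the second-level domain, so a lookup that
    missed in services.domain.com silently fell through to domain.com.
    """
    labels = local_domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def first_query(name, search_list, **kwargs):
    """The first name actually put on the wire (the one that timed out)."""
    return candidate_names(name, search_list, **kwargs)[0]


if __name__ == "__main__":
    # Constructed inputs based on the names appearing in the thread.
    search = ["services.domain.com"]
    for typed in ("www.cartoonnetwork.com", "www.cartoonnetwork.com.", "resolver2"):
        print("%-25s suffix-first: %s" % (typed, candidate_names(typed, search)))
        print("%-25s RFC 1535:     %s"
              % (typed, candidate_names(typed, search, suffix_first=False)))
    print("implicit search list:", implicit_search_list("services.domain.com"))
```

Run it and the first line shows the query that produced the two-second timeout in Drew's session: www.cartoonnetwork.com.services.domain.com. must be resolved (or fail) before the name he actually wanted is tried; the second run succeeds only because the negative answer is now cached. The trailing-dot case yields a single candidate, which is why suggestion 2 above works.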


