First nslookup/query from Windows clients always fails (Bind9)
Mark Andrews
Mark_Andrews at isc.org
Tue Mar 7 23:01:54 UTC 2006
> This is Microsoft's fault. You are using Microsoft's nslookup which
> has the side effect of appending your domain name to every lookup
> first. In many setups this will cause the lookup to timeout.
Which also makes it not RFC 1535 compliant.
Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993

              A Security Problem and Proposed Correction
                   With Widely Deployed DNS Software
> In your example below, you are asking nslookup to resolve
> www.cartoonnetwork.com but in reality it is first trying
> www.cartoonnetwork.com.services.domain.com instead (or whatever the
> rest of your FQDN is).
>
> Suggestions:
>
> 1. Use dig
>
> 2. If you want to use Microsoft's nslookup, append your query with a
> period so it knows not to append your domain name to the query.
>
> 3. I think you can also get the Windows binary version of nslookup
> from ISC's win32 binary package of BIND as well (same place you get
> dig). This doesn't exhibit that behavior. I would still recommend
> learning dig though. It's much better.
>
> At 12:19 PM 3/7/2006, aweaver at ee.net wrote:
> >I've set up two identical machines for the purpose of simple resolution
> >for hosts on my network. For whatever reason Windows clients always
> >fail to resolve domains on the first try every attempt; here is an
> >example of this behaviour:
> >
> >C:\Documents and Settings\aweaver.THENAP.000>nslookup www.cartoonnetwork.com
> >Server: resolver2.services.domain.com
> >Address: 192.168.123.3
> >
> >DNS request timed out.
> > timeout was 2 seconds.
> >*** Request to resolver2.services.domain.com timed-out
> >
> >C:\Documents and Settings\aweaver.THENAP.000>nslookup www.cartoonnetwork.com
> >Server: resolver2.services.domain.com
> >Address: 192.168.123.3
> >
> >Non-authoritative answer:
> >Name: cartoonnetwork.com
> >Addresses: 64.236.29.72, 64.236.22.72
> >Aliases: www.cartoonnetwork.com
> >
> >On linux:
> >
> >[root@linuxweb ~]# nslookup cartoonnetwork.com
> >Server: 192.168.123.3
> >Address: 192.168.123.3#53
> >
> >Non-authoritative answer:
> >Name: cartoonnetwork.com
> >Address: 64.236.22.72
> >Name: cartoonnetwork.com
> >Address: 64.236.29.72
> >
> >Here is my configuration file that I am using on 192.168.123.2 and
> >192.168.123.3:
> >
> >options {
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > /*
> > * If there is a firewall between you and nameservers you want
> > * to talk to, you might need to uncomment the query-source
> > * directive below. Previous versions of BIND always asked
> > * questions using port 53, but BIND 8.1 uses an unprivileged
> > * port by default.
> > */
> > // query-source address * port 53;
> >};
> >
> >//
> >// a caching only nameserver config
> >//
> >controls {
> > inet 127.0.0.1 allow {
> > 10.1.1.0/24;
> > 192.168.123.0/24;
> > 172.0.1.0/24;
> > localhost;
> > }
> >keys { rndckey; };
> >
> >};
> >zone "." IN {
> > type hint;
> > file "named.ca";
> >};
> >
> >zone "localdomain" IN {
> > type master;
> > file "localdomain.zone";
> > allow-update { none; };
> >};
> >
> >zone "localhost" IN {
> > type master;
> > file "localhost.zone";
> > allow-update { none; };
> >};
> >
> >zone "0.0.127.in-addr.arpa" IN {
> > type master;
> > file "named.local";
> > allow-update { none; };
> >};
> >
> >zone
> >"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
> >IN
> > {
> > type master;
> > file "named.ip6.local";
> > allow-update { none; };
> >};
> >
> >zone "255.in-addr.arpa" IN {
> > type master;
> > file "named.broadcast";
> > allow-update { none; };
> >};
> >
> >zone "0.in-addr.arpa" IN {
> > type master;
> > file "named.zero";
> > allow-update { none; };
> >};
> >
> >include "/etc/rndc.key";
> >
> >If anyone has a moment to try and tell me what I am doing wrong I would
> >appreciate it so much; I am more used to bind 8 as we have been using
> >it for years.
> >
> >There are no relevant lines in the log file either.
> >
> >Thanks,
> >-Drew
>
>
> Vinny Abello
> Network Engineer
> Server Management
> vinny at tellurian.com
> (973)300-9211 x 125
> (973)940-6125 (Direct)
> PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
>
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com (888)TELLURIAN
>
> "Courage is resistance to fear, mastery of fear - not absence of
> fear" -- Mark Twain
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
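
The lookup order discussed in this thread, modelled as an added example (not part of the original messages and not nslookup's or BIND's code). It compares the suffix-first order described above with the RFC 1535 rule that a name containing a dot is tried as a rooted name first. The function names and the one-entry search list are assumptions made for illustration.

```python
"""Model of stub-resolver search-list expansion (illustrative only)."""


def candidates(name, search_list, absolute_first=False):
    """Return the FQDNs a stub resolver would query, in order.

    absolute_first=False: suffix-first order, as described in the thread.
    absolute_first=True:  RFC 1535 order, where a name containing a dot
                          is tried as a rooted name before any suffix.
    """
    if name.endswith("."):
        # A trailing dot marks the name as rooted: no suffix is appended.
        return [name]
    rooted = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search_list]
    if absolute_first and "." in name:
        return [rooted] + suffixed
    # Single-label names (and the suffix-first mode) try the suffixes first.
    return suffixed + [rooted]


def queries_before_intended(name, search_list, absolute_first=False):
    """Names sent to the server before the one the user actually typed."""
    intended = name if name.endswith(".") else name + "."
    order = candidates(name, search_list, absolute_first)
    return order[: order.index(intended)]


# Constructed sample: suffix taken from the server name shown in the thread.
SEARCH = ["services.domain.com"]

if __name__ == "__main__":
    runs = [("suffix-first", {}), ("RFC 1535", {"absolute_first": True})]
    for label, kwargs in runs:
        print(label, candidates("www.cartoonnetwork.com", SEARCH, **kwargs))
    print("trailing dot", candidates("www.cartoonnetwork.com.", SEARCH))
```

Every entry returned by `queries_before_intended` is a query for a name the user never typed, which is where the timeout in the transcript above comes from.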