DNS problems / unable to reach authoritative server?

Mark Andrews Mark_Andrews at isc.org
Wed Sep 13 22:58:20 UTC 2006


> Wait, I take that back. It worked for ONE server, which now seems to
> just magically have started working. Even after putting the system back
> to the default mode. The others still cannot resolve phila.gov. And your
> line suggested below
> 
> query-source address * port 8765;
> 
> Just makes my named unhappy and not start.  I tried calling a few people
> in the City of Philly, but got nowhere.
> 
> Nick

	Welcome to the world of idiots with firewalls.  Blocking
	incoming traffic based on source port is stupid.  Blocking
	replies to traffic you let in is stupid.  There is a firewall
	in front of the DNS server that is doing one of these two
	things.
 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Brenckle, Nicholas
> Sent: Wednesday, September 13, 2006 4:59 PM
> To: Greg Chavez
> Cc: bind-users at isc.org
> Subject: RE: DNS problems / unable to reach authoritative server?
> 
> Oddly, what worked for me was to add the line of 
> 
> Query-source address * port 53;
> 
> Which by default was commented out in my package (bind 9.2.4,  or
> bind-9.2.4-16-EL4 since it's a RHEL box)
> 
> This should have no long term effect on anything else should it?
> 
> Thanks for the help.
> 
> -Nick
> 
> -----Original Message-----
> From: Greg Chavez [mailto:greg.chavez at gmail.com] 
> Sent: Wednesday, September 13, 2006 11:19 AM
> To: Brenckle, Nicholas
> Cc: bind-users at isc.org
> Subject: Re: DNS problems / unable to reach authoritative server?
> 
> Yikes.  I gave out bad named.conf syntax.  See my corrections.
> 
> On 9/13/06, Greg Chavez <greg.chavez at gmail.com> wrote:
> > On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
> > >
> > > I have a weird DNS problem where some of my DNS servers (customer
> > > resolvers) can see a domain, and some can't. From the ones that can,
> > > everything works fine. From the ones that don't, I get timeouts when
> > > doing a host or a dig, but I can request information from the auth DNS
> > > server for that domain without a problem. The question is, where in the
> > > chain is it failing to tell the server that doesn't work, where to get
> > > the information?
> >
> > phila.gov runs *crazy* old BIND.  I mean version 4 somewhere.  My
> > government outfit had a big problem with it a few months back:
> >
> >
> > http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85
> >
> > I was remiss and never posted the solution.  But I will do that now.
> >
> > At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
> > haven't already!).  Mail to phila.gov was queuing up on our mail
> > relays because queries to that domain by our DNS forwarders were
> > timing out.  Queries were sent with a source port that, while
> > configured as random, was being deterministically set to 32768
> > (2^15... the max value of a 16-bit number):
> >
> >   query-source address * port 53;
> 
> Correction:
> 
>   query-source address * port *;
> 
> > This by itself is not a problem and in fact is expected, documented
> > BIND behavior; to wit, we had no trouble sending and receiving
> > responses to DNS queries from virtually all other Internet domains our
> > users were hitting.   With little else left in our toolbox, however,
> > we changed this to use a static, unprivileged port.  After that,
> > phila.gov queries started resolving and our queues spilled forth.
> >
> >   query-source address 8765 port 53;
> 
> Correction:
> 
> query-source address * port 8765;
> 
> 
> > Don't know whyfore this worked, but it did.  The true solution of
> > course, would be for phila.gov to enter the 21st century.  Oh well.
> > Hope this helps you.
> >
> > > ---- working one
> > > [nbrenckle at ns1 ~]$ host www.phila.gov
> > > www.phila.gov has address 170.115.249.40
> > > [nbrenckle at ns1 ~]$ dig phila.gov
> > >
> > > ; <<>> DiG 9.2.4 <<>> phila.gov
> > > ;; global options:  printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;phila.gov.                     IN      A
> > >
> > > ;; ANSWER SECTION:
> > > phila.gov.              18536   IN      A       170.115.249.40
> > >
> > > ;; AUTHORITY SECTION:
> > > phila.gov.              18536   IN      NS      dns2.phila.gov.
> > > phila.gov.              18536   IN      NS      dns.phila.gov.
> > >
> > > ;; Query time: 6 msec
> > > ;; SERVER: 209.87.64.70#53(209.87.64.70)
> > > ;; WHEN: Tue Sep 12 09:47:58 2006
> > > ;; MSG SIZE  rcvd: 80
> > >
> > > [nbrenckle at ns1 ~]$
> > >
> > > ---- not working one (but see last info - 170.115.249.10 is the IP of
> > > dns2.phila.gov from the above dig)
> > >
> > > [nbrenckle at dnsr01 ~]$ host www.phila.gov
> > > ;; connection timed out; no servers could be reached
> > > [nbrenckle at dnsr01 ~]$ dig phila.gov
> > >
> > > ; <<>> DiG 9.2.4 <<>> phila.gov
> > > ;; global options:  printcmd
> > > ;; connection timed out; no servers could be reached
> > > [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> > > Using domain server:
> > > Name: 170.115.249.10
> > > Address: 170.115.249.10#53
> > > Aliases:
> > >
> > > www.phila.gov has address 170.115.249.40
> > > [nbrenckle at dnsr01 ~]$
> > >
> >
> 
> 
> -- 
> --Greg Chavez
> --
> 
> 
> 
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
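
The quickest way to confirm Mark's diagnosis (a firewall in front of the authoritative server that filters on the client's source port, or drops the replies it should let back in) is to send the same query from several fixed source ports and see which ones get an answer. The script below is an added example, not code from the thread or from ISC: it wraps dig's `-b address#port` option, which binds the local port the query is sent from, and classifies each reply. The server and name in the usage line (170.115.249.10, www.phila.gov) are the ones from the thread; the port list and the function names are this example's own, dig must be on PATH for the live probe, and binding a port below 1024 (such as 53) needs root. The embedded sample outputs are constructed to match the shape of the dig 9.2.4 output quoted above, so the classifier can be exercised without network access. One caveat on the thread's workaround: pinning `query-source ... port N` in named.conf removes the source-port entropy a resolver relies on to make forged replies hard to guess, so treat it as a diagnostic, not a setting to leave in place.

```shell
#!/bin/sh
# Added example, not code from the thread: probe an authoritative server
# from several fixed UDP source ports and classify each reply, to tell a
# firewall that filters on the client's source port from one that drops
# everything. Server, name and ports in the usage line are placeholders
# taken from the thread; dig must be on PATH for the live probe.

# classify_dig_output: read dig's output on stdin and print one token:
#   answer:<RCODE>  a reply came back (RCODE taken from the ;; ->>HEADER<<- line)
#   timeout         dig gave up ("connection timed out; no servers could be reached")
#   other           anything else, e.g. a usage error from dig
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*)
            echo timeout ;;
        *"->>HEADER<<-"*)
            rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
            echo "answer:$rcode" ;;
        *)
            echo other ;;
    esac
}

# probe_source_port SERVER NAME PORT: one A query for NAME sent to SERVER from
# local UDP port PORT. dig's -b binds the local address#port; 0.0.0.0 means
# any local address. Ports below 1024 (e.g. 53) need root. One try and a
# short timeout, so a filtered port shows up as "timeout" within seconds.
probe_source_port() {
    server=$1; name=$2; port=$3
    dig +tries=1 +time=3 +noedns -b "0.0.0.0#$port" "@$server" "$name" A 2>&1 \
        | classify_dig_output
}

# probe_ports SERVER NAME PORT...: one line per port, "<port> <result>".
# Reading the table: if 53 answers but an ephemeral port such as 32768 times
# out, the far side is filtering on source port; if every port times out,
# the path is blocked regardless of port.
probe_ports() {
    server=$1; name=$2; shift 2
    for port in "$@"; do
        printf '%-6s %s\n' "$port" "$(probe_source_port "$server" "$name" "$port")"
    done
}

# Constructed samples (shaped like the dig 9.2.4 output quoted in the thread)
# so the classifier can be exercised without network access.
SAMPLE_ANSWER='; <<>> DiG 9.2.4 <<>> phila.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0'
SAMPLE_TIMEOUT='; <<>> DiG 9.2.4 <<>> phila.gov
;; global options:  printcmd
;; connection timed out; no servers could be reached'

# self_check: run the classifier over the samples; exit status 0 on success.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_ANSWER"  | classify_dig_output)" = "answer:NOERROR" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output)" = "timeout" ] || return 1
    [ "$(printf 'dig: unknown option\n' | classify_dig_output)" = "other" ] || return 1
    return 0
}

self_check && echo "classifier self-check passed"

# Live use (needs a reachable server; run as root for port 53):
#   probe_ports 170.115.249.10 www.phila.gov 53 1024 8765 32768 40000
```

Run the live line against the two resolvers in the thread: on a box where port 53 and 8765 answer but 32768 times out, the far-side firewall is filtering on source port and no local named.conf setting other than a pinned port will help; on a box where every port answers, the resolver itself (or the firewall in front of it) is the one dropping the replies, and the query-source line is a red herring.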


