DNS problems / unable to reach authoritative server?
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 13 22:58:20 UTC 2006
> Wait, I take that back. It worked for ONE server, which now seems to
> just magically have started working. Even after putting the system back
> to the default mode. The others still cannot resolve phila.gov. And your
> line suggested below
>
> query-source address * port 8765;
>
> Just makes my named unhappy and not start. I tried calling a few people
> in the City of Philly, but got nowhere.
>
> Nick
Welcome to the world of idiots with firewalls. Blocking
incoming traffic based on source port is stupid. Blocking
replies to traffic you let in is stupid. There is a firewall
in front of the DNS server that is doing one of these two
things.
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Brenckle, Nicholas
> Sent: Wednesday, September 13, 2006 4:59 PM
> To: Greg Chavez
> Cc: bind-users at isc.org
> Subject: RE: DNS problems / unable to reach authoritative server?
>
> Oddly, what worked for me was to add the line of
>
> Query-source address * port 53;
>
> Which by default was commented out in my package (bind 9.2.4, or
> bind-9.2.4-16-EL4 since it's a RHEL box)
>
> This should have no long term effect on anything else should it?
>
> Thanks for the help.
>
> -Nick
>
> -----Original Message-----
> From: Greg Chavez [mailto:greg.chavez at gmail.com]
> Sent: Wednesday, September 13, 2006 11:19 AM
> To: Brenckle, Nicholas
> Cc: bind-users at isc.org
> Subject: Re: DNS problems / unable to reach authoritative server?
>
> Yikes. I gave out bad named.conf syntax. See my corrections.
>
> On 9/13/06, Greg Chavez <greg.chavez at gmail.com> wrote:
> > On 9/13/06, Brenckle, Nicholas <NBrenckle at dsl.net> wrote:
> > >
> > > I have a weird DNS problem where some of my DNS servers (customer
> > > resolvers) can see a domain, and some can't. From the ones that can,
> > > everything works fine. From the ones that don't, I get timeouts when
> > > doing a host or a dig, but I can request information from the auth DNS
> > > server for that domain without a problem. The question is, where in the
> > > chain is it failing to tell the server that doesn't work, where to get
> > > the information?
> >
> > phila.gov runs *crazy* old BIND. I mean version 4 somewhere. My
> > government outfit had a big problem with it a few months back:
> >
> >
> > http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/7770697c13376c84/b1ec9d51c1089a85?lnk=gst&q=phila.gov&rnum=1#b1ec9d51c1089a85
> >
> > I was remiss and never posted the solution. But I will do that now.
> >
> > At the time, we were running BIND 9.2.2 (upgrade to 9.3.2-P1 if you
> > haven't already!). Mail to phila.gov was queuing up on our mail
> > relays because queries to that domain by our DNS forwarders were
> > timing out. Queries were sent with a source port that, while
> > configured as random, was being deterministically set to 32768
> > (2^15... the max value of a 16-bit number):
> >
> > query-source address * port 53;
>
> Correction:
>
> query-source address * port *;
>
> > This by itself is not a problem and in fact is expected, documented
> > BIND behavior; to wit, we had no trouble sending and receiving
> > responses to DNS queries from virtually all other Internet domains our
> > users were hitting. With little else left in our toolbox, however,
> > we changed this to use a static, unprivileged port. After that,
> > phila.gov queries started resolving and our queues spilled forth.
> >
> > query-source address 8765 port 53;
>
> Correction:
>
> query-source address * port 8765;
>
>
> > Don't know whyfore this worked, but it did. The true solution of
> > course, would be for phila.gov to enter the 21st century. Oh well.
> > Hope this helps you.
> >
> > > ---- working one
> > > [nbrenckle at ns1 ~]$ host www.phila.gov
> > > www.phila.gov has address 170.115.249.40
> > > [nbrenckle at ns1 ~]$ dig phila.gov
> > >
> > > ; <<>> DiG 9.2.4 <<>> phila.gov
> > > ;; global options: printcmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48731
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;phila.gov. IN A
> > >
> > > ;; ANSWER SECTION:
> > > phila.gov. 18536 IN A 170.115.249.40
> > >
> > > ;; AUTHORITY SECTION:
> > > phila.gov. 18536 IN NS dns2.phila.gov.
> > > phila.gov. 18536 IN NS dns.phila.gov.
> > >
> > > ;; Query time: 6 msec
> > > ;; SERVER: 209.87.64.70#53(209.87.64.70)
> > > ;; WHEN: Tue Sep 12 09:47:58 2006
> > > ;; MSG SIZE rcvd: 80
> > >
> > > [nbrenckle at ns1 ~]$
> > >
> > > ---- not working one (but see last info - 170.115.249.10 is the ip of
> > > dns2.phila.gov from the above dig)
> > >
> > > [nbrenckle at dnsr01 ~]$ host www.phila.gov
> > > ;; connection timed out; no servers could be reached
> > > [nbrenckle at dnsr01 ~]$ dig phila.gov
> > >
> > > ; <<>> DiG 9.2.4 <<>> phila.gov
> > > ;; global options: printcmd
> > > ;; connection timed out; no servers could be reached
> > > [nbrenckle at dnsr01 ~]$ host www.phila.gov 170.115.249.10
> > > Using domain server:
> > > Name: 170.115.249.10
> > > Address: 170.115.249.10#53
> > > Aliases:
> > >
> > > www.phila.gov has address 170.115.249.40
> > > [nbrenckle at dnsr01 ~]$
> > >
> > >
> > >
> > >
> >
>
>
> --
> --Greg Chavez
> --
>
>
>
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
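A diagnostic for the failure mode discussed in this thread, added here and not part of the original exchange: it sends the same DNS query from several UDP source ports so you can see whether a firewall in front of the authoritative server is dropping replies based on the source port. The server address, query name and port list are placeholders to substitute.

```python
import secrets
import socket
import struct

# Added diagnostic, not code from the thread: send one DNS A query for NAME to
# SERVER from a chosen UDP source port and report whether a reply comes back.
# Replies from some source ports but not others point at a firewall on the
# path filtering on source port.  SERVER/NAME in __main__ are placeholders.

def build_query(name, qid):
    """Minimal DNS query in wire format: A record, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data, qid):
    """Validate a reply header against our query id; return rcode and section counts."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply id %d does not match query id %d" % (rid, qid))
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    return {"rcode": flags & 0x000F, "answers": an, "authority": ns}

def probe(server, name, source_port, timeout=3.0):
    """Send one query bound to SOURCE_PORT; return 'reply ...', 'timeout' or 'error ...'."""
    qid = secrets.randbelow(65536)  # unpredictable id, so a stray packet is not mistaken for our reply
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("", source_port))  # 0 lets the kernel pick an ephemeral port
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _peer = sock.recvfrom(512)
        info = parse_reply(data, qid)
        return "reply (rcode=%d, answers=%d)" % (info["rcode"], info["answers"])
    except socket.timeout:
        return "timeout"
    except (OSError, ValueError) as exc:
        return "error: %s" % exc
    finally:
        sock.close()

if __name__ == "__main__":
    # Compare a privileged port, the fixed ports from the thread, and an ephemeral one.
    for port in (53, 8765, 32768, 0):
        print("source port %5d: %s" % (port, probe("192.0.2.1", "www.example.com", port)))
```

Binding port 53 needs root, and the 0 entry gives a kernel-chosen ephemeral port as a control. Pinning query-source to a fixed port, as the workaround in the thread does, removes source-port entropy the resolver would otherwise have against forged replies, so keep that for diagnosis rather than as a permanent setting.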