Strange name resolution problem

Mark Andrews Mark_Andrews at isc.org
Sat Feb 3 22:55:25 UTC 2007


> We are using bind 9.3, for the most part it's working perfectly. But
> it can't resolve some sites. "dig +trace hostname @ns" returns the
> answer but "dig hostname @ns" always times out. I simply could not
> figure out the problem.

	They don't know how to configure a firewall.  Their firewall
	is blocking queries from port 53.   Given that a standard
	nameserver configuration is to source traffic from port 53
	(works well with stateless firewalls), there must be lots of
	clients that can't get answers from them.

	The first three queries were sourced from port 53.  The next
	query used port 1025 and it got a response.  To demonstrate
	that this is not a local problem, I queried a root server
	using a source port of 53 and got a response.

	Mark

bsdi# tcpdump -n -p -i sis0 port 53
tcpdump: listening on sis0
09:51:47.267711 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:51:52.280717 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:51:57.296616 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:52:13.676934 220.239.253.18.54968 > 195.221.139.126.53:  63640 A? www.fiatifta.org. (34)
09:52:14.001396 195.221.139.126.53 > 220.239.253.18.54968:  63640* 2/2/2 A 195.221.139.21, (142)
09:52:32.518687 220.239.253.18.53 > 198.41.0.4.53:  19632 A? www.fiatifta.org. (34)
09:52:32.760340 198.41.0.4.53 > 220.239.253.18.53:  19632- 0/6/8 (348) (DF)


> 
> This lookup fails
> =======
> $ dig www.fiatifta.org @cache01
> 
> ; <<>> DiG 9.2.3 <<>> www.fiatifta.org @cache01
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> 
> This lookup works
> =============
>  $dig +trace www.fiatifta.org @cache01
> 
> ; <<>> DiG 9.2.3 <<>> +trace www.fiatifta.org @cache01
> ;; global options:  printcmd
> .                       320489  IN      NS      M.ROOT-NET.
> 
> OUTPUT TRIMMED
> 
> fiatifta.org.           86400   IN      NS      nsr1.ina.fr.
> fiatifta.org.           86400   IN      NS      nsr0.ina.fr.
> ;; Received 78 bytes from 204.74.113.1#53
> 
> (TLD2.ULTRADNS.NET) in 98 ms
> 
> www.fiatifta.org.       86400   IN      A       195.221.139.20
> www.fiatifta.org.       86400   IN      A       195.221.139.21
> fiatifta.org.           86400   IN      NS      nsr1.ina.fr.
> fiatifta.org.           86400   IN      NS      nsr0.ina.fr.
> ;; Received 142 bytes from 195.221.139.126#53(nsr1.ina.fr) in 213 ms
> 
> Thanks
> Bhaskar
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
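The capture above is the whole diagnosis: the same query id is retried three times from source port 53 with no reply, one query from an ephemeral port is answered at once, and a port-53-sourced query to a root server is answered, so the blocking is at the remote end. The script below is an added example, not part of the thread or of BIND: it pairs queries with replies in tcpdump output of the format shown above by (client, source port, server, query id), reports which source ports a given server never answered, and builds a raw DNS A query that can be sent from a chosen UDP source port to repeat the test. The sample capture is constructed from the lines on the page; `probe()` needs network access (and root to bind port 53) and is not exercised offline.

```python
"""Pair DNS queries with replies in tcpdump output and reproduce a fixed-source-port probe."""
import re
import socket
import struct

# Constructed sample: the tcpdump lines from the capture above, copied here as input.
SAMPLE = """\
09:51:47.267711 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:51:52.280717 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:51:57.296616 220.239.253.18.53 > 195.221.139.126.53:  47096 A? www.fiatifta.org. (34)
09:52:13.676934 220.239.253.18.54968 > 195.221.139.126.53:  63640 A? www.fiatifta.org. (34)
09:52:14.001396 195.221.139.126.53 > 220.239.253.18.54968:  63640* 2/2/2 A 195.221.139.21, (142)
09:52:32.518687 220.239.253.18.53 > 198.41.0.4.53:  19632 A? www.fiatifta.org. (34)
09:52:32.760340 198.41.0.4.53 > 220.239.253.18.53:  19632- 0/6/8 (348) (DF)
"""

# "ts src.sport > dst.dport:  id[flags] rest"; flags such as * (AA), + (RD), - (RA clear).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<id>\d+)(?P<flags>[-+*|$%]*)\s+(?P<rest>.*)$"
)
# A query line carries "TYPE? name"; a reply carries answer/authority/additional counts instead.
QUERY_RE = re.compile(r"^\s*(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)")


def analyze(capture: str) -> dict:
    """Return {(client, sport, server, qid): (qname, times_sent, answered)} for each query flow."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qid = int(m["id"])
        qm = QUERY_RE.match(m["rest"])
        if qm:
            key = (m["src"], int(m["sport"]), m["dst"], qid)
            entry = flows.setdefault(key, {"qname": qm["qname"], "sent": 0, "answered": False})
            entry["sent"] += 1          # retries reuse the same id, so count them
        else:
            # A reply is addressed back to the client's source port with the query's id.
            key = (m["dst"], int(m["dport"]), m["src"], qid)
            if key in flows:
                flows[key]["answered"] = True
    return {k: (v["qname"], v["sent"], v["answered"]) for k, v in flows.items()}


def verdict(flows: dict, server: str) -> tuple:
    """Source ports the server never answered vs. ports it did answer (sorted lists)."""
    dead, live = set(), set()
    for (_client, sport, srv, _qid), (_qname, _sent, answered) in flows.items():
        if srv == server:
            (live if answered else dead).add(sport)
    return sorted(dead - live), sorted(live)


def build_a_query(qname: str, qid: int) -> bytes:
    """Raw DNS A/IN query with RD clear, as an iterative resolver sends it (34 bytes for www.fiatifta.org)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def probe(server: str, qname: str, source_port: int, timeout: float = 3.0) -> bool:
    """Send one query from a fixed UDP source port; True if a reply with the same id arrives.
    Binding port 53 needs root. Needs network access, so it is not run by the offline test."""
    qid = 0x1234  # assumed fixed id for the single probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))
        s.settimeout(timeout)
        s.sendto(build_a_query(qname, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return len(data) >= 2 and struct.unpack("!H", data[:2])[0] == qid


if __name__ == "__main__":
    flows = analyze(SAMPLE)
    for server in ("195.221.139.126", "198.41.0.4"):
        dead, live = verdict(flows, server)
        print(f"{server}: no reply to source ports {dead}, replied to {live}")
```

Without the script, the same check from a shell is `dig -b 0.0.0.0#53 www.fiatifta.org @nsr1.ina.fr` (run as root so port 53 can be bound) beside a plain `dig www.fiatifta.org @nsr1.ina.fr`; a timeout on the first and an answer on the second is the signature of a firewall dropping port-53-sourced queries.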


