Name Resolve
Stefan Puiu
stefan.puiu at gmail.com
Thu Mar 15 12:53:12 UTC 2007
By the way, check the domain that's causing you trouble with dnsreport.com:
http://www.dnsreport.com/tools/dnsreport.ch?domain=getfreesofts.com
It seems some of the NS entries have CNAMEs in the hostname part.
However, I'm not sure if that can trigger a SERVFAIL from BIND.
On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
> Thank you again Stefan,
> I've configured our PIX firewall long time back to the default value that
> BIND uses for EDNS packets
> and after a while to eliminate the firewall from this mystery I completely
> removed the DNS inspection on the firewall.
> The edns size option is not the issue I believe, and I have also tried it.
> Weirdly enough sometimes I get the same error and by issuing the "rndc
> flush" the server starts resolving the troubled domain again.
>
> ----- Original Message -----
> From: "Stefan Puiu" <stefan.puiu at gmail.com>
> To: "Wael Shahin" <wael.shahin at gmail.com>
> Cc: <bind-users at isc.org>
> Sent: Thursday, March 15, 2007 2:13 PM
> Subject: Re: Name Resolve
>
>
> > On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
> >> Well, the other server is views and it is not complex at all
> >>
> >> options {
> >> directory "/var/named/";
> >> dump-file "/var/named/data/cache_dump.db";
> >> statistics-file "/var/named/data/named_stats.txt";
> >> version "Get Lost";
> >> datasize default;
> >> querylog no;
> >> recursive-clients 30000;
> >> edns-udp-size 512;
> >
> > ^^^^
> > This is one difference that sticks out - it's a workaround for
> > firewalls blocking DNS packets bigger than 512 bytes. If your firewall
> > has that problem and you can't replace or fix it, you can use this as
> > a workaround on your first server, too.
> >
> > IIRC, you can check whether it's your case using dig. Quoting from an
> > older mail by Mark Andrews (you can find it in the list archives -
> > http://marc.info/?l=bind-users&m=110479849321451&w=2):
> >
> >> > You can determine if the firewall is misconfigured if you get
> >> > a response to the first query and not to the second query.
> >> >
> >> > dig soa com +norec @a.root-servers.net
> >> > dig soa com +norec +bufsize=1024 @a.root-servers.net
> >
> >
> >> pid-file "/var/named/named.pid";
> >> /*
> >> * If there is a firewall between you and nameservers you want
> >> * to talk to, you might need to uncomment the query-source
> >> * directive below. Previous versions of BIND always asked
> >> * questions using port 53, but BIND 8.1 uses an unprivileged
> >> * port by default.
> >> */
> >> // query-source address * port 53;
> >> };
> >>
> >>
> >> View 1
> >> acl internal { 192.168.0.0/16; };
> >> view "internal" {
> >> match-clients { internal; };
> >> recursion yes;
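The firewall check Mark Andrews describes in the quoted mail (a plain "soa com +norec" query versus the same query with +bufsize=1024, against a.root-servers.net), written out as an added example that is not part of this thread: it builds both queries by hand so the EDNS OPT record that "edns-udp-size 512" effectively neuters is visible on the wire, then applies his rule to the two answers. The function names, the 3-second timeout and the wording of the verdicts are my own.

```python
import secrets
import socket
import struct

OPT_TYPE = 41  # EDNS0 pseudo-RR type (RFC 6891)

def encode_name(name):
    """Dotted hostname -> DNS wire-format labels, root label included."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\x00"

def build_query(name, qtype=6, edns_bufsize=None, recursion=False):
    """Query for name (qtype 6 = SOA); edns_bufsize adds an OPT RR like dig +bufsize does."""
    flags = 0x0100 if recursion else 0x0000  # RD bit; +norec clears it
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", secrets.randbits(16), flags, 1, 0, 0, arcount)
    packet = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_bufsize:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL/RDLEN zero
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return packet

def advertised_bufsize(packet):
    """EDNS payload size a single-question query advertises, or None without an OPT RR."""
    if struct.unpack("!H", packet[10:12])[0] == 0:
        return None
    pos = 12
    while packet[pos]:  # skip QNAME labels
        pos += 1 + packet[pos]
    pos += 1 + 4  # root label, QTYPE, QCLASS
    rtype, rclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return rclass if packet[pos] == 0 and rtype == OPT_TYPE else None

def probe(server, bufsize=None, timeout=3.0):
    """Send one 'soa com +norec' query over UDP; None on timeout (packet dropped on the path)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("com", edns_bufsize=bufsize), (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def classify(plain, edns):
    """Mark Andrews' rule: an answer to the plain query but none to the EDNS one points at the firewall."""
    if plain is None:
        return "no answer even without EDNS: check reachability first"
    if edns is None:
        return "EDNS query dropped: firewall likely blocks DNS packets over 512 bytes"
    return "both answered: EDNS passes this path"
```

Run it from the resolver behind the firewall with `classify(probe("a.root-servers.net"), probe("a.root-servers.net", bufsize=1024))`; a verdict of "EDNS query dropped" is the case where the edns-udp-size 512 workaround (or fixing the firewall) applies.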