Name Resolve

Stefan Puiu stefan.puiu at gmail.com
Thu Mar 15 12:53:12 UTC 2007


By the way, check the domain that's causing you trouble with dnsreport.com:

http://www.dnsreport.com/tools/dnsreport.ch?domain=getfreesofts.com

It seems some of the NS entries have CNAMEs in the hostname part.
However, I'm not sure if that can trigger a SERVFAIL from BIND.

On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
> Thank you again Stefan,
> I've configured our PIX firewall a long time back to the default value that
> BIND uses for EDNS packets,
> and after a while, to eliminate the firewall from this mystery, I completely
> removed the DNS inspection on the firewall.
> The EDNS size option is not the issue, I believe, and I have also tried it.
> Weirdly enough, sometimes I get the same error, and by issuing "rndc
> flush" the server starts resolving the troubled domain again.
>
> ----- Original Message -----
> From: "Stefan Puiu" <stefan.puiu at gmail.com>
> To: "Wael Shahin" <wael.shahin at gmail.com>
> Cc: <bind-users at isc.org>
> Sent: Thursday, March 15, 2007 2:13 PM
> Subject: Re: Name Resolve
>
>
> > On 3/15/07, Wael Shahin <wael.shahin at gmail.com> wrote:
> >> Well, the other server is views and it is not complex at all
> >>
> >> options {
> >>         directory "/var/named/";
> >>         dump-file "/var/named/data/cache_dump.db";
> >>         statistics-file "/var/named/data/named_stats.txt";
> >>         version "Get Lost";
> >>         datasize default;
> >>         querylog no;
> >>         recursive-clients 30000;
> >>         edns-udp-size 512;
> >
> >           ^^^^
> > This is one difference that sticks out - it's a workaround for
> > firewalls blocking DNS packets bigger than 512 bytes. If your firewall
> > has that problem and you can't replace or fix it, you can use this as
> > a workaround on your first server, too.
> >
> > IIRC, you can check whether it's your case using dig. Quoting from an
> > older mail by Mark Andrews (you can find it in the list archives -
> > http://marc.info/?l=bind-users&m=110479849321451&w=2):
> >
> >> > You can determine if the firewall is misconfigured if you get
> >> > a response to the first query and not to the second query.
> >> >
> >> > dig soa com +norec @a.root-servers.net
> >> > dig soa com +norec +bufsize=1024 @a.root-servers.net
> >
> >
> >>         pid-file "/var/named/named.pid";
> >>         /*
> >>          * If there is a firewall between you and nameservers you want
> >>          * to talk to, you might need to uncomment the query-source
> >>          * directive below.  Previous versions of BIND always asked
> >>          * questions using port 53, but BIND 8.1 uses an unprivileged
> >>          * port by default.
> >>          */
> >>          // query-source address * port 53;
> >> };
> >>
> >>
> >> View 1
> >> acl internal { 192.168.0.0/16; };
> >> view "internal" {
> >>         match-clients { internal; };
> >>         recursion yes;
> >>
>
>
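The two dig queries quoted above (plain, then with +bufsize=1024 against a.root-servers.net), reproduced as an added example that is not from this thread, from BIND or from dig: it builds the same non-recursive SOA query for com with and without an EDNS0 OPT record, sends both over UDP and reports the pattern Mark Andrews describes. The packet builder, the OPT-size parser and the diagnose() labels are my own; running the __main__ part assumes outbound UDP port 53 is allowed.

```python
import socket
import struct
OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 2671)

def build_query(name, qtype=6, bufsize=None, qid=0x1234):
    """Non-recursive query (RD=0, like 'dig +norec'); bufsize adds an EDNS0 OPT RR."""
    header = struct.pack('!HHHHHH', qid, 0, 1, 0, 0, 1 if bufsize else 0)
    qname = b''.join(bytes([len(label)]) + label.encode() for label in name.strip('.').split('.'))
    msg = header + qname + b'\x00' + struct.pack('!HH', qtype, 1)  # QTYPE, QCLASS=IN
    if bufsize:  # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        msg += b'\x00' + struct.pack('!HHIH', OPT, bufsize, 0, 0)
    return msg

def _skip_name(data, off):  # step over a wire-format name (labels, compression pointer or root)
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def edns_size(msg):
    """UDP payload size advertised by the OPT RR in the additional section, or None."""
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == OPT:
            return rclass  # for OPT the CLASS field carries the buffer size
        off += 10 + rdlen
    return None

def ask(server, msg, timeout=3.0):  # returns None on timeout, the symptom the check looks for
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def diagnose(plain_answered, edns_answered):
    if plain_answered and not edns_answered:
        return 'edns-dropped'  # firewall is likely blocking DNS packets over 512 bytes
    return 'ok' if plain_answered else 'no-answer'  # no-answer: the problem is not EDNS

if __name__ == '__main__':
    plain = ask('a.root-servers.net', build_query('com'))
    edns = ask('a.root-servers.net', build_query('com', bufsize=1024))
    print(diagnose(plain is not None, edns is not None))
```

An 'edns-dropped' result is the case where edns-udp-size 512 in named.conf papers over the firewall; 'ok' means the resolver's SERVFAILs need a different explanation.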
