Recursive queries fail if query source port is not fixed

Hans F. Nordhaug Hans.F.Nordhaug at hiMolde.no
Thu Aug 14 12:05:21 UTC 2008 

* Andrey G. Sergeev (AKA Andris) <andris at aernet.ru> [2008-08-14]:
> Hello Hans,
[cut]
> Assuming that your name servers aren't authoritative for the, say, 
> yandex.ru, ku.dk and asahi.co.jp zones, please post here the results of 
> doing at least one command suggested below without the query-source 
> directive specified in your named.conf.
> 
> dig images.yandex.ru. a +tra
[cut]

Thx for replying. I did a query for the a record of images.yandex.ru
with and without the trace. With trace, I get a reply - without trace,
I don't (see below). (Well, I do - put after 3-4 repeated queries.) 
I really don't get it.

If I should guess, it must be dig sending the queries differently when
tracing.  If it is the firewall (Cisco ASA 5510) being overwhelmed, I
don't know where to look - I have tried... 

-----

; <<>> DiG 9.3.4-P1 <<>> @g4.tibe.no images.yandex.ru. a +tra
; (1 server found)
;; global options:  printcmd
.                       518289  IN      NS      L.ROOT-SERVERS.NET.
.                       518289  IN      NS      M.ROOT-SERVERS.NET.
.                       518289  IN      NS      A.ROOT-SERVERS.NET.
.                       518289  IN      NS      B.ROOT-SERVERS.NET.
.                       518289  IN      NS      C.ROOT-SERVERS.NET.
.                       518289  IN      NS      D.ROOT-SERVERS.NET.
.                       518289  IN      NS      E.ROOT-SERVERS.NET.
.                       518289  IN      NS      F.ROOT-SERVERS.NET.
.                       518289  IN      NS      G.ROOT-SERVERS.NET.
.                       518289  IN      NS      H.ROOT-SERVERS.NET.
.                       518289  IN      NS      I.ROOT-SERVERS.NET.
.                       518289  IN      NS      J.ROOT-SERVERS.NET.
.                       518289  IN      NS      K.ROOT-SERVERS.NET.
;; Received 500 bytes from 213.161.248.67#53(213.161.248.67) in 1 ms

ru.                     172800  IN      NS      ns.ripn.net.
ru.                     172800  IN      NS      ns2.nic.fr.
ru.                     172800  IN      NS      ns2.ripn.net.
ru.                     172800  IN      NS      ns5.msk-ix.net.
ru.                     172800  IN      NS      ns9.ripn.net.
ru.                     172800  IN      NS      sunic.sunet.se.
ru.                     172800  IN      NS      auth60.ns.uu.net.
;; Received 311 bytes from 199.7.83.42#53(L.ROOT-SERVERS.NET) in 143 ms

yandex.ru.              345600  IN      NS      ns1.yandex.ru.
yandex.ru.              345600  IN      NS      ns2.yandex.ru.
yandex.ru.              345600  IN      NS      ns4.yandex.ru.
yandex.ru.              345600  IN      NS      ns5.yandex.ru.
;; Received 170 bytes from 194.85.105.17#53(ns.ripn.net) in 92 ms

images.yandex.ru.       10800   IN      A       77.88.21.11
images.yandex.ru.       10800   IN      A       87.250.251.11
images.yandex.ru.       10800   IN      A       213.180.204.11
yandex.ru.              345600  IN      NS      ns5.yandex.ru.
yandex.ru.              345600  IN      NS      ns1.yandex.ru.
yandex.ru.              345600  IN      NS      ns2.yandex.ru.
yandex.ru.              345600  IN      NS      ns4.yandex.ru.
;; Received 218 bytes from 213.180.193.1#53(ns1.yandex.ru) in 48 ms

-----

; <<>> DiG 9.3.4-P1 <<>> @g4.tibe.no images.yandex.ru. a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42214
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;images.yandex.ru.              IN      A

;; Query time: 1 msec
;; SERVER: 213.161.248.67#53(213.161.248.67)
;; WHEN: Thu Aug 14 13:57:13 2008
;; MSG SIZE  rcvd: 34

-----

Hans

More information about the bind-users mailing list