trace ok but cannot get answer

Hans F. Nordhaug Hans.F.Nordhaug at hiMolde.no
Fri Aug 15 07:04:48 UTC 2008


Just for the record. This is the same behavior that I have reported in
the thread "Recursive queries fail if query source port is not fixed":

    http://marc.info/?t=121861329300002

(It's a long thread, but after a while I discovered that using trace
works - see http://marc.info/?l=bind-users&m=121871565628576&w=2.)
Unluckily, I haven't found a solution yet.

Regards,
Hans

* Kevin Darcy <kcd at chrysler.com> [2008-08-15]:
> From the outside, it looks like 211.148.192.137 has a firewall in front
> of it that blocks all query packets with the RD (Recursion Desired) bit
> set. Non-recursive queries seem to work fine, but recursive queries are
> getting dropped.
> 
> A version query shows 9.4.2 (unpatched), so maybe this is an awkward
> attempt to protect themselves against the Kaminsky attack.
> 
> If the firewall is doing this to your customer as well, and he/she is
> trying to use 211.148.192.137 as a recursive resolver, that's going to
> be a problem...
> 
> - Kevin
> 
> Ken Lai wrote:
> > Hi,
> > Yesterday one of our customers complained that he cannot resolve
> > www.zaobao.com; the DNS server he uses is 211.148.192.137. So I traced
> > it and got:
> > ken at ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com +trace
> >
> > ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com +trace
> > ; (1 server found)
> > ;; global options: printcmd
> > . 481468 IN NS C.ROOT-SERVERS.NET.
> > . 481468 IN NS A.ROOT-SERVERS.NET.
> > . 481468 IN NS J.ROOT-SERVERS.NET.
> > . 481468 IN NS B.ROOT-SERVERS.NET.
> > . 481468 IN NS G.ROOT-SERVERS.NET.
> > . 481468 IN NS L.ROOT-SERVERS.NET.
> > . 481468 IN NS E.ROOT-SERVERS.NET.
> > . 481468 IN NS M.ROOT-SERVERS.NET.
> > . 481468 IN NS H.ROOT-SERVERS.NET.
> > . 481468 IN NS I.ROOT-SERVERS.NET.
> > . 481468 IN NS D.ROOT-SERVERS.NET.
> > . 481468 IN NS K.ROOT-SERVERS.NET.
> > . 481468 IN NS F.ROOT-SERVERS.NET.
> > ;; Received 500 bytes from 211.148.192.137#53(211.148.192.137) in 11 ms
> >
> > com. 172800 IN NS B.GTLD-SERVERS.NET.
> > com. 172800 IN NS C.GTLD-SERVERS.NET.
> > com. 172800 IN NS D.GTLD-SERVERS.NET.
> > com. 172800 IN NS E.GTLD-SERVERS.NET.
> > com. 172800 IN NS F.GTLD-SERVERS.NET.
> > com. 172800 IN NS G.GTLD-SERVERS.NET.
> > com. 172800 IN NS H.GTLD-SERVERS.NET.
> > com. 172800 IN NS I.GTLD-SERVERS.NET.
> > com. 172800 IN NS J.GTLD-SERVERS.NET.
> > com. 172800 IN NS K.GTLD-SERVERS.NET.
> > com. 172800 IN NS L.GTLD-SERVERS.NET.
> > com. 172800 IN NS M.GTLD-SERVERS.NET.
> > com. 172800 IN NS A.GTLD-SERVERS.NET.
> > ;; Received 504 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 278 ms
> >
> > zaobao.com. 172800 IN NS ns1.asia1.com.sg.
> > zaobao.com. 172800 IN NS ns2.asia1.com.sg.
> > ;; Received 80 bytes from 192.52.178.30#53(K.GTLD-SERVERS.NET) in 346 ms
> >
> > www.zaobao.com. 360 IN CNAME zaobao.com.edgesuite.net.
> > zaobao.com.edgesuite.net. 9033 IN CNAME a1868.g.akamai.net.
> > g.akamai.net. 289 IN NS n4g.akamai.net.
> > g.akamai.net. 289 IN NS n6g.akamai.net.
> > g.akamai.net. 289 IN NS n2g.akamai.net.
> > g.akamai.net. 289 IN NS n8g.akamai.net.
> > g.akamai.net. 289 IN NS n3g.akamai.net.
> > g.akamai.net. 289 IN NS n5g.akamai.net.
> > g.akamai.net. 289 IN NS n0g.akamai.net.
> > g.akamai.net. 289 IN NS n1g.akamai.net.
> > g.akamai.net. 289 IN NS n7g.akamai.net.
> > ;; Received 405 bytes from 202.27.17.253#53(ns1.asia1.com.sg) in 96 ms
> >
> > but i get this also:
> >
> > ken at ken-laptop ~ $ dig @211.148.192.137 www.zaobao.com
> >
> > ; <<>> DiG 9.4.2-P1 <<>> @211.148.192.137 www.zaobao.com
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; connection timed out; no servers could be reached
> >
> > Could anyone guide me? Thanks.
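An added diagnostic (example code, not from this thread or from BIND) that checks Kevin's hypothesis the same way the two dig runs above do in combination: it sends one question to a server with RD clear and again with RD set, and reports which of the two is answered. Server address, query name and timeout are assumed inputs; only the Python standard library is used.

```python
import socket
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Minimal DNS query for qname/IN/qtype; only the RD flag varies between probes."""
    flags = 0x0100 if rd else 0x0000          # bit 8 of the flags word is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header: id, QR/RD/RA flags, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def probe(server: str, qname: str, rd: bool, timeout: float = 3.0):
    """Send one UDP query to server:53; return the parsed header, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, rd=rd), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)

def classify(nonrec, rec) -> str:
    """Turn the RD=0 and RD=1 probe results into a verdict."""
    if nonrec is None and rec is None:
        return "no response to either query: server unreachable or UDP/53 blocked"
    if nonrec is not None and rec is None:
        return "RD=0 answered, RD=1 dropped: something filters recursive queries"
    if rec is not None and not rec["ra"]:
        return "recursive query answered but RA clear: server does not offer recursion"
    return "both queries answered; recursion appears to work"

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # e.g. a resolver IP and a hostname
    print(classify(probe(server, name, rd=False), probe(server, name, rd=True)))
```

A timeout on the RD=1 probe alone matches the "connection timed out" seen in the plain dig run while +trace (which issues non-recursive queries) succeeded.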

