BIND can't resolve with unreachable second NS
Mark Andrews
Mark_Andrews at isc.org
Thu May 8 22:30:26 UTC 2008
Idiot with firewall.
drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com -b 0.0.0.0#53
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
drugs# dig www.childcaremanager.com +norec @ns1.ccmturbo.com
; <<>> DiG 9.3.4-P1 <<>> www.childcaremanager.com +norec @ns1.ccmturbo.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30063
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.childcaremanager.com. IN A
;; ANSWER SECTION:
www.childcaremanager.com. 0 IN CNAME childcaremanager.com.
childcaremanager.com. 3600 IN A 69.9.147.35
;; Query time: 213 msec
;; SERVER: 69.9.147.35#53(69.9.147.35)
;; WHEN: Fri May 9 08:29:57 2008
;; MSG SIZE rcvd: 72
drugs#
> A puzzle...
>
> Solaris 10, BIND 9.4.2.
>
> We've been having a problem resolving a web site name.
>
> Trying to resolve www.childcaremanager.com. Turns out that is a CNAME
> to childcaremanager.com.
>
> THAT domain claims to have 2 dns servers:
>
> ns1.ccmturbo.com at 69.9.147.35
> and ns2.ccmturbo.com at 69.9.147.36
>
> But... two interesting things. From a different network I can find
> that childcaremanager.com actually is an A record to the 147.35
> address. AND... the ns2 address does not respond. In fact, if I try
> to ping it from both the other network and here I get:
>
> hobbes% ping 69.9.147.36
> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
> 36)
> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
> 36)
> ICMP Time exceeded in transit from unused.mind.net (69.9.134.158)
> for icmp from hobbes.dtcc.edu (138.123.12.101) to unused.mind.net (69.9.147.
> 36)
>
> (and doing a traceroute, I see there's some odd routing loop where it bangs
> around two different addresses near it until the TTL expires. Again, from
> both networks.)
>
> But for ns1 I get:
>
> Chobbes% ping 69.9.147.35
> 69.9.147.35 is alive
>
> And... the upshot is, any nslookups I try seem to blackhole. For
> whatever reason all of our nameservers seem to get hung up if that
> second ns isn't working. Cause if I do a lookup directly via ns1 I can
> get an answer:
>
> ; <<>> DiG 9.2.8-P1 <<>> @ns1.ccmturbo.com. www.childcaremanager.com. any
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;www.childcaremanager.com. IN ANY
>
> ;; ANSWER SECTION:
> www.childcaremanager.com. 0 IN CNAME childcaremanager.com.
>
> ;; ADDITIONAL SECTION:
> childcaremanager.com. 3600 IN A 69.9.147.35
>
> ;; Query time: 104 msec
> ;; SERVER: 69.9.147.35#53(69.9.147.35)
> ;; WHEN: Mon May 5 09:52:54 2008
> ;; MSG SIZE rcvd: 72
>
> Ideas? Why do nameservers on another network (also BIND of various
> semi-recent vintage) seem to be able to resolve this but mine seem to
> blackhole on it? We're running BIND 9.4.2 and some 9.2.8-P1 on unix
> (solaris 10 and 9) here. I've googled, searched Sun and sunmanagers and
> come up empty.
>
> I did find one reference from back when Solaris ran 4.x BIND about the
> resolver only looking at one NS it got back but that was claimed to be
> solved by using 'modern' sources.... Which one would think these are...
>
> ???
>
> Tnx,
>
> Bob
>
> --
> ---------------------------------------------------------------------_------
> |Bob Rahe, MIEEE, bob at dtcc.edu (RWR50) / ASCII ribbon campaign ( ) |
> |Delaware Technical & Community College / - against HTML email X |
> |Computer Center, Dover, Delaware / & vCards / \ |
> ----------------------------------------------------------------------------
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
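
The two dig runs at the top of this message differ only in the source port (`-b 0.0.0.0#53` versus an OS-chosen port). The following is an added example, not part of the original post, that makes the same comparison from a script; the function names and the verdict strings are hypothetical, and it sends non-recursive A queries over IPv4 UDP only.

```python
import os
import socket
import struct
import sys

def build_query(name, qid, rd=False):
    """Encode a minimal A/IN query; rd=False matches dig's +norec."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def probe(server, name, src_port=0, server_port=53,
          bind_addr="0.0.0.0", timeout=3.0):
    """Send one query from src_port (0 = OS-chosen ephemeral port).
    Return the reply's RCODE, or None if no matching reply arrives."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, src_port))  # port 53 needs root, as with dig -b
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, server_port))
        try:
            while True:
                data, _ = sock.recvfrom(4096)
                if len(data) < 12:
                    continue  # too short to be a DNS header
                rid, flags = struct.unpack("!HH", data[:4])
                if rid == qid and flags & 0x8000:  # our ID, QR bit set
                    return flags & 0x000F
        except socket.timeout:
            return None

def diagnose(server, name, fixed_port=53, **kw):
    """Compare a fixed-source-port query with an ephemeral-port one."""
    fixed = probe(server, name, src_port=fixed_port, **kw)
    ephemeral = probe(server, name, src_port=0, **kw)
    if fixed is None and ephemeral is not None:
        verdict = "source-port filtered"
    elif fixed is None and ephemeral is None:
        verdict = "unreachable"
    else:
        verdict = "reachable"
    return {"fixed": fixed, "ephemeral": ephemeral, "verdict": verdict}

if __name__ == "__main__":
    # usage: script.py <server> <name>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A "source-port filtered" verdict corresponds to the pattern in the dig output above: the query from port 53 times out while the same query from an ephemeral port is answered.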