Unavailable Domains?

Mark Andrews Mark_Andrews at isc.org
Fri Nov 14 14:01:31 UTC 2008


In message <1226654628.8420.23.camel at pcbvd.liv.ac.uk>, "Dean, Barry" writes:
> I have 3 domain names that I cannot resolve recursively from my DNS
> servers. The problem exists inside my institution and not from outside.
> I can resolve what I need just fine from a Broadband connection.
> One domain is bjmu.edu.cn, I cannot resolve the MX records (or any
> others for that matter). If I use "dig +norecurse ... ns" and start by
> looking up ".", then "cn.", then "edu.cn." etc using "@server" and
> trying each and every server at each level, it works.


	There is a firewall sitting in front of the servers for
	bjmu.edu.cn that is blocking traffic from port 53.

	Now your nameserver is most probably configured to use
	port 53 for outgoing queries.  You should remove that
	configuration setting and also ensure you are running
	a named version that randomises the source port of the
	UDP queries.
	
# tcpdump -n -p -i sis0 port 53
tcpdump: listening on sis0
00:47:27.635123 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:32.659537 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:37.686114 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:46.250371 211.30.172.21.54528 > 202.112.176.3.53:  18927 A? bjmu.edu.cn. (29)
00:47:46.668713 202.112.176.3.53 > 211.30.172.21.54528:  18927*- 0/1/0 (75) (DF)
00:48:38.725516 211.30.172.21.53764 > 202.112.176.2.53:  63872 A? bjmu.edu.cn. (29)
00:48:39.167496 202.112.176.2.53 > 211.30.172.21.53764:  63872 ServFail- 0/0/0 (29) (DF)
00:48:56.318131 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)
00:49:01.343112 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)
00:49:06.371612 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)

> I also have a problem with iop.kcl.ac.uk, again non-recursive queries
> all along the chain work a treat, but as soon as you do "dig
> iop.kcl.ac.uk" you get ";; connection timed out; no servers could be
> reached" like the one above.

	Same thing here.
 
00:53:47.680993 211.30.172.21.62348 > 194.83.138.2.53:  54217 [1au] A? dns2.iop.kcl.ac.uk. (47)
00:53:47.990109 194.83.138.2.53 > 211.30.172.21.62348:  54217*- 1/0/1 A 194.83.138.2 (63) (DF)
00:53:48.001195 211.30.172.21.61567 > 194.83.138.2.53:  37740 [1au] AAAA? dns2.iop.kcl.ac.uk. (47)
00:53:48.309182 194.83.138.2.53 > 211.30.172.21.61567:  37740*- 0/1/1 (99) (DF)
00:53:48.320233 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)
00:53:53.351184 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)
00:53:58.379721 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)

> Finally I have an issue with ads.ahds.ac.uk, same error ";; connection
> timed out; no servers could be reached".
> 
> This last one is complicated by the fact that just one of my DNS
> servers, the outward facing dns0.liv.ac.uk is a slave for this one, so
> it *can* resolve names in that domain.
> 
> I have contacted the hostmasters at the various places that master these
> domains and they all confirm that they are working fine.

	I suggest that you re-contact them and tell them that they
	really need to fix their firewalls.  There will still be
	a lot of sites like yours that send queries from port 53.

	Filtering on source port is a stupid idea.

	Mark
 
> I have tried debug mode and query logging on a recursive name server and
> get no useful clues, I just see the query and the fact that it times
> out.
> 
> I have tried "+trace" on dig and that causes the queries to work!
> 
> I am completely stumped...
> 
> Is it my servers? If so what do I have to do to them?
> 
> Any clues would be welcomed as I am going out of my tree with this!
> 
> -- 
> Barry Dean
> Network Programmer
> Computing Services Department
> University of Liverpool
> Email: B.Dean <at> liverpool.ac.uk, Web: http://pcwww.liv.ac.uk/~bvd/ 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
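The pattern Mark points at in the captures above (queries sent from source port 53 are retransmitted and never answered, while the same query from an ephemeral port gets a reply) can be confirmed mechanically rather than by eye. The following is an added example, not code from the post or from ISC: it parses tcpdump lines in the format shown above, pairs each query with its reply by (resolver address, source port, server address, transaction ID), and reports which flows went unanswered and whether source port 53 is the common factor. It also checks a named.conf fragment for a query-source directive that pins the port. The packet lines are the ones from the post; the named.conf fragments are constructed for the example and are not the University of Liverpool's configuration.

```python
import re
from collections import OrderedDict

# Packet lines copied from the tcpdump output in the post above
# (resolver 211.30.172.21 talking to the bjmu.edu.cn and iop.kcl.ac.uk servers).
CAPTURE = """\
00:47:27.635123 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:32.659537 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:37.686114 211.30.172.21.53 > 202.112.176.3.53:  56874 A? bjmu.edu.cn. (29)
00:47:46.250371 211.30.172.21.54528 > 202.112.176.3.53:  18927 A? bjmu.edu.cn. (29)
00:47:46.668713 202.112.176.3.53 > 211.30.172.21.54528:  18927*- 0/1/0 (75) (DF)
00:48:38.725516 211.30.172.21.53764 > 202.112.176.2.53:  63872 A? bjmu.edu.cn. (29)
00:48:39.167496 202.112.176.2.53 > 211.30.172.21.53764:  63872 ServFail- 0/0/0 (29) (DF)
00:48:56.318131 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)
00:49:01.343112 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)
00:49:06.371612 211.30.172.21.53 > 202.112.176.2.53:  14156 A? bjmu.edu.cn. (29)
00:53:47.680993 211.30.172.21.62348 > 194.83.138.2.53:  54217 [1au] A? dns2.iop.kcl.ac.uk. (47)
00:53:47.990109 194.83.138.2.53 > 211.30.172.21.62348:  54217*- 1/0/1 A 194.83.138.2 (63) (DF)
00:53:48.001195 211.30.172.21.61567 > 194.83.138.2.53:  37740 [1au] AAAA? dns2.iop.kcl.ac.uk. (47)
00:53:48.309182 194.83.138.2.53 > 211.30.172.21.61567:  37740*- 0/1/1 (99) (DF)
00:53:48.320233 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)
00:53:53.351184 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)
00:53:58.379721 211.30.172.21.53 > 194.83.138.2.53:  45872 A? iop.kcl.ac.uk. (31)
"""

# "<ts> <src-ip>.<src-port> > <dst-ip>.<dst-port>:  <txid><rest>" (old tcpdump style)
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+'
    r'(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+'
    r'(?P<id>\d+)(?P<rest>.*)$'
)
# A query carries "<TYPE>? <name>"; replies carry flags and section counts instead.
QUERY_RE = re.compile(r'\b[A-Z0-9]+\?\s')


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['sport'], d['dport'], d['id'] = int(d['sport']), int(d['dport']), int(d['id'])
    d['is_query'] = QUERY_RE.search(d['rest']) is not None
    return d


def match_queries(text):
    """Pair queries with replies.

    Returns an OrderedDict keyed by (resolver_ip, src_port, server_ip, txid)
    with {'attempts': retransmission count, 'answered': bool}. A ServFail is
    still a reply: the server was reached, which is what matters here.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p['is_query']:
            key = (p['sip'], p['sport'], p['dip'], p['id'])
            flows.setdefault(key, {'attempts': 0, 'answered': False})['attempts'] += 1
        else:
            # Reverse the addresses so the reply lands on its query's key.
            key = (p['dip'], p['dport'], p['sip'], p['id'])
            if key in flows:
                flows[key]['answered'] = True
    return flows


def unanswered_fixed_port(flows, fixed_port=53):
    """Flows sent from the pinned source port that never got a reply."""
    return [k for k, v in flows.items() if k[1] == fixed_port and not v['answered']]


def reply_rate_by_port_class(flows, fixed_port=53):
    """{'fixed': (flows, answered), 'ephemeral': (flows, answered)}."""
    stats = {'fixed': [0, 0], 'ephemeral': [0, 0]}
    for k, v in flows.items():
        cls = 'fixed' if k[1] == fixed_port else 'ephemeral'
        stats[cls][0] += 1
        stats[cls][1] += int(v['answered'])
    return {c: tuple(n) for c, n in stats.items()}


# The configuration side of the fix: a query-source directive that pins the
# port defeats source-port randomisation. Constructed fragments, not real ones.
QUERY_SOURCE_RE = re.compile(r'\bquery-source(?:-v6)?\s+([^;]*);')
BAD_CONF = 'options {\n    directory "/var/named";\n    query-source address * port 53;\n};\n'
GOOD_CONF = 'options {\n    directory "/var/named";\n    query-source address *;\n};\n'


def fixed_query_source_ports(named_conf):
    """Ports pinned by query-source / query-source-v6 ('port *' is fine)."""
    pinned = []
    for m in QUERY_SOURCE_RE.finditer(named_conf):
        pm = re.search(r'\bport\s+(\S+)', m.group(1))
        if pm and pm.group(1) != '*':
            pinned.append(int(pm.group(1)))
    return pinned


if __name__ == '__main__':
    flows = match_queries(CAPTURE)
    for key in unanswered_fixed_port(flows):
        print('unanswered from port %d: server %s txid %d (%d attempts)'
              % (key[1], key[2], key[3], flows[key]['attempts']))
    print('reply rate by port class:', reply_rate_by_port_class(flows))
    print('pinned query-source ports in BAD_CONF:', fixed_query_source_ports(BAD_CONF))
```

Run against the capture, every flow from port 53 is unanswered after three attempts and every ephemeral-port flow is answered, which is the source-port filter Mark describes. The same pairing works on a live "tcpdump -n port 53" from the recursive server: if the unanswered flows all share source port 53, look for the query-source line in named.conf before blaming the remote zone.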

