Two DNS Servers inside a firewall

Mark Andrews Mark_Andrews at isc.org
Fri Sep 5 02:24:19 UTC 2008


> I don't believe there is a delegation problem:
> 
> ns1/ns2.isp.net  - which hosts isp.net and customers
> dns1/dns2.isp.net - which hosts customers only 
> 
> what do you think?

	Since you haven't given specific examples I won't guess.
	You have enough information to work this out yourself.

	Mark
 
> Mark Andrews wrote:
> >> FORMERR is strange. Generally speaking, you should not be seeing FORMERR 
> >> in queries between 2 different BIND instances.
> >>
> >> It's looking increasingly to me like a bad NAT/PAT device, mangling your 
> >> packets. Maybe it doesn't understand EDNS0 (?) My next step would 
> >> probably be to run a packet trace/capture, although, on the off-chance 
> >> that it's EDNS0-related, you might try turning that off and see if it 
> >> makes a difference.
> >>
> >>                                                                          
> >>    - Kevin
> >>     
> >
> > 	Named logs FORMERR when it receives an unexpected SOA record
> > 	on a response.
> >
> > 	If you delegate to foo.example.net and the nameserver has
> > 	their own copy of example.net rather than foo.example.net
> > 	you will get unexpected SOA records in the negative
> > 	response.
> >
> > 	Below is an example of such a bad delegation.  The last SOA
> > 	record should be owned by www.lawlink.nsw.gov.au not
> > 	lawlink.nsw.gov.au.  It results in SERVFAIL being returned.
> >
> > 	Mark
> >
> >
> > ; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;www.lawlink.nsw.gov.au.		IN	AAAA
> >
> > ;; Query time: 63 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Fri Sep  5 12:01:30 2008
> > ;; MSG SIZE  rcvd: 40
> >
> > ; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
> > ;; global options:  printcmd
> > .			440024	IN	NS	h.root-servers.net.
> > .			440024	IN	NS	d.root-servers.net.
> > .			440024	IN	NS	g.root-servers.net.
> > .			440024	IN	NS	i.root-servers.net.
> > .			440024	IN	NS	b.root-servers.net.
> > .			440024	IN	NS	l.root-servers.net.
> > .			440024	IN	NS	m.root-servers.net.
> > .			440024	IN	NS	e.root-servers.net.
> > .			440024	IN	NS	f.root-servers.net.
> > .			440024	IN	NS	a.root-servers.net.
> > .			440024	IN	NS	j.root-servers.net.
> > .			440024	IN	NS	c.root-servers.net.
> > .			440024	IN	NS	k.root-servers.net.
> > ;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
> >
> > au.			172800	IN	NS	ns1.audns.net.au.
> > au.			172800	IN	NS	dns1.telstra.net.
> > au.			172800	IN	NS	sec1.apnic.net.
> > au.			172800	IN	NS	sec3.apnic.net.
> > au.			172800	IN	NS	adns1.berkeley.edu.
> > au.			172800	IN	NS	adns2.berkeley.edu.
> > au.			172800	IN	NS	audns.optus.net.
> > au.			172800	IN	NS	aunic.aunic.net.
> > ;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms
> >
> > lawlink.nsw.gov.au.	3600	IN	NS	ns3.uecomm.net.au.
> > lawlink.nsw.gov.au.	3600	IN	NS	ns1.uecomm.net.au.
> > lawlink.nsw.gov.au.	3600	IN	NS	ns2.uecomm.net.au.
> > ;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
> >
> > www.lawlink.nsw.gov.au.	3600	IN	NS	ns1.lawlink.nsw.gov.au.
> > www.lawlink.nsw.gov.au.	3600	IN	NS	ns2.lawlink.nsw.gov.au.
> > ;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
> >
> > lawlink.nsw.gov.au.	86400	IN	SOA	lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
> > ;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
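
Added example (not part of the original post, and not BIND's own code): a small checker that walks `dig +trace` output and reports a negative answer whose SOA owner sits above the last referral, which is the bad-delegation pattern described in the quoted message. The function names are hypothetical; the sample trace is abbreviated from the one quoted above, and the "good" variant is constructed.

```python
# Added example, not ISC/BIND code. Walks `dig +trace` text and reports any SOA
# whose owner sits above the deepest referral seen (the bad delegation case).

def norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def at_or_below(name, zone):
    n, z = norm(name), norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def check_trace(trace_text):
    """Return [(soa_owner, zone_cut)] for each SOA owned above the zone cut."""
    findings = []
    cut = "."  # deepest delegation point seen so far; starts at the root
    for raw in trace_text.splitlines():
        fields = raw.split()
        # Skip blanks, ';;' comment lines and anything that is not a record.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "NS" and at_or_below(owner, cut):
            cut = owner  # a referral moves the zone cut down the tree
        elif rtype == "SOA" and not at_or_below(owner, cut):
            findings.append((norm(owner), norm(cut)))
    return findings

# Abbreviated from the trace quoted in the post (one NS record kept per hop).
BAD_TRACE = """\
. 440024 IN NS h.root-servers.net.
;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
au. 172800 IN NS ns1.audns.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
lawlink.nsw.gov.au. 86400 IN SOA lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
"""

# Constructed: the same trace with the SOA owned by the delegated name.
GOOD_TRACE = BAD_TRACE.replace("lawlink.nsw.gov.au. 86400 IN SOA",
                               "www.lawlink.nsw.gov.au. 86400 IN SOA")

if __name__ == "__main__":
    for soa, cut in check_trace(BAD_TRACE):
        print(f"SOA owner {soa} is above delegated zone {cut}")
```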

