Host would occasionally fail to resolve A's rec. Help!
Kevin Darcy
kcd at chrysler.com
Tue Sep 30 00:16:24 UTC 2008
Johnny wrote:
> Hi:
>
> My mail server would occasionally complain that the name server is not
> resolving a particular mx record's A record.
>
> (Name server: tamarindart.com.inbound10.mxlogic.net: host not found)
>
> How do I go about debugging this? 99.9% it resolves without problem.
>
> Solaris 2.8/Bind 9.2.2
>
Well, if I were more of a smartass, I'd suggest that maybe the reason
for your query failures is that someone has poisoned your cache. BIND
9.2.2 is vulnerable to the awful "Kaminsky" exploit that has been
publicized heavily in the last few months. See the ISC website
(www.isc.org), BIND section, for information about the vulnerability,
and the minimum recommended versions in order to mitigate the risk.

In truth, however, I think you're probably running into a timeout issue.
The A records for the tamarindart.com MX-record targets are in a
different TLD than the domain itself -- .net as opposed to .com -- and
in a relatively-obscure domain. The nameservers for tamarindart.com are
(therefore) not giving out A records for the MX targets, thus forcing
the resolver to go and fetch those itself, possibly all the way up to
the root and following back down through .net. All that fetching can
take time. My initial query, over a pretty fast connection and
lightly-loaded resolver, took over 4 seconds to resolve the MX.

You might want to adjust your resolver timeout settings, if your mail
software allows you to do that. If not, you might be able to tweak the
timeouts/retries using "options" in /etc/resolv.conf (IIRC Solaris 8
supported /etc/resolv.conf options), in the hopes that multiple quick
queries might have more chance of getting the answer before the mail
software's query times out.

- Kevin
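
Added example, not part of the original message or of BIND: a small Python check that reads an MX response in dig's text layout and lists the MX targets for which no address record came back, so the resolver has to make a separate lookup as described in the reply above. The sample response, the second MX host, the preference values and the address are constructed for illustration; only the zone name and the mxlogic.net target come from the thread.

```python
# Constructed sample in dig's text layout; record values are illustrative.
SAMPLE_DIG = """\
;; ANSWER SECTION:
tamarindart.com.  3600 IN MX 10 tamarindart.com.inbound10.mxlogic.net.
tamarindart.com.  3600 IN MX 20 mail.tamarindart.com.

;; ADDITIONAL SECTION:
mail.tamarindart.com.  3600 IN A 192.0.2.25
"""


def parse_sections(text):
    """Return {section name: [record field lists]} from dig text output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip()
            sections[current] = []
        elif line and not line.startswith(";") and current:
            sections[current].append(line.split())
    return sections


def in_zone(name, zone):
    """True when name equals zone or is a label-aligned subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def mx_followups(text, zone):
    """List (preference, target, reason) for MX targets sent without an address."""
    sections = parse_sections(text)
    have_addr = {r[0].lower() for r in sections.get("ADDITIONAL", [])
                 if r[3] in ("A", "AAAA")}
    out = []
    for _owner, _ttl, _cls, rtype, *rdata in sections.get("ANSWER", []):
        if rtype != "MX":
            continue
        pref, target = int(rdata[0]), rdata[1].lower()
        if target not in have_addr:
            reason = ("in zone, no address sent" if in_zone(target, zone)
                      else "outside zone")
            out.append((pref, target, reason))
    return sorted(out)


if __name__ == "__main__":
    for pref, target, reason in mx_followups(SAMPLE_DIG, "tamarindart.com"):
        print(f"MX {pref} {target}: needs its own A lookup ({reason})")
```

Note that the mxlogic.net target begins with the string tamarindart.com but is not inside that zone, which is why the comparison is done on the trailing labels rather than with a substring match.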