Intermittent NXDOMAIN, Bind 9.2.3 config and PowerDNS problem?

Richard richard.traveling at gmail.com
Mon Jul 27 09:36:29 UTC 2009


Hello list,

I am trying to diagnose an intermittent DNS failure.  I am not sure
where this problem lies; either with my DNS configuration, the ISP
DNS, or the third-party DNS.  I've reviewed RFCs 1034, 1035 and 2181
to gain a better understanding.  I have a hunch what is (possibly)
wrong.

(This problem involves bind, but it's not about bind strictly
speaking.  Is there a general DNS discussion list somewhere?  If so,
please direct me.)


The problem
-----------

Queries of "agences.fr.lastminute.com" against two servers of the
French ISP Free.fr, dns{1,2}.proxad.net, fail occasionally with
NXDOMAIN.
Queries against other nameservers do not fail (repeated many times).

I think there is:

1/ an issue with PowerDNS on the Free.fr resolvers, which is
interacting with
2/ a bad configuration of Bind 9.2.3 for lastminute.com


The diagnosis/info
------------------

Below I've provided queries against Free.fr DNS servers for host
"agences.fr.lastminute.com", followed by queries against the
lastminute.com DNS servers.


Queries of "agences.fr.lastminute.com": success, followed by NXDOMAIN,
success again:

Note: In the query responses, the TTL values jump around, therefore I
am guessing there is load balancing behind dns{1,2}.proxad.net.  I
believe PowerDNS 3.7.1 is running on dns{1,2}.proxad.net.  Perhaps the
NXDOMAIN is being returned, then the information is being added to the
proxad cache, and subsequent queries using a resolver with cached data
succeed?  There is discussion of a similar sounding problem with
PowerDNS 3.1.7 here: http://marc.info/?l=pdns-users&m=121942269602306&w=2




[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61803
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com.	IN	A

;; ANSWER SECTION:
agences.fr.lastminute.com. 188	IN	CNAME	pos1.leadformance.com.
pos1.leadformance.com.	3216	IN	CNAME	www01.leadformance.com.
www01.leadformance.com.	60	IN	A	88.191.95.212

;; Query time: 59 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:16 2009
;; MSG SIZE  rcvd: 111

[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61043
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com.	IN	A

;; ANSWER SECTION:
agences.fr.lastminute.com. 600	IN	CNAME	pos1.leadformance.com.

;; AUTHORITY SECTION:
com.			60	IN	SOA	3dns0.pwg.lastminute.com. hostmaster.
3dns0.pwg.lastminute.com. 4 10800 3600 604800 60

;; Query time: 53 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:19 2009
;; MSG SIZE  rcvd: 132

[localhost ~]$ dig @dns1.proxad.net agences.fr.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> @dns1.proxad.net
agences.fr.lastminute.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52078
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;agences.fr.lastminute.com.	IN	A

;; ANSWER SECTION:
agences.fr.lastminute.com. 580	IN	CNAME	pos1.leadformance.com.
pos1.leadformance.com.	3600	IN	CNAME	www01.leadformance.com.
www01.leadformance.com.	60	IN	A	88.191.95.212

;; Query time: 58 msec
;; SERVER: 212.27.40.240#53(212.27.40.240)
;; WHEN: Mon Jul 27 10:47:23 2009
;; MSG SIZE  rcvd: 111



If I find a lastminute.com DNS server (I think they run Bind 9.2.3),
and query it directly:

[localhost ~]$ host -t ns lastminute.com dns1.proxad.net
Using domain server:
Name: dns1.proxad.net
Address: 212.27.40.240#53
Aliases:

lastminute.com name server 3dns0.pwg.lastminute.com.
lastminute.com name server 3dns1.pct.lastminute.com.


Note: What confuses me in the response below is the AUTHORITY
SECTION.  RFCs 1034 and 1035 indicate it is permissible to return an
SOA record here for negative caching, however it should be for the
domain of the queried name.  Therefore, I would expect to see an SOA
record for "lastminute.com.", not "com." (or, if it is for "com.", then
one of the root servers, not the lastminute server itself).  This
response appears to indicate that 3dns0.pwg.lastminute.com is
authoritative for "com.".

Furthermore, as it rejects recursive queries (makes sense), perhaps it
is confusing the querying server, which then tries to use it (since it's
claimed authority for "com.")?  In any case, I think it would be
preferable to return the helping NS records for
"leadformance.com" (based on the CNAME data).

Is this bind misconfigured, returning to the public the SOA for "com."
as their own lastminute.com server and no NS records?


[localhost ~]$ dig agences.fr.lastminute.com @3dns0.pwg.lastminute.com

; <<>> DiG 9.6.1-RedHat-9.6.1-3.fc11 <<>> agences.fr.lastminute.com
@3dns0.pwg.lastminute.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49649
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;agences.fr.lastminute.com.	IN	A

;; ANSWER SECTION:
agences.fr.lastminute.com. 600	IN	CNAME	pos1.leadformance.com.

;; AUTHORITY SECTION:
com.			60	IN	SOA	3dns0.pwg.lastminute.com. hostmaster.
3dns0.pwg.lastminute.com. 4 10800 3600 604800 60

;; Query time: 51 msec
;; SERVER: 213.86.177.189#53(213.86.177.189)
;; WHEN: Mon Jul 27 11:01:16 2009
;; MSG SIZE  rcvd: 132



Can anyone shed some light on this?  I'm having trouble reaching the
support people for the various networks, but I need to diagnose this
and make suggestions to them and/or work around the problem.

Much thanks!

Regards,
Richard
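The consistency check Richard applies by hand to the AUTHORITY SECTION above, written out as a small stdlib-only Python script; this is an added example, not code from the post, from BIND or from PowerDNS. It parses a dig response (the NXDOMAIN answer from 3dns0.pwg.lastminute.com, reproduced inline with the wrapped SOA line joined) and flags the two oddities discussed: an authoritative SOA for a zone ("com.") the server is not delegated, and an NXDOMAIN asserted for a CNAME target that lies outside the server's own zones. The delegated-zone list is taken from the "host -t ns lastminute.com" output.

```python
import re

# Constructed sample: the NXDOMAIN response from the post, trimmed to the
# sections this check needs (the SOA record is on one line here).
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49649
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;agences.fr.lastminute.com.\tIN\tA
;; ANSWER SECTION:
agences.fr.lastminute.com. 600\tIN\tCNAME\tpos1.leadformance.com.
;; AUTHORITY SECTION:
com.\t\t\t60\tIN\tSOA\t3dns0.pwg.lastminute.com. hostmaster.3dns0.pwg.lastminute.com. 4 10800 3600 604800 60
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")  # owner ttl IN type rdata

def parse_dig(text):
    """Return (status, flags, qname, {section: [(owner, type, rdata)]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([^;]*);", text).group(1).split()
    qname = re.search(r"^;([^;\s]+)\s+IN\s+\w+", text, re.M).group(1)
    section, rrs = None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";") or not line.strip():
            continue
        m = RR.match(line)
        if m and section in rrs:
            rrs[section].append((m.group(1), m.group(3), m.group(4)))
    return status, flags, qname, rrs

def in_zone(name, zone):
    """True if fully-qualified name lies at or below zone."""
    return zone == "." or name == zone or name.endswith("." + zone)

def check_negative_answer(text, delegated_zones):
    """Follow the CNAME chain, then test the NXDOMAIN/SOA against the zones
    the server is actually delegated. Returns (status, final_name, problems)."""
    status, flags, qname, rrs = parse_dig(text)
    final = qname
    for owner, rtype, rdata in rrs["ANSWER"]:
        if rtype == "CNAME" and owner == final:
            final = rdata.split()[0]          # NXDOMAIN refers to this name
    problems = []
    if status == "NXDOMAIN":
        soa_owners = [o for o, t, _ in rrs["AUTHORITY"] if t == "SOA"]
        if not soa_owners:
            problems.append("NXDOMAIN without SOA: resolvers cannot negatively cache it")
        for owner in soa_owners:
            if not in_zone(final, owner):
                problems.append(f"SOA owner {owner} does not contain {final}")
            if "aa" in flags and not any(in_zone(owner, z) for z in delegated_zones):
                problems.append(f"authoritative SOA for {owner} from a server delegated only {delegated_zones}")
        if not any(in_zone(final, z) for z in delegated_zones):
            problems.append(f"NXDOMAIN asserted for {final}, outside the server's delegated zones")
    return status, final, problems

if __name__ == "__main__":
    for p in check_negative_answer(DIG_NXDOMAIN, ["lastminute.com."])[2]:
        print("problem:", p)
```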


