connection timed out; no servers could be reached

Bill Landry bill at inetmsg.com
Sun Mar 8 01:44:33 UTC 2009


Hi list,

I have to admit that I am a bit baffled by this one.  I can query
against my bandwidth provider's name servers (Comcast) and get name
resolution just fine for the hostname www.malware.com.br:

dig @68.87.78.130 www.malware.com.br +short
server10.hiperlinks.com.br.
66.79.164.43

dig @68.87.85.98 www.malware.com.br +short
server10.hiperlinks.com.br.
66.79.164.43

dig @68.87.69.146 www.malware.com.br +short
server10.hiperlinks.com.br.
66.79.164.43

Full response for www.malware.com.br:
www.malware.com.br.  85091  IN  CNAME  server10.hiperlinks.com.br.
server10.hiperlinks.com.br.  84478  IN  A  66.79.164.43

I can resolve the cname from Comcast's name servers, as well:

dig @68.87.69.146 server10.hiperlinks.com.br +short
66.79.164.43

However, when I attempt to resolve it from my own name servers, I get:

dig www.malware.com.br

; <<>> DiG 9.5.1-P1-RedHat-9.5.1-1.P1.fc10 <<>> www.malware.com.br
;; global options:  printcmd
;; connection timed out; no servers could be reached

A tshark packet capture sees this:
  1   3.362200  10.20.30.25 -> 192.228.79.201 DNS Standard query A www.malware.com.br
  2   3.405447 192.228.79.201 -> 10.20.30.25  DNS Standard query response
  3   3.406198  10.20.30.25 -> 200.160.0.10 DNS Standard query A www.malware.com.br
  4   3.639178 200.160.0.10 -> 10.20.30.25  DNS Standard query response
  5   3.639707  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
  6   4.440080  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
  7   5.240344  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
  8   6.040619  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
  9   6.840736  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
 10   7.815988  10.20.30.25 -> 161.53.3.7   DNS Standard query PTR 130.6.53.161.in-addr.arpa
 11   8.024571   161.53.3.7 -> 10.20.30.25  DNS Standard query response
 12   8.440845  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
 13  10.041156  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
 14  13.241255  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
 15  16.441690  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br

I can't seem to get the "A" record back.  However, I can ping the IP
address associated with www.malware.com.br (and the cname):

ping 66.79.164.43
PING 66.79.164.43 (66.79.164.43) 56(84) bytes of data.
64 bytes from 66.79.164.43: icmp_seq=1 ttl=52 time=35.2 ms
64 bytes from 66.79.164.43: icmp_seq=2 ttl=52 time=35.1 ms
64 bytes from 66.79.164.43: icmp_seq=3 ttl=52 time=35.6 ms

and http://66.79.164.43 to the web site works fine, as well.

So I decided to add this forwarder to my named.conf:

zone "malware.com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
};

Now tshark sees this:

  1   0.000000  10.20.30.25 -> 68.87.78.130 DNS Standard query A www.malware.com.br
  2   0.026561 68.87.78.130 -> 10.20.30.25  DNS Standard query response CNAME server10.hiperlinks.com.br A 66.79.164.43
  3   0.028011  10.20.30.25 -> 198.41.0.4   DNS Standard query A server10.hiperlinks.com.br
  4   0.063503   198.41.0.4 -> 10.20.30.25  DNS Standard query response
  5   0.064289  10.20.30.25 -> 200.219.154.10 DNS Standard query A server10.hiperlinks.com.br
  6   0.094948 200.219.154.10 -> 10.20.30.25  DNS Standard query response
  7   0.095515  10.20.30.25 -> 207.210.65.98 DNS Standard query A server10.hiperlinks.com.br
  8   0.895835  10.20.30.25 -> 207.210.106.74 DNS Standard query A server10.hiperlinks.com.br
  9   1.695917  10.20.30.25 -> 207.210.65.98 DNS Standard query A server10.hiperlinks.com.br
 10   2.496138  10.20.30.25 -> 207.210.106.74 DNS Standard query A server10.hiperlinks.com.br
 11   3.296429  10.20.30.25 -> 207.210.65.98 DNS Standard query A server10.hiperlinks.com.br
 12   4.896444  10.20.30.25 -> 207.210.106.74 DNS Standard query A server10.hiperlinks.com.br
 13   6.496551  10.20.30.25 -> 207.210.65.98 DNS Standard query A server10.hiperlinks.com.br
 14   9.696652  10.20.30.25 -> 207.210.106.74 DNS Standard query A server10.hiperlinks.com.br
 15  12.896772  10.20.30.25 -> 207.210.65.98 DNS Standard query A server10.hiperlinks.com.br
 16  19.296915  10.20.30.25 -> 207.210.106.74 DNS Standard query A server10.hiperlinks.com.br

Can't get the "A" record back from the cname (same IP as the hostname,
so that doesn't surprise me).

So I add this forwarder to my named.conf, as well:

zone "hiperlinks.com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
};

And now I can get full name resolution.  Now tshark sees this:

  1   0.000000  10.20.30.25 -> 68.87.69.146 DNS Standard query A www.malware.com.br
  2   0.019721 68.87.69.146 -> 10.20.30.25  DNS Standard query response CNAME server10.hiperlinks.com.br A 66.79.164.43
  3   0.021319  10.20.30.25 -> 68.87.85.98  DNS Standard query A server10.hiperlinks.com.br
  4   0.060083  68.87.85.98 -> 10.20.30.25  DNS Standard query response A 66.79.164.43

Beautiful!  Taking both of the forwards out and placing this one in
named.conf works as well:

zone "com.br" IN {
        type forward;
        forward only;
        forwarders { 68.87.69.146; 68.87.85.98; 68.87.78.130; };
};

But I'm still wondering why I can't seem to get name resolution for
www.malware.com.br myself?  I run SpamAssassin, rsync, http, ftp, smtp,
imap on this server as well, and this is the only hostname I have found
that I cannot resolve myself.

Why can my ISP, Comcast, resolve the host name but I can't?  Any
explanation would be greatly appreciated, and any suggestion on how to
resolve this without using forwarders would be nice too.

Thanks!

Bill
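
Added example (not part of the original post): a shell/awk tally of the tshark summary output above, counting per remote server how many queries the resolver sent and how many responses came back, so the servers that never answer stand out. The function names are hypothetical, and the sample input is the first nine frames of the first capture in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input: tshark one-line summaries, "<no> <time> <src> -> <dst> DNS Standard query ..."
# $1 is the resolver's own address (10.20.30.25 in the post).
# Continuation lines from e-mail wrapping (a bare name) have no "->" and are skipped.

dns_server_summary() {
    awk -v me="$1" '
        $4 != "->" || $6 != "DNS" { next }        # not a DNS summary line
        $3 == me && !/query response/ {           # query sent by the resolver
            if (!($5 in asked)) order[++n] = $5   # remember first-seen order
            asked[$5]++
            next
        }
        $5 == me && /query response/ { answered[$3]++ }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                printf "%s queries=%d responses=%d %s\n", s, asked[s], \
                       answered[s], (answered[s] ? "ok" : "SILENT")
            }
        }'
}

# Only the servers that were queried and never replied.
silent_servers() {
    dns_server_summary "$1" | awk '$4 == "SILENT" { print $1 }'
}

# Frames 1-9 of the first capture in the post, wrapped lines joined.
sample_capture() {
    cat <<'EOF'
  1   3.362200  10.20.30.25 -> 192.228.79.201 DNS Standard query A www.malware.com.br
  2   3.405447 192.228.79.201 -> 10.20.30.25  DNS Standard query response
  3   3.406198  10.20.30.25 -> 200.160.0.10 DNS Standard query A www.malware.com.br
  4   3.639178 200.160.0.10 -> 10.20.30.25  DNS Standard query response
  5   3.639707  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
  6   4.440080  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
  7   5.240344  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
  8   6.040619  10.20.30.25 -> 207.210.106.74 DNS Standard query A www.malware.com.br
  9   6.840736  10.20.30.25 -> 207.210.65.98 DNS Standard query A www.malware.com.br
EOF
}

sample_capture | dns_server_summary 10.20.30.25
```

On a live capture the same function can read saved tshark output on stdin; only frames to or from the address passed as $1 are counted.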


