Unable to resolve several hosts

Baird, Josh jbaird at follett.com
Tue Jun 29 21:54:32 UTC 2010


Hi,

We have clients that have started to report that they are not able to
resolve certain hosts from our recursing/caching resolvers (BIND
9.3.6-4/EL5).  I am wondering if this has something to do with EDNS or
the DNSSEC rollout to root servers on May 5th... or perhaps with our
Cisco ASAs at the edge of these resolvers (DNS Inspection, etc.).  Two
of these hostnames in particular are noaa.gov and www.arcytech.org:

$ dig www.noaa.gov +trace @fc-wmdns1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.noaa.gov +trace @fc-wmdns1
;; global options:  printcmd
.                       518353  IN      NS      k.root-servers.net.
.                       518353  IN      NS      l.root-servers.net.
.                       518353  IN      NS      m.root-servers.net.
.                       518353  IN      NS      a.root-servers.net.
.                       518353  IN      NS      b.root-servers.net.
.                       518353  IN      NS      c.root-servers.net.
.                       518353  IN      NS      d.root-servers.net.
.                       518353  IN      NS      e.root-servers.net.
.                       518353  IN      NS      f.root-servers.net.
.                       518353  IN      NS      g.root-servers.net.
.                       518353  IN      NS      h.root-servers.net.
.                       518353  IN      NS      i.root-servers.net.
.                       518353  IN      NS      j.root-servers.net.
;; Received 500 bytes from 172.26.128.175#53(172.26.128.175) in 1 ms

;; connection timed out; no servers could be reached

--

Looking at the query log on FC-WMDNS1, I see:

29-Jun-2010 16:35:39.386 queries: info: client 172.26.101.56#44428: query: . IN NS -

--

There is no firewall between the machine that I ran dig on, and the
FC-WMDNS1 resolver.  

I'm not sure if this is relevant, but the resolver does support EDNS0:

$ dig @fc-wmdns1 +noall +comments +bufsize=1 query
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

--

Would someone mind giving me a hand in determining what is happening
here?  I'd be happy to provide more data if necessary.

Thanks,

Josh


