Unable to resolve several hosts

Baird, Josh jbaird at follett.com
Tue Jun 29 22:16:08 UTC 2010


Ok, so I answered my own question.  It was indeed our ASAs at the
border.

Thanks,

Josh

-----Original Message-----
From: bind-users-bounces+jbaird=follett.com at lists.isc.org
[mailto:bind-users-bounces+jbaird=follett.com at lists.isc.org] On Behalf
Of Baird, Josh
Sent: Tuesday, June 29, 2010 4:55 PM
To: bind-users at lists.isc.org
Subject: Unable to resolve several hosts

Hi,

We have clients that have started to report that they are not able to
resolve certain hosts from our recursing/caching resolvers (BIND
9.3.6-4/EL5).  I am wondering if this has something to do with EDNS or
the DNSSEC rollout to root servers on May 5th... or perhaps with our
Cisco ASAs at the edge of these resolvers (DNS Inspection, etc).  Two
of these hostnames in particular are noaa.gov and www.arcytech.org:

$ dig www.noaa.gov +trace @fc-wmdns1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.noaa.gov +trace @fc-wmdns1
;; global options:  printcmd
.                       518353  IN      NS      k.root-servers.net.
.                       518353  IN      NS      l.root-servers.net.
.                       518353  IN      NS      m.root-servers.net.
.                       518353  IN      NS      a.root-servers.net.
.                       518353  IN      NS      b.root-servers.net.
.                       518353  IN      NS      c.root-servers.net.
.                       518353  IN      NS      d.root-servers.net.
.                       518353  IN      NS      e.root-servers.net.
.                       518353  IN      NS      f.root-servers.net.
.                       518353  IN      NS      g.root-servers.net.
.                       518353  IN      NS      h.root-servers.net.
.                       518353  IN      NS      i.root-servers.net.
.                       518353  IN      NS      j.root-servers.net.
;; Received 500 bytes from 172.26.128.175#53(172.26.128.175) in 1 ms

;; connection timed out; no servers could be reached

--

Looking at the query log on FC-WMDNS1, I see:

29-Jun-2010 16:35:39.386 queries: info: client 172.26.101.56#44428: query: . IN NS -

--

There is no firewall between the machine that I ran dig on, and the
FC-WMDNS1 resolver.  

I'm not sure if this is relevant, but the resolver does support EDNS0:

$ dig @fc-wmdns1 +noall +comments +bufsize=1 query
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

--

Would someone mind giving me a hand in determining what is happening
here?  I'd be happy to provide more data if necessary.

Thanks,

Josh