Re: BIND9 fails resolving after connecting to VPN

kapetr kapetr at mizera.cz
Tue Apr 12 08:33:57 UTC 2011


Hello,

Kevin Darcy <kcd at chrysler.com> WROTE:

> > Do you think that this VPN provider
> > - blocks direct (not recursive) DNS questions
> > and
> > - manipulates recursive queries? [catches them, makes the query itself and
> >   answers with a manipulated server IP]
> >
> > ???
> None of your queries were non-recursive (you'd need "+norec" on your dig
> command line for that), so I wouldn't jump to the conclusion that
> non-recursive queries are being blocked.

I meant queries from my local BIND, not from the dig command.

> 
> What's more likely happening is that *all* of your queries are being
> transparently redirected to a recursive resolver. Although, I'd be curious
> to see what responses you get if you actually generate non-recursive
> queries (with the "+norec").
> 

I have tried it. Unfortunately ...

I got normal answers (from a DNS server on the Internet, which was
accessed over the new default route == over the VPN) even with
+norecurse or +trace. These non-recursive queries went over the VPN
and I got normal answers. :-(

I hope/think we are on the right way to solve the problem ...

But the only one that goes crazy is still the local BIND.
Recursive and non-recursive queries go over the VPN without problems.
I have followed that in Wireshark, and the routing and source addresses
seem to be OK.


> If it's redirecting non-recursive queries to some caching nameserver,
> then that probably explains why named goes stupid when the VPN is up,
> since it won't be able to use the non-authoritative answers it sees.


As I wrote in my previous post, there must be something ..., because the
root server gave a recursive answer while on the VPN and not during a normal
direct connection to the Internet.

But about the non-recursive queries ... see above.


> 
> - Kevin

Any other ideas?

Thanks

--kapetr
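
The check discussed in this thread (send a non-recursive query to a root server and see whether the reply is a referral or a cached, non-authoritative answer) comes down to reading the DNS header flags of the reply. The following is an added example, not code from the thread or from BIND; the function names are hypothetical and the two sample packets are constructed, header-only byte strings.

```python
import struct

# Header flag bits from RFC 1035, section 4.1.1
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def interception_signs(packet: bytes) -> list:
    """Reasons a reply to a +norec query sent to a root server looks redirected.

    Assumption: the query name is below a TLD (e.g. www.example.com), so a
    real root server returns a referral: RA=0, AA=0, no answers, NS records.
    """
    h = parse_header(packet)
    if not h["qr"]:
        return ["not a response"]
    signs = []
    if h["ra"]:
        signs.append("RA set: root servers do not offer recursion")
    if h["ancount"] and not h["aa"]:
        signs.append("non-authoritative answer where a referral was expected")
    return signs

def sample(flags: int, ancount: int, nscount: int) -> bytes:
    """Constructed header-only sample; the record sections are omitted."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)

REFERRAL = sample(QR, 0, 13)         # shape of a genuine root referral
REDIRECTED = sample(QR | RA, 1, 0)   # shape of a caching resolver's reply

if __name__ == "__main__":
    for name, pkt in (("referral", REFERRAL), ("redirected", REDIRECTED)):
        print(name, interception_signs(pkt) or "looks like a root referral")
```

The same flags appear in the `flags:` line of dig output and in Wireshark's DNS dissector, so the comparison can be made by eye between a capture taken with the VPN up and one taken without it.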




More information about the bind-users mailing list