host unreachable. -- a bit more info

David Sparro dsparro at gmail.com
Mon Jan 10 22:54:38 UTC 2011


On 1/10/2011 2:04 PM, Jay G. Scott wrote:
> On Mon, Jan 10, 2011 at 12:41:48PM -0600, Jay G. Scott wrote:
>>
>> hi,
>>
>> thanks for the replies.  however, i didn't learn much.  i'm more of
>> a network newbie than i thought.
>>
>> but what i can say is this:
>>
>> (repeating the problem)
>> i get zillions of these msgs:
>> Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>>
>> i CAN do an AXFR from 10.4.1.6 to ns2
>> that is,
>> dig @10.4.1.6 arlut.utexas.edu AXFR
>> does give me output.
>>
>> on 10.4.1.6,
>> dig @146.6.211.1 arlut.utexas.edu AXFR
>>
>> ;<<>>  DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3<<>>  @146.6.211.1 arlut.utexas.edu AXFR
>> ; (1 server found)
>> ;; global options:  printcmd
>> ; Transfer failed.
>>
>> now, when i attempt that AXFR, the error message is NOT like
>> the symptom i have.
>>
>> so i conclude that my problem is not AXFR (or IXFR, similar experiment).
>>
>> so what is this msg talking about?
>> Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>>
>> i'm starting to think it might be just an ordinary dns lookup.
>
> heh.  no.  of course not.  suddenly realized that i could test
> that, and, no, that's not it.
>
> so what could it be?
>

If you're getting normal DNS queries from that IP (as well as the zone 
transfers), and there is a stateful firewall in front of it, it could 
still be ordinary queries that end up timing out when your server 
attempts to get an answer from the Internet. The problem would be that 
the state table entry in the firewall times out faster than BIND gives 
up on a query, so by the time your server sends the failure response, 
the firewall has already aged out that connection and blocks the answer.

-- 
Dave
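
Added example, not part of the original message or of BIND: one way to test the explanation above is to pair each "error sending response: host unreachable" line with the query logged from the same client address and port, then compare the delay with the firewall's UDP state timeout. It assumes query logging is enabled and writes "query:" lines in the format shown; the sample lines, the names in them and the 30-second timeout are constructed.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original post); the "query:"
# line format assumes BIND query logging is enabled on the server.
SAMPLE_LOG = """\
Jan 10 12:35:54 ns2 named[3037]: client 10.4.1.6#59926: view internal: query: slow.example.net IN A +
Jan 10 12:35:55 ns2 named[3037]: client 10.4.1.6#40112: view internal: query: www.example.org IN A +
Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
Jan 10 12:36:30 ns2 named[3037]: client 10.4.1.6#51000: view internal: error sending response: host unreachable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<client>[0-9a-fA-F.:]+#\d+): (?:view \S+: )?(?P<msg>.*)$"
)

def parse_ts(ts, year=2011):
    # Syslog timestamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log_text, year=2011):
    """Pair each 'error sending response' line with the latest query from
    the same client address#port and return (client, qname, delay_seconds).
    qname and delay are None when no matching query was logged."""
    pending = {}   # client addr#port -> (timestamp, qname)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"], year)
        client, msg = m["client"], m["msg"]
        if msg.startswith("query: "):
            pending[client] = (when, msg.split()[1])
        elif msg.startswith("error sending response: host unreachable"):
            if client in pending:
                asked, qname = pending.pop(client)
                results.append((client, qname, int((when - asked).total_seconds())))
            else:
                results.append((client, None, None))
    return results

def exceeds_state_timeout(results, fw_udp_timeout):
    """Errors whose query-to-response delay is at least the firewall's UDP
    state timeout (seconds, an assumed value you read from the firewall)."""
    return [r for r in results if r[2] is not None and r[2] >= fw_udp_timeout]
```

Errors that pair with a query and sit at or above the firewall's timeout fit the aged-out state entry explanation; errors with no matching query need a different one.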


