Client cannot resolve communities.intel.com

Mark Andrews marka at isc.org
Tue Jul 5 03:56:11 UTC 2011


In message <d4cab5be198fc64c3c372271709f4b83 at prod.iotk.net>, vr writes:
>  Hello,
> 
>  I am trying to visit "http://communities.intel.com" using Iceweasel on 
>  a Debian desktop PC. No proxies.
> 
>  My clients etc/resolv.conf point to my own Debian BIND 9.7.3 installed 
>  on a separate server and installed from distribution packages (bind9  
>  1:9.7.3.dfsg-1~squeeze2).
> 
>  From myDesktop, NSLOOKUP fails but DIG shows a CNAME record. I see the 
>  same results from the BIND server so I've included just the output from 
>  myDesktop below. Also included below is my named.conf.

The answers are consistent.  Nslookup searches and doesn't stop on
NODATA and it doesn't cope with a CNAME + referral response which
it interprets as a NODATA response.
 
>  Do I have something obvious in BIND screwed up? Or is my client/browser 
>  broken? Or...?

Your allow-recursion acl is not broad enough.

>  ----------------------------------------------------------
> 
>  me at myDesktop:~$ nslookup communities.intel.com ns.iotk.net
>  Server:         ns.iotk.net
>  Address:        99.30.25.1#53
> 
>  ** server can't find communities.intel.com: NXDOMAIN
> 
>  ----------------------------------------------------------
> 
>  me at myDesktop:~$ dig communities.intel.com ns.iotk.net

Please learn how to drive dig.  You wanted to do:

	dig communities.intel.com @ns.iotk.net

>  ; <<>> DiG 9.6-ESV-R3 <<>> communities.intel.com ns.iotk.net
>  ;; global options: +cmd
>  ;; Got answer:
>  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7908
>  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

The resolver is pointing at a nameserver that doesn't offer recursion
to this client (no "ra" in the flags section).

>  ;; QUESTION SECTION:
>  ;communities.intel.com.         IN      A
> 
>  ;; ANSWER SECTION:
>  communities.intel.com.  207     IN      CNAME   intel-2.hs.llnwd.net.
> 
>  ;; AUTHORITY SECTION:
>  llnwd.net.              604800  IN      SOA     localhost. root.localhost. 2008071301 604800 86400 2419200 604800
> 
>  ;; Query time: 2 msec
>  ;; SERVER: 99.30.25.1#53(99.30.25.1)
>  ;; WHEN: Mon Jul  4 22:51:42 2011
>  ;; MSG SIZE  rcvd: 123
> 
>  named.conf on 99.30.25.1
> 
>      controls {
>          inet 127.0.0.1 port 953
>          allow { 127.0.0.1; } keys { "rndc-key"; };
>      };
> 
>      acl "iotk" {
>          127.0.0.1;              // localhost
>          99.30.25.0/29;          // static range
>          !192.168.0.254;         // not the router
>          192.168.0.0/24;         // internal network
>          10.10.10.0/8;           // backup network
>      };
> 
>      options {
>          directory "/etc/bind/";
>                  listen-on { 99.30.25.1; };
>                  allow-recursion { iotk; };              // ddos prevention
>                  interface-interval 0;                   // no dynamic ifaces
>          //      allow-query { iotk; };                  // this limits ALL zones
>                  allow-transfer { iotk; };               // this limits ALL zones
>                  transfer-format many-answers;           // faster transfers
>                  version "DNS Server";                   // hides BIND version
>                  statistics-file "/var/log/bind/stats.log";
>                  auth-nxdomain yes;
>          };
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
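
Added example, not part of the original message: the reply reads recursion availability from the "ra" flag in dig's header line, and this sketch decodes the same flags from the 12-byte DNS wire header (RFC 1035, section 4.1.1). Both sample headers are constructed, the first from the header values printed in the quoted dig output; the function names are hypothetical.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid, qtype=1, recurse=True):
    """Build a minimal query (default type A, class IN); RD is set if recurse."""
    header = struct.pack("!HHHHHH", qid, RD if recurse else 0, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    bits = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))
    names = [name for name, bit in bits if flags & bit]
    rcode = flags & 0x000F
    return {"id": qid, "flags": names, "status": RCODES.get(rcode, str(rcode)),
            "counts": (qd, an, ns, ar)}


def recursion_offered(msg):
    """True only for a response (QR set) that also has the RA bit set."""
    flags = parse_header(msg)["flags"]
    return "qr" in flags and "ra" in flags


# Constructed headers (not captured traffic).
# 1) Header values as printed in the quoted dig output:
#    id 7908, flags qr aa rd ra, status NXDOMAIN, counts 1/1/1/0.
QUOTED = struct.pack("!HHHHHH", 7908, QR | AA | RD | RA | 3, 1, 1, 1, 0)
# 2) A server that does not offer recursion to this client: RD echoed, RA clear.
NO_RECURSION = struct.pack("!HHHHHH", 7908, QR | RD, 1, 1, 1, 0)

if __name__ == "__main__":
    for label, msg in (("quoted", QUOTED), ("no recursion", NO_RECURSION)):
        print(label, parse_header(msg), "recursion offered:", recursion_offered(msg))
```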


