Recursive queries not working

Kevin Darcy kcd at chrysler.com
Mon Jan 23 22:51:44 UTC 2012


Offhand, it looks like you might have DNSSEC validation turned on (thus 
making responses from the GTLD nameservers bigger than 512 bytes; note 
that all of the GTLD-server responses in that tcpdump have truncation 
flagged), your EDNS0 buffer tuned down to 512 bytes ("edns-udp-size 
512", thus eliminating UDP as an option for those big responses), and 
then something in your network is sending RSTs to every attempt at a 
DNS/TCP connection (thus eliminating TCP as an option too).

Something's gotta give. You can't expect reasonable resolution while all 
3 of those conditions prevail.

Note that your "dig"s don't have +dnssec, +bufsize=xxxxx, or +norec, so 
they're really not an apples-to-apples comparison to what named itself 
is generating.

     - Kevin
On 1/23/2012 4:06 PM, Steven Vona wrote:
> I am posting here as a last resort and hope someone can help me.
>
> I am running RHEL6 and installed the bind-chroot package. I have tried 
> everything, and even posted to a linux forum I belong to for help.  
> After three pages and a boatload of troubleshooting, no resolution.
>
> Here is a link to the 3-page forum thread if you're interested in seeing 
> all that we tried to do. There is debug information and even tcpdump 
> info in there.
> http://www.linuxquestions.org/questions/linux-server-73/bind-dns-recursion-now-working-924978/
>
> If anyone can help it would be greatly appreciated.  If you need any 
> more information please let me know.
>
>
> This DNS server does not answer recursive queries.  Here is my config.
>
> options {
>     directory "/var/named";
>     allow-query { any; };
>     recursion yes;
>     edns-udp-size 512;
>     listen-on-v6 { none; };
> };
> logging {
>     channel query_log {
>         file "ns1-bind.log" versions unlimited size 100m;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category xfer-in { query_log; };
>     category xfer-out { query_log; };
>     category update { query_log; };
>     category general { query_log; };
>     category queries { query_log; };
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> key "dnsadmin" {
>     algorithm hmac-md5;
>     secret "pjbruihfeuhruehferfw=";
> };
>
> controls {
>   inet 127.0.0.1 allow { localhost; } keys { dnsadmin; };
> };
>
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
>
>
>
> When I try to query google.com it just hangs then returns a servfail:
> # dig @localhost google.com
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58542
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com.            IN    A
>
> ;; Query time: 2695 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Jan 23 16:01:27 2012
> ;; MSG SIZE  rcvd: 28
>
>
> If I do a dig with +trace at the end it works:
> [root at ns1 etc]# dig @localhost google.com +trace
>
> ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com +trace
> ; (2 servers found)
> ;; global options: +cmd
> .            518342    IN    NS d.root-servers.net.
> .            518342    IN    NS c.root-servers.net.
> .            518342    IN    NS b.root-servers.net.
> .            518342    IN    NS a.root-servers.net.
> .            518342    IN    NS l.root-servers.net.
> .            518342    IN    NS f.root-servers.net.
> .            518342    IN    NS g.root-servers.net.
> .            518342    IN    NS j.root-servers.net.
> .            518342    IN    NS e.root-servers.net.
> .            518342    IN    NS h.root-servers.net.
> .            518342    IN    NS i.root-servers.net.
> .            518342    IN    NS m.root-servers.net.
> .            518342    IN    NS k.root-servers.net.
> ;; Received 340 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> com.            172800    IN    NS a.gtld-servers.net.
> com.            172800    IN    NS b.gtld-servers.net.
> com.            172800    IN    NS c.gtld-servers.net.
> com.            172800    IN    NS d.gtld-servers.net.
> com.            172800    IN    NS e.gtld-servers.net.
> com.            172800    IN    NS f.gtld-servers.net.
> com.            172800    IN    NS g.gtld-servers.net.
> com.            172800    IN    NS h.gtld-servers.net.
> com.            172800    IN    NS i.gtld-servers.net.
> com.            172800    IN    NS j.gtld-servers.net.
> com.            172800    IN    NS k.gtld-servers.net.
> com.            172800    IN    NS l.gtld-servers.net.
> com.            172800    IN    NS m.gtld-servers.net.
> ;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 42 ms
>
> google.com.        172800    IN    NS ns2.google.com.
> google.com.        172800    IN    NS ns1.google.com.
> google.com.        172800    IN    NS ns3.google.com.
> google.com.        172800    IN    NS ns4.google.com.
> ;; Received 164 bytes from 192.54.112.30#53(h.gtld-servers.net) in 97 ms
>
> google.com.        300    IN    A    74.125.115.99
> google.com.        300    IN    A    74.125.115.106
> google.com.        300    IN    A    74.125.115.104
> google.com.        300    IN    A    74.125.115.103
> google.com.        300    IN    A    74.125.115.105
> google.com.        300    IN    A    74.125.115.147
> ;; Received 124 bytes from 216.239.32.10#53(ns1.google.com) in 30 ms
>
> You have new mail in /var/spool/mail/root
>
>
>

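To make Kevin's diagnosis concrete, here is an added Python example (not from the thread, and not BIND's or dig's own code) that builds a query the way named sends one with DNSSEC validation on and `edns-udp-size 512` in effect (the dig equivalent is `+norec +dnssec +bufsize=512`: RD cleared, DO bit set, OPT payload size 512), then parses a response and maps a truncated one onto the conditions above. The response bytes are constructed for the example, so it runs offline; the wording of the diagnosis strings is the example's own.

```python
import struct

OPT_TYPE = 41                       # EDNS0 pseudo-RR type (RFC 6891)
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
DO_BIT = 0x8000                     # lives in the OPT record's TTL field


def encode_name(name):
    """Wire-format a dotted name; "" or "." becomes the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(qname, qtype=1, txid=0x1234, rd=False, udp_size=512, do=True):
    """Equivalent of `dig +norec +dnssec +bufsize=<udp_size>`: one question,
    RD cleared, plus an OPT RR advertising udp_size with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = encode_name(".") + struct.pack("!HHIH", OPT_TYPE, udp_size,
                                         DO_BIT if do else 0, 0)
    return header + question + opt


def parse_response(buf):
    """Pull out the header flags and, if present, the responder's OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "udp_size": None, "do": False}
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(buf, offset)
        offset += 4                                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, offset = decode_name(buf, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == OPT_TYPE:                           # CLASS = UDP payload size
            info["udp_size"], info["do"] = rclass, bool(ttl & DO_BIT)
    return info


def diagnose(info, edns_udp_size):
    """Map a parsed response onto the conditions the reply above describes."""
    problems = []
    if info["tc"]:
        problems.append("TC set: the answer did not fit the UDP buffer offered")
        if edns_udp_size <= 512:
            problems.append("edns-udp-size %d leaves DNSSEC-sized answers no UDP path; "
                            "named must retry over TCP, so TCP/53 to the upstream "
                            "must not be reset" % edns_udp_size)
    return problems


# Constructed sample (not captured traffic): a truncated referral as seen when
# the query offered only 512 bytes -- question echoed, no records fit, and the
# server's own OPT says it would have accepted 4096.
TRUNCATED = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC, 1, 0, 0, 1)
             + encode_name("google.com") + struct.pack("!HH", 1, 1)
             + encode_name(".") + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0))

if __name__ == "__main__":
    q = build_query("google.com")
    print("query bytes:", len(q))
    info = parse_response(TRUNCATED)
    print(info)
    for p in diagnose(info, edns_udp_size=512):
        print(" -", p)
```

Feeding `build_query()` to a real upstream is what `dig +norec +dnssec +bufsize=512` does; a TC-flagged reply followed by a reset TCP retry is exactly the combination that leaves named with no way to fetch the answer.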