NOAA.GOV domain not working

Sten Carlsen stenc at s-carlsen.dk
Mon Sep 18 16:26:32 UTC 2017


The noaa.gov name servers also have IPv6 addresses, but I don't get a
reply from that address.

You may want to trace whether your name server is using that address
when you see the problem.


On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies are fast (sub 100ms)
>
> -----Original Message-----
> From: Warren Kumari [mailto:warren at kumari.net] 
> Sent: September 18, 2017 12:06 PM
> To: Levesque, Ricky (SNB) <ricky.levesque at snb.ca>
> Cc: John Miller <johnmill at brandeis.edu>; bind-users at lists.isc.org
> Subject: Re: NOAA.GOV domain not working
>
> On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB) <ricky.levesque at snb.ca> wrote:
>> Thank you for your reply,
>> When I notice too many failed queries from this domain name 
>> (www.nhc.noaa.gov), restarting the service or clearing the cache (rndc 
>> reload) seems to allow queries to work. But still latent (in the 
>> 3500ms range)
>>
>> This is what I get from a DIG +trace...  the connection times out every time.
>> #dig +trace www.nhc.noaa.gov
>>
>> But if I try another domain, example: "cisco.com" it completes 
>> properly
>> #dig +trace cisco.com
>>
>> As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS servers (8.8.8.8) and the query seems to time out as well.
>> # dig +trace www.nhc.noaa.gov @8.8.8.8
>>
>>
>> ; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP* +trace
>> ;; global options: +cmd
>> .                       434277  IN      NS      e.root-servers.net.
>> .                       434277  IN      NS      d.root-servers.net.
>> .                       434277  IN      NS      f.root-servers.net.
>> .                       434277  IN      NS      a.root-servers.net.
>> .                       434277  IN      NS      i.root-servers.net.
>> .                       434277  IN      NS      h.root-servers.net.
>> .                       434277  IN      NS      g.root-servers.net.
>> .                       434277  IN      NS      l.root-servers.net.
>> .                       434277  IN      NS      b.root-servers.net.
>> .                       434277  IN      NS      k.root-servers.net.
>> .                       434277  IN      NS      j.root-servers.net.
>> .                       434277  IN      NS      c.root-servers.net.
>> .                       434277  IN      NS      m.root-servers.net.
>> ;; Received 811 bytes from *removed DNS-SRV-IP* #53(*removed DNS-SRV-IP*) in 4 ms
>>
>> gov.                    172800  IN      NS      a.gov-servers.net.
>> gov.                    172800  IN      NS      b.gov-servers.net.
>> gov.                    172800  IN      NS      c.gov-servers.net.
>> gov.                    172800  IN      NS      d.gov-servers.net.
>> gov.                    86400   IN      DS      7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
>> gov.                    86400   IN      DS      7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
>> gov.                    86400   IN      RRSIG   DS 8 1 86400 20171001050000 20170918040000 15768 . TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+ 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
>> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>>
>> noaa.gov.               86400   IN      NS      ns-e.noaa.gov.
>> noaa.gov.               86400   IN      NS      ns-mw.noaa.gov.
>> noaa.gov.               86400   IN      NS      ns-nw.noaa.gov.
>> noaa.gov.               3600    IN      DS      13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
>> noaa.gov.               3600    IN      DS      13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
>> noaa.gov.               3600    IN      RRSIG   DS 8 2 3600 20170925101007 20170918101007 21428 gov. UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4 oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
>> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>>
>> ;; connection timed out; no servers could be reached
>>
> Huh. Weird.
>
> Try:
> dig  www.nhc.noaa.gov @ns-e.noaa.gov.
> dig  www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig  www.nhc.noaa.gov @ns-nw.noaa.gov.
>
> and:
> dig  -4 www.nhc.noaa.gov @ns-e.noaa.gov.
> dig  -4 www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig  -4 www.nhc.noaa.gov @ns-nw.noaa.gov.
>
> and
> dig  +tcp www.nhc.noaa.gov @ns-e.noaa.gov.
> dig  +tcp www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig  +tcp www.nhc.noaa.gov @ns-nw.noaa.gov.
>
>
> and also:
> traceroute ns-e.noaa.gov.
> traceroute ns-mw.noaa.gov.
> traceroute ns-nw.noaa.gov.
>
>
> What address range are you coming from? It sounds like you cannot reach the noaa.gov nameservers (or they cannot reach you!)
>
> W
>
>>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf 
>> Of John Miller
>> Sent: September 18, 2017 11:03 AM
>> Cc: bind-users at lists.isc.org
>> Subject: Re: NOAA.GOV domain not working
>>
>> Hi Ricky,
>>
>> Try running a "dig +trace www.nhc.noaa.gov," then query each record in the chain and see which one's slow to respond.  I don't see anything crazy in your named.conf.  Something you didn't mention: does clearing cache make a difference?
>>
>> John
>> --
>> John Miller
>> Systems Engineer
>> Brandeis University
>> johnmill at brandeis.edu
>>
>>
>> On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB) 
>> <ricky.levesque at snb.ca> wrote:
>>> Good day,
>>>
>>> I’ve been having an interesting issue with BIND and wondering if 
>>> anyone has had this before or knows how to fix it.
>>>
>>> The issue is,
>>>
>>> I have 2 recursive/caching DNS servers running BIND 
>>> 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this 
>>> particular domain.
>>>
>>> Noaa.gov (as well as its subdomains, specifically www.nhc.noaa.gov)
>>>
>>> By slow I mean, it takes approximately 3500ms to query while most 
>>> other domains take less than 100ms to query.
>>>
>>> What’s worse, the domain (noaa.gov) becomes unqueryable after a few 
>>> hours or a day and I need to clear the DNS servers' cache to allow it 
>>> to work again.
>>>
>>> The domains have very very low TTLs (30s) and use DNSSEC
>>>
>>> Error:
>>>
>>> ##dig www.nhc.noaa.gov
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;www.nhc.noaa.gov.              IN      A
>>>
>>> Fixes I have attempted so far:
>>>
>>> Reboot servers (2 centos servers running on vmware)
>>> Update system
>>> Try a default config file
>>> Updated vmware tools
>>> Clear DNS cache (temporary fix)
>>> Checked firewall for abnormal data
>>> Updated root hints
>>>
>>> Config:
>>>
>>> acl internal {
>>>         *removed*;
>>>         localhost;
>>>         };
>>>
>>> options {
>>>         listen-on port 53 { *removed*;
>>>                             127.0.0.1;
>>>                             ;
>>>                           };
>>>         listen-on-v6 port 53 { none;
>>>                                #::1;
>>>                              };
>>>         directory       "/var/named";
>>>         dump-file       "/var/named/data/cache_dump.db";
>>>         statistics-file "/var/named/data/named_stats.txt";
>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>
>>>         dnssec-enable no;
>>>         dnssec-validation no;
>>>         dnssec-lookaside auto;
>>>
>>>         // Conform to RFC1035
>>>         auth-nxdomain no;
>>>
>>>         // Allowed Port Ranges
>>>         use-v4-udp-ports { range 32768 65535; };
>>>         use-v6-udp-ports { range 32768 65535; };
>>>         recursive-clients 15000;
>>>         server-id none;
>>>         version none;
>>>         interface-interval 0;
>>>         allow-query { internal; };
>>>         allow-recursion { internal; };
>>>         max-ncache-ttl 3600;
>>>         allow-query-cache { internal; };
>>>         };
>>>
>>> logging {
>>>         channel default_debug {
>>>                 syslog local4;
>>>                 severity debug;
>>>         };
>>> };
>>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

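The per-server checks suggested in this thread (dig with -4, dig with +tcp, and the IPv6 point in the reply above), collected into one script as an added example that is not part of the original messages: it queries each name server given on the command line over both address families and both transports, then reports any family that never answers. The function names, the `+time`/`+tries` values and the use of `-6`, `+notcp` and `+norecurse` are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): probe every listed name server over
# IPv4/IPv6 and UDP/TCP, then report address families that never answer.
# Usage (hypothetical file name):
#   ./probe-ns.sh www.nhc.noaa.gov ns-e.noaa.gov ns-mw.noaa.gov ns-nw.noaa.gov

# Read dig output on stdin; print "timeout", the RCODE, or "unknown".
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout; return 0 ;;
    esac
    # Header line: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${status:-unknown}"
}

# probe <qname> <server> <4|6> <udp|tcp>: one non-recursive query, 3 s limit.
probe() {
    tflag=+notcp
    if [ "$4" = tcp ]; then tflag=+tcp; fi
    dig "-$3" "$tflag" +norecurse +tries=1 +time=3 "$1" "@$2" 2>&1 | classify_dig_output
}

# Print one "server family transport result" row per combination.
probe_matrix() {
    qname=$1; shift
    for server in "$@"; do
        for family in 4 6; do
            for transport in udp tcp; do
                echo "$server $family $transport $(probe "$qname" "$server" "$family" "$transport")"
            done
        done
    done
}

# Read rows on stdin; print each family for which no probe returned an RCODE.
failing_families() {
    awk '{ seen[$2] = 1; if ($4 != "timeout" && $4 != "unknown") ok[$2] = 1 }
         END { for (f in seen) if (!(f in ok)) print "IPv" f }' | sort
}

if [ "$#" -gt 1 ]; then
    rows=$(probe_matrix "$@")
    printf '%s\n' "$rows"
    printf '%s\n' "$rows" | failing_families | sed 's/^/no answer over /'
fi
```

Run it from the recursive server itself, since the result depends on the path from that host to the noaa.gov name servers.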