How do I debug if the queries are not getting resolved?
Grant Taylor
gtaylor at tnetconsulting.net
Tue Dec 12 02:41:19 UTC 2023
On 12/11/23 18:47, Blason R wrote:

> Oh I forgot to tell you that. This is BIND RPZ and all the queries are
> recursive.

Okay, what RPZ configuration do you have? Is it messing with the
queries you're testing in any way?

What configuration do you have for RPZ related to DNSSEC?

> Dig output just dies out and does not spit anything.

Please elaborate on "just dies". Does the dig abort / terminate / fail
and immediately return you to a command prompt? Or does it simply take
longer than you are allowing it to run?

What happens if you allow dig to run for 5-8 minutes? It should timeout
sometime long before 8 minutes and print something germane to the terminal.

I think that a network sniffer while running dig tests above is a very
helpful thing. #trustTheBitsOnTheWire

> And this specifically I noticed with .gov and .gov.in <http://gov.in>
> domain. This is the reason I think it might be related to DNSSEC.

RPZ and DNSSEC have an interesting relationship.

What happens if you do a `\dig +trace` on the name you're testing?

N.B. the leading backslash is important to disable any local shell aliasing.

Also, `which dig` to confirm that you are running the binary that you
think you are running.

> Also wanted to understand overall how do I debug any queries.

Something somewhere will give you diagnostically relevant data. You
need to find it and understand it. Even strace / dtrace on dig will be
helpful at times.

There's a possibility that there is a missing library and dig can't even
run. But that's unlikely -- but not impossible -- with dig installed
via standard repo commands.
--
Grant. . . .
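The reply above asks the poster to turn "dig just dies" into something concrete: which binary ran, whether it aborted or timed out, and what it printed. The script below is an added example (not from this thread or from BIND/ISC) that wraps the suggested `\dig +trace` run with a bounded timeout and reports exit status and elapsed time. It assumes a POSIX shell with `dig` and `date(1)` on the PATH; the verdict logic relies only on dig's documented exit codes (0 ok, 1 usage error, 8 batch file, 9 no reply from server, 10 internal error). The name and timing values passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Turns "dig just dies" into
# an observable record: binary used, exit status, elapsed seconds, output.

# classify_dig EXIT_STATUS ELAPSED_SECONDS TIMEOUT_BUDGET
# Maps dig's documented exit codes and the run time into a one-word verdict.
classify_dig() {
    status=$1; elapsed=$2; budget=$3
    case "$status" in
        0) echo "answered" ;;
        9) # "no reply from server": a timeout if we used up the whole budget,
           # otherwise the server (or something in between) refused/dropped early
           if [ "$elapsed" -ge "$budget" ]; then echo "timeout"; else echo "no-reply"; fi ;;
        1) echo "usage-error" ;;
        8|10) echo "dig-internal-error" ;;
        *) # shells report a signal death as 128+signo (e.g. 137 = SIGKILL)
           if [ "$status" -gt 128 ]; then echo "killed-by-signal-$((status - 128))"
           else echo "unknown-$status"; fi ;;
    esac
}

# probe_name NAME [SECONDS_PER_TRY] [TRIES]
# Runs the unaliased dig with an explicit per-query timeout and a +trace walk
# from the root, then prints the verdict. With +trace every hop gets its own
# +time/+tries budget, so total elapsed time can exceed one budget.
probe_name() {
    name=$1
    per_try=${2:-5}
    tries=${3:-1}
    budget=$((per_try * tries))

    # same check the post suggests with `which dig`, in POSIX form
    echo "dig binary in use: $(command -v dig || echo '<dig not found on PATH>')"

    start=$(date +%s)
    out=$(\dig +time="$per_try" +tries="$tries" +trace "$name" 2>&1)
    status=$?
    end=$(date +%s)
    elapsed=$((end - start))

    printf '%s\n' "$out" | tail -n 20
    echo "verdict: $(classify_dig "$status" "$elapsed" "$budget") (exit=$status, elapsed=${elapsed}s)"
}

# Run only when a name is given, e.g.:  sh dig_probe.sh example.gov 5 1
if [ $# -gt 0 ]; then
    probe_name "$@"
fi
```

Running this alongside a capture such as `tcpdump -ni any port 53` (the "bits on the wire" the post refers to) lets you line up each hop of the `+trace` walk against the packets actually sent and answered, which is usually where an RPZ rewrite or a DNSSEC validation failure first becomes visible.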