problem with resolving SOME EXTERNAL domains
Ronan Flood
ronan at noc.ulcc.ac.uk
Mon Jun 13 15:26:56 UTC 2005
<enesz at bih.net.ba> wrote:
> After flushing DNS cache with rndc flush, I tried to resolve with IP
> addresses of navy.mil DNS servers, like this:
Your local cache should have no effect on these tests, but no matter.
> # ./dig @138.180.5.138 usno.navy.mil. a +norec
> # ./dig @205.56.138.34 usno.navy.mil. a +norec
> # ./dig @205.56.150.18 usno.navy.mil. a +norec
> # ./dig @138.143.200.2 usno.navy.mil. a +norec
> # ./dig @192.245.206.2 usno.navy.mil. a +norec
[snip all timing out]
> As you can see, NOTHING again.
>
> Is this a network problem, or..?
> Possible network problems on communication with root DNS servers?
Nothing to do with the root servers, as you are contacting the
navy.mil servers directly by IP address. Might be a network problem.
Can you try those tests again over TCP:
dig @138.180.5.138 usno.navy.mil. a +norec +vc
and the same for the others.
How far does a traceroute get? Here are the first two from here:
% traceroute -n 138.180.5.138
traceroute to 138.180.5.138 (138.180.5.138), 30 hops max, 40 byte packets
1 128.86.16.1 0.687 ms 0.373 ms 0.360 ms
2 128.86.1.43 0.377 ms 0.293 ms 0.290 ms
3 146.97.35.5 0.630 ms 0.555 ms 0.551 ms
4 146.97.33.34 0.947 ms 0.898 ms 0.883 ms
5 146.97.35.226 0.939 ms 0.843 ms 0.866 ms
6 213.206.159.101 0.946 ms 1.028 ms 0.932 ms
7 213.206.128.97 1.205 ms 1.197 ms 1.231 ms
8 213.206.129.70 8.406 ms 8.344 ms 8.356 ms
9 213.206.129.79 25.735 ms 25.657 ms 25.620 ms
10 217.147.128.34 26.438 ms 26.444 ms 26.414 ms
11 217.147.128.41 26.161 ms 26.188 ms 26.282 ms
12 217.147.143.62 46.817 ms 46.692 ms 46.598 ms
13 140.35.3.53 46.751 ms 47.162 ms 46.618 ms
14 198.26.146.58 47.393 ms 47.236 ms 46.975 ms
15 * * *
% traceroute -n 205.56.138.34
traceroute to 205.56.138.34 (205.56.138.34), 30 hops max, 40 byte packets
1 128.86.16.1 0.814 ms 0.442 ms 0.400 ms
2 193.63.94.43 0.407 ms 0.307 ms 0.312 ms
3 146.97.35.5 0.641 ms 0.578 ms 0.568 ms
4 146.97.33.34 0.947 ms 0.927 ms 0.896 ms
5 146.97.35.222 1.004 ms 0.876 ms 0.873 ms
6 213.206.159.101 0.957 ms 0.957 ms 0.929 ms
7 213.206.128.104 1.041 ms 0.947 ms 0.968 ms
8 144.232.9.163 68.234 ms 68.266 ms 143.397 ms
9 144.232.7.106 68.304 ms 68.340 ms 68.395 ms
10 144.232.7.101 68.480 ms 68.258 ms 68.435 ms
11 205.171.1.133 68.129 ms 68.016 ms 68.108 ms
12 205.171.17.69 68.907 ms 68.895 ms 68.935 ms
13 205.171.8.181 83.841 ms 124.754 ms 83.761 ms
14 198.26.99.81 88.764 ms 88.964 ms 88.845 ms
15 33.99.200.2 88.888 ms 89.186 ms 88.958 ms
16 198.25.101.2 116.434 ms 93.305 ms 121.770 ms
17 * * *
I believe the target nameserver is the next hop (15 and 17) in
each case, as a tcptraceroute to port 53 on them indicates that.
> P.S I already sent my named.conf
Yes, I had no relevant comment to make on that.
You probably do not want "query-source address * port 53" unless
you have some definite reason for needing it, and you should
use "allow-recursion" or similar to limit access to your resolver.
--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
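
The two named.conf remarks in the message above, written out as a configuration fragment. This is an added example, not part of the original post and not the poster's named.conf (which does not appear on this page); the ACL name "trusted-clients" and the 192.0.2.0/24 network are placeholders.

```conf
// Before (the setting the reply advises against, shown commented out):
//
// options {
//     query-source address * port 53;   // every outgoing query leaves from port 53
// };
//
// With a fixed source port, a forged answer only has to match the
// 16-bit query ID, and with no recursion ACL the resolver answers
// recursive queries from any address that can reach it.

// After: no fixed source port, recursion limited to known clients.
acl "trusted-clients" {
    localhost;        // built-in ACL: this host's own addresses
    localnets;        // built-in ACL: networks directly attached to this host
    192.0.2.0/24;     // placeholder: replace with your client networks
};

options {
    // No "query-source ... port 53" line: named picks the source port itself.
    // Keep a fixed port only if a firewall rule genuinely requires it.

    // Only the listed clients may ask this server to recurse on their behalf.
    allow-recursion { "trusted-clients"; };
};
```

Running named-checkconf on the edited file before reloading catches syntax errors such as a missing semicolon.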