why include an answer in the query?
Mark Andrews
Mark_Andrews at isc.org
Fri Apr 21 02:20:40 UTC 2006
> Hi,
>
> We have a local DNS server that uses the ISP's DNS server
> as a forwarder. Usually it is working fine. But recently
> we find that it can't resolve www.yahoo.com (but yahoo.com
> is OK), because the ISP's DNS server is not responding to
> the query on www.yahoo.com (but does respond to queries
> on yahoo.com). However, using the "host" command to query
> the ISP's DNS server directly works fine for both domain
> names. So Yahoo is working and the ISP's DNS server is also
> working fine.
>
> Using tcpdump we find that if the query is for www.yahoo.com,
> our local DNS server will include an answer in the query
> to the ISP's DNS server (tcpdump shows the [1au] flag for
> the DNS packet), while for yahoo.com it won't:
>
> [root at cladmr003 root]# tcpdump -A -i eth2 port 53
> tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode listening on eth2, link-type EN10MB (Ethernet),
> capture size 96 bytes
> 14:54:55.723957 IP n8z108l98.broadband.ctm.net.1751 >
> macau.ctm.net.domain: 34796+ [1au] A? www.yahoo.akadns.net. (49)
>
> E..M.. at .@.5...lb.......5.9...............www.yahoo.akadns.net...
> ....)........
>
> Do you think it is this answer that is causing the ISP's DNS
> server to reject the query? If no, what else could be causing
> this behavior?
>
> Thanks!
Your ISP's firewall is blocking EDNS responses that are bigger
than 512 octets. If I increase the bufsize to 2048 I get no
response. The response that is dropped has 4 more A records
in the additional section (an additional 64 octets).

The [1au] is named telling your ISP's nameservers that it is
capable of receiving larger responses, see RFC 2671.

Note I can get a response bigger than 512 octets from the root
servers so this is not a local firewall issue.

Mark

; <<>> DiG 9.3.2 <<>> www.yahoo.akadns.net @macau.ctm.net +bufsize=512
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1713
;; flags: qr rd; QUERY: 1, ANSWER: 8, AUTHORITY: 11, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yahoo.akadns.net. IN A
;; ANSWER SECTION:
www.yahoo.akadns.net. 25 IN A 66.94.230.37
www.yahoo.akadns.net. 25 IN A 66.94.230.42
www.yahoo.akadns.net. 25 IN A 66.94.230.45
www.yahoo.akadns.net. 25 IN A 66.94.230.47
www.yahoo.akadns.net. 25 IN A 66.94.230.49
www.yahoo.akadns.net. 25 IN A 66.94.230.75
www.yahoo.akadns.net. 25 IN A 66.94.230.32
www.yahoo.akadns.net. 25 IN A 66.94.230.35
;; AUTHORITY SECTION:
akadns.net. 6883 IN NS eur7.akadns.net.
akadns.net. 6883 IN NS eur8.akadns.net.
akadns.net. 6883 IN NS usc4.akadns.net.
akadns.net. 6883 IN NS use1.akadns.net.
akadns.net. 6883 IN NS use9.akadns.net.
akadns.net. 6883 IN NS usw5.akadns.net.
akadns.net. 6883 IN NS usw6.akadns.net.
akadns.net. 6883 IN NS usw7.akadns.net.
akadns.net. 6883 IN NS asia4.akadns.net.
akadns.net. 6883 IN NS asia9.akadns.net.
akadns.net. 6883 IN NS eur4.akadns.net.
;; ADDITIONAL SECTION:
eur4.akadns.net. 7013 IN A 195.219.3.169
eur7.akadns.net. 7013 IN A 193.108.94.88
eur8.akadns.net. 7013 IN A 62.4.69.96
usc4.akadns.net. 7013 IN A 69.45.78.3
use1.akadns.net. 7013 IN A 67.72.17.134
use9.akadns.net. 7013 IN A 81.52.250.134
usw5.akadns.net. 7013 IN A 63.241.73.200
;; Query time: 211 msec
;; SERVER: 202.175.3.3#53(202.175.3.3)
;; WHEN: Fri Apr 21 12:05:20 2006
;; MSG SIZE rcvd: 500

; <<>> DiG 9.3.2 <<>> www.yahoo.akadns.net @a.root-servers.net +bufsize=2048
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61213
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yahoo.akadns.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS A.GTLD-SERVERS.net.
net. 172800 IN NS G.GTLD-SERVERS.net.
net. 172800 IN NS H.GTLD-SERVERS.net.
net. 172800 IN NS C.GTLD-SERVERS.net.
net. 172800 IN NS I.GTLD-SERVERS.net.
net. 172800 IN NS B.GTLD-SERVERS.net.
net. 172800 IN NS D.GTLD-SERVERS.net.
net. 172800 IN NS L.GTLD-SERVERS.net.
net. 172800 IN NS F.GTLD-SERVERS.net.
net. 172800 IN NS J.GTLD-SERVERS.net.
net. 172800 IN NS K.GTLD-SERVERS.net.
net. 172800 IN NS E.GTLD-SERVERS.net.
net. 172800 IN NS M.GTLD-SERVERS.net.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.net. 172800 IN AAAA 2001:503:a83e::2:30
A.GTLD-SERVERS.net. 172800 IN A 192.5.6.30
G.GTLD-SERVERS.net. 172800 IN A 192.42.93.30
H.GTLD-SERVERS.net. 172800 IN A 192.54.112.30
C.GTLD-SERVERS.net. 172800 IN A 192.26.92.30
I.GTLD-SERVERS.net. 172800 IN A 192.43.172.30
B.GTLD-SERVERS.net. 172800 IN AAAA 2001:503:231d::2:30
B.GTLD-SERVERS.net. 172800 IN A 192.33.14.30
D.GTLD-SERVERS.net. 172800 IN A 192.31.80.30
L.GTLD-SERVERS.net. 172800 IN A 192.41.162.30
F.GTLD-SERVERS.net. 172800 IN A 192.35.51.30
J.GTLD-SERVERS.net. 172800 IN A 192.48.79.30
K.GTLD-SERVERS.net. 172800 IN A 192.52.178.30
E.GTLD-SERVERS.net. 172800 IN A 192.12.94.30
M.GTLD-SERVERS.net. 172800 IN A 192.55.83.30
;; Query time: 652 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Apr 21 12:11:35 2006
;; MSG SIZE rcvd: 534
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org