Client cannot resolve communities.intel.com
Mark Andrews
marka at isc.org
Tue Jul 5 03:56:11 UTC 2011
In message <d4cab5be198fc64c3c372271709f4b83 at prod.iotk.net>, vr writes:
> Hello,
>
> I am trying to visit "http://communities.intel.com" using Iceweasel on
> a Debian desktop PC. No proxies.
>
> My clients etc/resolv.conf point to my own Debian BIND 9.7.3 installed
> on a separate server and installed from distribution packages (bind9
> 1:9.7.3.dfsg-1~squeeze2).
>
> From myDesktop, NSLOOKUP fails but DIG shows a CNAME record. I see the
> same results from the BIND server so I've included just the output from
> myDesktop below. Also included below is my named.conf.
The answers are consistent. Nslookup searches and doesn't stop on
NODATA and it doesn't cope with a CNAME + referral response which
it interprets as a NODATA response.
> Do I have something obvious in BIND screwed up? Or is my client/browser
> broken? Or...?
Your allow-recursion acl is not broad enough.
> ----------------------------------------------------------
>
> me at myDesktop:~$ nslookup communities.intel.com ns.iotk.net
> Server: ns.iotk.net
> Address: 99.30.25.1#53
>
> ** server can't find communities.intel.com: NXDOMAIN
>
> ----------------------------------------------------------
>
> me at myDesktop:~$ dig communities.intel.com ns.iotk.net
Please learn how to drive dig. You wanted to do:
dig communities.intel.com @ns.iotk.net
> ; <<>> DiG 9.6-ESV-R3 <<>> communities.intel.com ns.iotk.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7908
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
The resolver is pointing at a nameserver that doesn't offer recursion
to this client (no "ra" in the flags section).
> ;; QUESTION SECTION:
> ;communities.intel.com. IN A
>
> ;; ANSWER SECTION:
> communities.intel.com. 207 IN CNAME intel-2.hs.llnwd.net.
>
> ;; AUTHORITY SECTION:
> llnwd.net. 604800 IN SOA localhost. root.localhost. 2008071301 604800 86400 2419200 604800
>
> ;; Query time: 2 msec
> ;; SERVER: 99.30.25.1#53(99.30.25.1)
> ;; WHEN: Mon Jul 4 22:51:42 2011
> ;; MSG SIZE rcvd: 123
>
> named.conf on 99.30.25.1
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> acl "iotk" {
> 127.0.0.1; // localhost
> 99.30.25.0/29; // static range
> !192.168.0.254; // not the router
> 192.168.0.0/24; // internal network
> 10.10.10.0/8; // backup network
> };
>
> options {
> directory "/etc/bind/";
> listen-on { 99.30.25.1; };
> allow-recursion { iotk; }; // ddos prevention
> interface-interval 0; // no dynamic ifaces
> // allow-query { iotk; }; // this limits ALL zones
> allow-transfer { iotk; }; // this limits ALL zones
> transfer-format many-answers; // faster transfers
> version "DNS Server"; // hides BIND version
> statistics-file "/var/log/bind/stats.log";
> auth-nxdomain yes;
> };
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
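
An added example, not part of the original message and not BIND code: a Python sketch of how an address match list such as the "iotk" ACL quoted above is evaluated (elements are tried in order, the first match decides, "!" negates, no match means refused), for checking whether a given client address falls inside allow-recursion. `match_acl` is a hypothetical helper, the client addresses are constructed, and masking the host bits of `10.10.10.0/8` is an assumption about what that entry is meant to cover.

```python
import ipaddress

# The "iotk" ACL in the order posted in the thread's named.conf.
IOTK_ACL = ["127.0.0.1", "99.30.25.0/29", "!192.168.0.254",
            "192.168.0.0/24", "10.10.10.0/8"]


def match_acl(client, elements):
    """Return (allowed, matched_element); the first matching element decides."""
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        spec = element.lstrip("!").strip()
        if spec == "none":
            continue  # matches nothing, keep looking
        if spec == "any":
            return (not negated, element)
        # strict=False masks host bits, so 10.10.10.0/8 is read as 10.0.0.0/8
        # (assumption; named itself may warn about or reject such an entry).
        net = ipaddress.ip_network(spec, strict=False)
        if addr.version == net.version and addr in net:
            return (not negated, element)
    return (False, None)  # no element matched: recursion is refused


def main():
    # Constructed client addresses, not taken from the thread.
    for client in ["99.30.25.2", "192.168.0.17", "192.168.0.254",
                   "10.200.1.1", "203.0.113.5"]:
        allowed, rule = match_acl(client, IOTK_ACL)
        verdict = "recursion allowed" if allowed else "recursion refused"
        print(f"{client:15} {verdict:18} matched: {rule}")


if __name__ == "__main__":
    main()
```

A client that comes back as refused here will only get answers from the server's own zones and cache, which is the condition to rule out before suspecting the browser or the stub resolver.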