Dear Stan,
Dans sa grande sagesse, Sten Carlsen a écrit, le 02/03/2010 18:43 :
Hi
Seen from here, I get a fast response to dig "labanquepostale.fr".
When you query your own servers?
I get a fast response from isis.imag.fr and imag.imag.fr; it's only
brahma.imag.fr and cosmos.imag.fr who time out.
Using your servers 1 - 4 shows only that they do not answer recursive
queries, that is diferent from my first try but a good change.
They only allow recursive queries for clients on our networks. We don't
have open recursive servers so that's normal.
To have good resolution a nameserver must have access via:
UDP from any local port to remote port 53, it must have the possibility
to use EDNS0 -> packet size over 512bytes
TCP from any local port to remote port 53.
OK, thank you for those important technical precisions. It might indeed
be a network problem on our side.
Being able to telnet only shows TCP connectivity and only from the port
actually used when trying. UDP is the normal mode of communication.
True, telnet to port 53 is a necessary but not a sufficient condition to
guarantee there is no network problem involved.
A firewall could block any of the above access routes -> if TCP is open,
you can telnet but it might still block UDP.
Then examples of bad firewall designs have been seen that would modify
packets during transit or truncate them. So there are lots of
possibilities that a firewall can still interfere.
OK, thank you for all these indications. I'll investigate our network
setup in order to ensure that's all OK.
Best regards,
Oliver
Oliver Henriot wrote:
Dear Sten,
I didn't give the domain I'm encountering problems with because it
seemed irrelevant to me.
As Stéphane Bortzmeyer says in his message of 01/03/10 11:44, it's
best to give names, so here goes :
x.fr is labanquepostale.fr
"1" is imag.imag.fr
"2" is brahma.imag.fr
"3" is isis.imag.fr
"4" is cosmos.imag.fr
As to a possible firewall problem, how could this be if the servers
encountering problems don't have any access problems on TCP port 53?
Thanks.
Oliver
Dans sa grande sagesse, Sten Carlsen a écrit, le 27/02/10 19:06 :
Since you don't tell which domain is the problem and at least I get
perfect answers for imag.fr (my only possible guess) from all listed
servers, I can have no clue.
Best guess is still some firewall doing something stupid.
Oliver Henriot wrote:
Dear list users,
Maybe you can help me out here. Please bear with me if I'm stating the
obvious, but my computing skills are scarce and I still have a lot to
learn.
I have a series of name servers, some of which fail to resolve hosts
in other domains whereas others don't have any problem.
My setup is as follows :
- server "1" : master for my domain, recursion disabled for all except
localhost. Setup is BIND 9.5.1-P2 on SunOS 5.9.
- servers "2", "3" and "4" : slaves for my domain, recusrion allowed
for all, official resolvers for my clients, same configuration on all
3. Setup is DiG 9.3.6-P1 on CentOS 5.4.
Servers "2" and "4" fail to resolve domain x.fr whereas "1" and "3"
have no problem (if interrogated locally for "1" of course). The error
I get is :
dig -t A @"2" www.x.fr
;<<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2<<>> -t A @"2" www.x.fr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.x.fr. IN A
;; Query time: 4622 msec
;; SERVER: "2"#53("2")
;; WHEN: Sat Feb 27 18:20:07 2010
;; MSG SIZE rcvd: 40
The behavior is the same for "4" and for any host in domain x.fr (and
the domain itself).
It's not a network problem, I can telnet on port 53 of the name
servers for domain x.fr from "2" (obviously using the ip address as
the name can't be resolved by the server).
Also, reverse queries for hosts in domain x.fr from "2" do not fail.
Finally, even more strange, if I use dig's +trace option servers "2"
and "4" do not fail any more and can resolve www.x.fr (although the
query lags quite a bit when doing the last bit of resolving, from x.fr
to www.x.fr).
Here's the output :
dig www.x.fr @"2" +trace
;<<>> DiG 9.5.1-P3<<>> www.x.fr @"2" +trace
;; global options: printcmd
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
;; Received 500 bytes from "2"#53("2") in 2 ms
fr. 172800 IN NS E.EXT.NIC.fr.
fr. 172800 IN NS B.EXT.NIC.fr.
fr. 172800 IN NS F.EXT.NIC.fr.
fr. 172800 IN NS A.NIC.fr.
fr. 172800 IN NS C.NIC.fr.
fr. 172800 IN NS G.EXT.NIC.fr.
fr. 172800 IN NS D.NIC.fr.
fr. 172800 IN NS D.EXT.NIC.fr.
;; Received 444 bytes from 192.58.128.30#53(J.ROOT-SERVERS.NET) in
44 ms
x.fr. 172800 IN NS ns1.x.fr.
x.fr. 172800 IN NS ns2.x.fr.
;; Received 108 bytes from 193.176.144.6#53(E.EXT.NIC.fr) in 33 ms
www.x.fr. 300 IN A xxx.xxx.xxx.xxx
x.fr. 300 IN NS ns2.x.fr.
x.fr. 300 IN NS ns1.x.fr.
;; Received 124 bytes from xxx.xxx.xxx.xxx#53(ns1.x.fr) in 0 ms
I'm at a loss as to what's going on (or wrong) here and what I can to
do to solve the problem. Any help would be greatly appreciated.
Thanks in advance.
Oliver
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
