The noaa.gov name servers also have IPv6 addresses but I don't get a reply from that address.
You may want to trace whether your name server is using that address when you see the problem.

On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies are
> fast (sub 100ms)
>
> -----Original Message-----
> From: Warren Kumari [mailto:war...@kumari.net]
> Sent: September 18, 2017 12:06 PM
> To: Levesque, Ricky (SNB) <ricky.leves...@snb.ca>
> Cc: John Miller <johnm...@brandeis.edu>; bind-users@lists.isc.org
> Subject: Re: NOAA.GOV domain not working
>
> On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB)
> <ricky.leves...@snb.ca> wrote:
>> Thank you for your reply,
>> When I notice too many failed queries from this domain name
>> (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc
>> reload), seems to allow queries to work. But still latent (in the
>> 3500ms range)
>>
>> This is what I get from a DIG +trace... the connection times out every time.
>> #dig +trace www.nhc.noaa.gov
>>
>> But if I try another domain, example: "cisco.com" it completes properly
>> #dig +trace cisco.com
>>
>> As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS servers
>> (8.8.8.8) and the query seems to time out as well.
>> # dig +trace www.nhc.noaa.gov @8.8.8.8
>>
>>
>> ; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP* +trace
>> ;; global options: +cmd
>> . 434277 IN NS e.root-servers.net.
>> . 434277 IN NS d.root-servers.net.
>> . 434277 IN NS f.root-servers.net.
>> . 434277 IN NS a.root-servers.net.
>> . 434277 IN NS i.root-servers.net.
>> . 434277 IN NS h.root-servers.net.
>> . 434277 IN NS g.root-servers.net.
>> . 434277 IN NS l.root-servers.net.
>> . 434277 IN NS b.root-servers.net.
>> . 434277 IN NS k.root-servers.net.
>> . 434277 IN NS j.root-servers.net.
>> . 434277 IN NS c.root-servers.net.
>> . 434277 IN NS m.root-servers.net.
>> ;; Received 811 bytes from *removed DNS-SRV-IP* #53(*removed DNS-SRV-IP*) in 4 ms
>>
>> gov. 172800 IN NS a.gov-servers.net.
>> gov. 172800 IN NS b.gov-servers.net.
>> gov. 172800 IN NS c.gov-servers.net.
>> gov. 172800 IN NS d.gov-servers.net.
>> gov. 86400 IN DS 7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
>> gov. 86400 IN DS 7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
>> gov. 86400 IN RRSIG DS 8 1 86400 20171001050000 20170918040000 15768 .
>> TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg
>> /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+
>> 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG
>> 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ
>> BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo
>> QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
>> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>>
>> noaa.gov. 86400 IN NS ns-e.noaa.gov.
>> noaa.gov. 86400 IN NS ns-mw.noaa.gov.
>> noaa.gov. 86400 IN NS ns-nw.noaa.gov.
>> noaa.gov. 3600 IN DS 13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
>> noaa.gov. 3600 IN DS 13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
>> noaa.gov. 3600 IN RRSIG DS 8 2 3600 20170925101007 20170918101007 21428 gov.
>> UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6
>> 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4
>> oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
>> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>>
>> ;; connection timed out; no servers could be reached
>>
> Huh. Weird.
>
> Try:
> dig www.nhc.noaa.gov @ns-e.noaa.gov.
> dig www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig www.nhc.noaa.gov @ns-nw.noaa.gov.
>
> and:
> dig -4 www.nhc.noaa.gov @ns-e.noaa.gov.
> dig -4 www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig -4 www.nhc.noaa.gov @ns-nw.noaa.gov.
>
> and
> dig +tcp www.nhc.noaa.gov @ns-e.noaa.gov.
> dig +tcp www.nhc.noaa.gov @ns-mw.noaa.gov.
> dig +tcp www.nhc.noaa.gov @ns-nw.noaa.gov.
>
> and also:
> traceroute ns-e.noaa.gov.
> traceroute ns-mw.noaa.gov.
> traceroute ns-nw.noaa.gov.
>
> What address range are you coming from? It sounds like you cannot reach the
> noaa.gov nameservers (or they cannot reach you!)
>
> W
>
>>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
>> Of John Miller
>> Sent: September 18, 2017 11:03 AM
>> Cc: bind-users@lists.isc.org
>> Subject: Re: NOAA.GOV domain not working
>>
>> Hi Ricky,
>>
>> Try running a "dig +trace www.nhc.noaa.gov," then query each record in the
>> chain and see which one's slow to respond. I don't see anything crazy in
>> your named.conf. Something you didn't mention: does clearing cache make a
>> difference?
>>
>> John
>> --
>> John Miller
>> Systems Engineer
>> Brandeis University
>> johnm...@brandeis.edu
>>
>>
>> On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB)
>> <ricky.leves...@snb.ca> wrote:
>>> Good day,
>>>
>>> I’ve been having an interesting issue with BIND and wondering if
>>> anyone has had this before or knows how to fix it.
>>>
>>> The issue is,
>>>
>>> I have 2 recursive/caching DNS servers running BIND
>>> 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this
>>> particular domain.
>>>
>>> Noaa.gov (as well as its sub domains. Specifically – www.nhc.noaa.gov)
>>>
>>> By slow I mean, it takes approximately 3500ms to query while most
>>> other domains take less than 100ms to query.
>>>
>>> What’s worse, the domains (noaa.gov) becomes unqueriable after a few
>>> hours or a day and I need to clear the DNS servers cache to allow it
>>> to work again.
>>>
>>> The domains have very very low TTL’s (30s) and use DNSSEC
>>>
>>> Error:
>>>
>>> ##dig www.nhc.noaa.gov
>>>
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;www.nhc.noaa.gov. IN A
>>>
>>> Fixes I have attempted so far:
>>>
>>> Reboot servers (2 CentOS servers running on VMware)
>>> Update system
>>> Try a default config file
>>> Updated VMware tools
>>> Clear DNS cache (temporary fix)
>>> Checked firewall for abnormal data
>>> Updated root hints
>>>
>>> Config:
>>>
>>> acl internal {
>>>     *removed*;
>>>     localhost;
>>> };
>>>
>>> options {
>>>     listen-on port 53 { *removed*;
>>>         127.0.0.1;
>>>         ;
>>>     };
>>>     listen-on-v6 port 53 { none;
>>>         #::1;
>>>     };
>>>     directory "/var/named";
>>>     dump-file "/var/named/data/cache_dump.db";
>>>     statistics-file "/var/named/data/named_stats.txt";
>>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>
>>>     dnssec-enable no;
>>>     dnssec-validation no;
>>>     dnssec-lookaside auto;
>>>
>>>     // Conform to RFC1035
>>>     auth-nxdomain no;
>>>
>>>     // Allowed Port Ranges
>>>     use-v4-udp-ports { range 32768 65535; };
>>>     use-v6-udp-ports { range 32768 65535; };
>>>     recursive-clients 15000;
>>>     server-id none;
>>>     version none;
>>>     interface-interval 0;
>>>     allow-query { internal;
>>>     };
>>>     allow-recursion { internal;
>>>     };
>>>     max-ncache-ttl 3600;
>>>     allow-query-cache { internal;
>>>     };
>>> };
>>>
>>> logging {
>>>     channel default_debug {
>>>         syslog local4;
>>>         severity debug;
>>>     };
>>> };
>>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in
> the first place.
> This is like putting rabid weasels in your pants, and later expressing regret
> at having chosen those particular rabid weasels and that pair of pants.
> ---maf

--
Best regards

Sten Carlsen

No improvements come from shouting: "MALE BOVINE MANURE!!!"
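The follow-up the thread converges on (query each noaa.gov name server directly over IPv4, IPv6 and TCP), as an added example that is not part of any message above: it reads `dig +trace` output, finds the referral after which the trace timed out, and prints the per-server probes. The function names are hypothetical, the sample trace is abbreviated from the one quoted in the thread, and 192.0.2.53 is a placeholder for the resolver address that was removed there.

```shell
#!/bin/sh
# Constructed sample: the thread's trace, abbreviated (DS/RRSIG records dropped);
# 192.0.2.53 is a placeholder for the resolver address removed in the thread.
sample_trace() {
cat <<'EOF'
. 434277 IN NS a.root-servers.net.
;; Received 811 bytes from 192.0.2.53#53(192.0.2.53) in 4 ms
gov. 172800 IN NS a.gov-servers.net.
gov. 172800 IN NS b.gov-servers.net.
;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
noaa.gov. 86400 IN NS ns-e.noaa.gov.
noaa.gov. 86400 IN NS ns-mw.noaa.gov.
noaa.gov. 86400 IN NS ns-nw.noaa.gov.
;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
;; connection timed out; no servers could be reached
EOF
}

# Print "zone server" for every name server in the last referral, but only if
# the trace then timed out: those are the servers that never answered.
# Exit status 1 means the trace did not stall.
stalled_servers() {
    awk '
        $3 == "IN" && $4 == "NS" { zone = $1; ns[++n] = $5; next }
        /^;; Received/ {              # end of one referral block
            last_zone = zone; last_n = n
            for (i = 1; i <= n; i++) last[i] = ns[i]
            n = 0; next
        }
        /connection timed out/ { stalled = 1 }
        END {
            if (!stalled) exit 1
            for (i = 1; i <= last_n; i++) print last_zone, last[i]
        }'
}

# Read "zone server" lines; print one direct, non-recursive query per server for
# UDP over IPv4, UDP over IPv6 and TCP over IPv4, so a dead path stands out.
probe_plan() {
    qname=$1
    while read -r _zone server; do
        for opts in "-4" "-6" "-4 +tcp"; do
            echo "dig $opts +norecurse +time=3 +tries=1 $qname @$server"
        done
    done
}

sample_trace | stalled_servers | probe_plan www.nhc.noaa.gov
```

Run on the recursive server itself, `dig +trace www.nhc.noaa.gov | stalled_servers | probe_plan www.nhc.noaa.gov | sh` executes the probes from the same network path the resolver uses.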