Hello

Still having problems. That setup was running fine for a few years. The BIND server is on the DMZ and doing NAT for the local net. The test server is behind NAT.

There must be another problem. I have tried a lot of things these days and nothing works. I am thinking of trying a reinstall, but I would prefer to know what happened and solve it. I increased logging and give some additional data, but I do not understand if it is relevant.

Lots of:

adb reached high water mark
DNS_EVENT_ADBNOMOREADDRESSE
network unreachable resolving 'play.google.com/A/IN': 216.239.36.10#53
timed out resolving 'google.com/A/IN': 1.1.1.1#53
(first unreachable, then timeout)

08-Jan-2022 00:14:21.588 expire_v4 set to MIN(2147483647,1641597271) import_rdataset
08-Jan-2022 00:14:21.588 dns_adb_createfind: found A for name m.root-servers.net (0x7f901a5e53a0) in db
08-Jan-2022 00:14:21.644 delete_node(): 0x7f901a73b450 static-assets-prod.s3.amazonaws.com (bucket 17)
08-Jan-2022 00:14:21.648 dns_adb_destroyfind on find 0x7f901a5eb110
08-Jan-2022 00:14:21.648 dns_adb_destroyfind on find 0x7f901a5eef10
08-Jan-2022 00:23:40.915 dispatch 0x7f901435e1f0 response 0x7f901a355ca8 198.97.190.53#53: attached to task 0x7f901a81f5f8
08-Jan-2022 00:23:41.023 dispatch 0x7f901435e1f0 response 0x7f901a355ca8 198.97.190.53#53: detaching from task 0x7f901a81f5f8
08-Jan-2022 00:23:41.023 dispatch 0x7f901435e1f0: detach: refcount 2
08-Jan-2022 00:23:41.039 dispatchmgr 0x7f901e3451c8: destroy_mgr_ok: shuttingdown=1, listnonempty=1, depool=7, rpool=0, dpool=7
08-Jan-2022 00:23:41.039 dispatch 0x7f901435caf0: shutting down; detaching from sock (nil), task 0x7f901a626880
08-Jan-2022 00:22:31.479 view internal: validating mmx-ds.cdn.whatsapp.net/A: starting
08-Jan-2022 00:22:31.479 view internal: validating mmx-ds.cdn.whatsapp.net/A: attempting insecurity proof
08-Jan-2022 00:22:31.479 view internal: validating mmx-ds.cdn.whatsapp.net/A: checking existence of DS at 'net'
08-Jan-2022 00:22:31.479 view internal: validating mmx-ds.cdn.whatsapp.net/A: checking existence of DS at 'whatsapp.net'
08-Jan-2022 00:22:31.479 view internal: validating mmx-ds.cdn.whatsapp.net/A: marking as answer (proveunsecure (4))
08-Jan-2022 00:22:31.479 view internal: validator @0x7f9004034a70: dns_validator_destroy

Some:

success/success [domain:ifconfig.me ,referral:0,restart:1,qrysent:1,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
timed out resolving 'android.l.google.com/A/IN': 1.1.1.1#53
broken trust chain resolving '_.clients6.google.com/A/IN': 216.239.34.10#53

And the timeout error:

timed out/success [domain:google.com ,referral:0,restart:4,qrysent:13,timeout:12,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Thanks

PS: sorry, list, for the wrong subject

On Wed, Jan 12, 2022 at 1:15 PM Tony Finch <d...@dotat.at> wrote:

> Diego Garcia <diegar...@gmail.com> wrote:
> >
> > Every 20/30 minutes, and lasting about 5 minutes, I got 'timeout' in bind
> > queries. After that time everything works fine again.
> >
> > My bind server got a response (from 0.1 to 2 seconds) but replies with an ICMP
> > 'port unreachable'.
> >
> > Any idea what the problem is or what I can check?
> >
> > Firewall is off while testing.
> >
> > My bind server is a NAT router.
>
> It sounds like the NAT is interfering with BIND's resolver. In general,
> NAT (as well as stateful firewalls) do not work well with the DNS, because
> UDP port randomization uses a lot of (mostly useless) connection-tracking
> state. So it's best to put a full service resolver outside a NAT if
> possible.
>
> In your case, I guess there are several possible IP addresses that BIND
> can use as the query source address. Try setting the query-source option
> in named.conf to an IP address that's outside the NAT. You will need to
> use tcpdump to verify that the right packets with the right addresses are
> appearing on the wire.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Portland, Plymouth: Northeast, veering east or southeast, 3 or 4.
> Slight or moderate, occasionally rough at first in Plymouth. Fog
> patches at first in south. Moderate or good, occasionally very poor at
> first in south.
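Added example, not part of the thread or of BIND itself: a small Python parser for the bracketed resolver summary lines quoted in the message above (`.../... [domain:...,qrysent:...,timeout:...]`), which totals queries sent and timeouts per domain so the 20/30-minute failure windows can be compared against the healthy periods. The function names, the 0.5 threshold and the `example.org` line are assumptions made for illustration.

```python
import re

# Constructed sample: the two summary lines quoted in the message, plus one
# made-up line (example.org) so the report has more than one entry.
SAMPLE = """\
success/success [domain:ifconfig.me ,referral:0,restart:1,qrysent:1,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
timed out/success [domain:google.com ,referral:0,restart:4,qrysent:13,timeout:12,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
timed out/success [domain:example.org ,referral:1,restart:2,qrysent:6,timeout:6,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# "<fetch result>/<validation result> [key:value,key:value,...]"
LINE_RE = re.compile(r"(?P<result>[\w ]+?)/(?P<vresult>[\w ]+?) \[(?P<fields>[^\]]*)\]")


def parse_summary(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result").strip(),
           "vresult": m.group("vresult").strip()}
    for pair in m.group("fields").split(","):
        key, _, value = pair.partition(":")
        value = value.strip()  # the log prints "domain:google.com " with a trailing space
        rec[key.strip()] = int(value) if value.isdigit() else value
    return rec


def timeout_report(text, threshold=0.5):
    """Return {domain: (qrysent, timeout, ratio)} where timeout/qrysent >= threshold."""
    totals = {}
    for line in text.splitlines():
        rec = parse_summary(line)
        if rec is None or "domain" not in rec:
            continue  # other debug lines (adb, dispatch, validator) are skipped
        sent, lost = totals.get(rec["domain"], (0, 0))
        totals[rec["domain"]] = (sent + rec.get("qrysent", 0),
                                 lost + rec.get("timeout", 0))
    return {d: (s, l, round(l / s, 2))
            for d, (s, l) in totals.items() if s and l / s >= threshold}


if __name__ == "__main__":
    for domain, (sent, lost, ratio) in timeout_report(SAMPLE).items():
        print(f"{domain}: {lost}/{sent} queries timed out ({ratio:.0%})")
```
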