RE: Regarding EDNS Responses.
In message <001501ca5785$257c7220$21011...@china.huawei.com>, Ashwin writes:
>
> Hi All,
>
> RFC 2671 mentions in Section 5.3
>
>    Responders who do not understand these protocol extensions are
>    expected to send a response with RCODE NOTIMPL, FORMERR, or
>    SERVFAIL.
>
> However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are
> shared, so how do we ascertain that the error code returned is an indication
> that a particular server is non-EDNS, since the error might be returned due
> to some other reason also.
>
> So essentially my query is how do we decide that a particular server is EDNS
> or not? Can it be assumed that each time the above three error codes are
> returned, it signifies that the DNS server is not EDNS capable?

Hi Mark,

>> You assume it is EDNS if it is in response to a EDNS query and retry
>> w/o EDNS. If the problem is EDNS the plain DNS query will succeed.
>> If it is not EDNS the plain EDNS query will fail.

Thanks for your response. I have a doubt though.

I send out an EDNS query, for the response the following possibilities
a) Success, with OPT RR, I assume server is EDNS capable
b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL with or without OPT RR.

In b) I do not know whether server is EDNS or not, since server might return NOTIMPL & SERVFAIL error codes for some other reason also. If I consider the case that retry with plain DNS query is success and assume EDNS was problem, I think maybe it's not correct because SERVFAIL might happen for some other reason at the time EDNS query is sent, but that error is resolved by the time the plain DNS query is sent. So even though server is EDNS I would assume it is non-EDNS.

The idea is to identify whether a server supports EDNS through a first query, and then subsequent requests we send based on this identification. One could call it a pseudo-caching of the EDNS feature for servers.

I hope I made myself clear :(

> Regards
>
> Ashwin
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Regarding EDNS Responses.
It's not a perfect world. Even getting back an EDNS response does not indicate that the server understands EDNS.

In message <002301ca579c$56deb0f0$21011...@china.huawei.com>, Ashwin writes:
>
> In message <001501ca5785$257c7220$21011...@china.huawei.com>, Ashwin writes:
> >
> > Hi All,
> >
> > RFC 2671 mentions in Section 5.3
> >
> >    Responders who do not understand these protocol extensions are
> >    expected to send a response with RCODE NOTIMPL, FORMERR, or
> >    SERVFAIL.
> >
> > However the above mentioned error codes are shared [SERVFAIL, NOTIMPL] are
> > shared, so how do we ascertain that the error code returned is an indication
> > that a particular server is non-EDNS, since the error might be returned due
> > to some other reason also.
> >
> > So essentially my query is how do we decide that a particular server is EDNS
> > or not? Can it be assumed that each time the above three error codes are
> > returned, it signifies that the DNS server is not EDNS capable?
>
> Hi Mark,
>
> >> You assume it is EDNS if it is in response to a EDNS query and retry
> >> w/o EDNS. If the problem is EDNS the plain DNS query will succeed.
> >> If it is not EDNS the plain EDNS query will fail.
>
> Thanks for your response. I have a doubt though.
>
> I send out an EDNS query, for the response the following possibilities
> a) Success, with OPT RR, I assume server is EDNS capable
> b) Failure with RCODE NOTIMPL, FORMERR, or SERVFAIL with or without
> OPT RR.
>
> In b) I do not know whether server is EDNS or not, since server might return
> NOTIMPL & SERVFAIL error codes for some other reason also. If I consider the
> case that retry with plain DNS query is success and assume EDNS was problem,
> I think maybe it's not correct because SERVFAIL might happen for some other
> reason at the time EDNS query is sent, but that error is resolved by the
> time the plain DNS query is sent. So even though server is EDNS I would
> assume it is non-EDNS.
>
> The idea is to identify whether a server supports EDNS through a first
> query, and then subsequent requests we send based on this identification.
> One could call it a pseudo-caching of the EDNS feature for servers.
>
> I hope I made myself clear :(
>
> > Regards
> >
> > Ashwin
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
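An added example, not code from this thread or from BIND: one way to build the per-server "pseudo-caching" of EDNS support discussed above so that a single transient SERVFAIL does not mark an EDNS-capable server as non-EDNS. The three-strike threshold, the expiry time and the names `EdnsCache`, `legacy_server` and `flaky_edns_server` are assumptions of this example; the two responders are constructed so the logic runs offline.

```python
import struct
import time

FORMERR, SERVFAIL, NOTIMP = 1, 2, 4           # RCODEs named in RFC 2671 section 5.3
AMBIGUOUS = (FORMERR, SERVFAIL, NOTIMP)       # may mean "no EDNS" or something else
OPT = 41                                      # OPT pseudo-RR type
OPT_RR = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)  # root name, 4096-byte UDP size

def build_query(qname, edns, msg_id=0x1234):
    """Build an A/IN query, optionally carrying an OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1) + (OPT_RR if edns else b"")

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, has_opt) for a DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == OPT
    return flags & 0x000F, has_opt

class EdnsCache:
    """Per-server memory of whether to send EDNS (hypothetical helper)."""

    def __init__(self, strikes_needed=3, ttl=3600.0, clock=time.monotonic):
        # strikes_needed and ttl are assumptions of this example, not values from the thread
        self.strikes_needed, self.ttl, self.clock = strikes_needed, ttl, clock
        self.strikes = {}       # server -> consecutive "EDNS failed, plain worked"
        self.plain_until = {}   # server -> time before which EDNS is not sent

    def wants_edns(self, server):
        return self.clock() >= self.plain_until.get(server, 0.0)

    def query(self, server, qname, send):
        """Return the final RCODE; send(server, bytes) -> bytes performs the I/O."""
        if not self.wants_edns(server):
            return parse_response(send(server, build_query(qname, False)))[0]
        rcode, has_opt = parse_response(send(server, build_query(qname, True)))
        if rcode not in AMBIGUOUS:
            if has_opt:                       # case (a): success with OPT RR
                self.strikes[server] = 0
            return rcode
        plain_rcode, _ = parse_response(send(server, build_query(qname, False)))
        if plain_rcode not in AMBIGUOUS:
            # Plain worked where EDNS failed: evidence against EDNS, not proof.
            self.strikes[server] = self.strikes.get(server, 0) + 1
            if self.strikes[server] >= self.strikes_needed:
                self.plain_until[server] = self.clock() + self.ttl
                self.strikes[server] = 0
        # If the plain retry failed too, the fault is not EDNS: learn nothing.
        return plain_rcode

def make_reply(query, rcode, with_opt):
    """Constructed sample response: echo the question, set QR and the RCODE."""
    msg_id, _f, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:len(query) - (len(OPT_RR) if ar else 0)]
    header = struct.pack("!HHHHHH", msg_id, 0x8180 | rcode, qd, 0, 0, 1 if with_opt else 0)
    return header + question + (OPT_RR if with_opt else b"")

def legacy_server(_server, query):
    """Constructed responder that rejects any query carrying an OPT RR."""
    has_opt = struct.unpack("!H", query[10:12])[0] == 1
    return make_reply(query, FORMERR if has_opt else 0, with_opt=False)

def flaky_edns_server():
    """Constructed EDNS-capable responder whose first answer is a transient SERVFAIL."""
    calls = []
    def send(_server, query):
        calls.append(query)
        has_opt = struct.unpack("!H", query[10:12])[0] == 1
        return make_reply(query, SERVFAIL if len(calls) == 1 else 0, with_opt=has_opt)
    return send
```

Because the non-EDNS verdict expires, a server that was misjudged, or later upgraded, is probed with EDNS again instead of being pinned to plain DNS.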
RE: 2 simultaneous hung Bind boxes
Hi!

On some of our (linux based) DNS servers the BIND just hangs; the combination was fairly old hardware and fairly new OS/BIND. Couldn't figure it out either until I came up with https://www.isc.org/node/302. At least you could try it, I found no harm on setting the /proc/sys/net/core/xfrm_larval_drop to 1 just to be on the safe side...

--
Tommi Nikkilä
System Specialist

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Justin Shore
Sent: 28 October 2009 7:30
To: bind-users@lists.isc.org
Subject: 2 simultaneous hung Bind boxes

I got a call from a remote tech earlier this evening. He was at home on our service and couldn't get on the Internet. His IP connectivity was fine and could hit my NOC website via IP only. DNS however was hosed. About the time I got in a position to check the bind logs and sniff his traffic the problem went away. We chalked it up to a local problem until a few minutes later across the SP network I too experienced the same thing. My DNS requests simply timed out. I turned on querylog on our boxes and could see what appeared to be successful hits and replies. The boxes were just not replying to queries. Traffic on our main upstream dropped by about 90% within a few short minutes (users' DNS stopped and outbound usage ground to a halt basically). Not knowing what else to try I restart bind on both NSs. That fixed it.

The boxes are running fairly old Bind code, 9.5.1b2. Tomorrow I will upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use). My question is are there any known ways for a crafted query or crafted reply to cause what I've described on that old release of Bind? I recall hearing about assorted things over the past couple of years though I thought that they were things that would cause actual crashing, not the mentally hosing my boxes appeared to take this evening. Does anything else come to mind?

The views on the servers only permit recursive lookups internally from our customer prefixes. Externally you can only get responses for things that we have authority over.

Thoughts?

Thanks
Justin
Reasons for not resolving
Hello,

There are few websites that our DNS (BIND 9.4.2 on CentOS 5) is not resolving while others like 4.2.2.2 does, I wonder what could be the reasons for this?

Regards,
Alans
RE: Reasons for not resolving
I looked more and I figure out that we can't ping or browse any of these hosts http://www.ip-adress.com/reverse_ip/96.31.75.113 (they all are on one IP) it's confusing because when I search in Google for host names it appears in the result which means it's not down for everyone!!

Any ideas?

Kind regards,
Alans

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alans
Sent: Wednesday, October 28, 2009 10:47 AM
To: bind-users@lists.isc.org
Subject: Reasons for not resolving

Hello,

There are few websites that our DNS (BIND 9.4.2 on CentOS 5) is not resolving while others like 4.2.2.2 does, I wonder what could be the reasons for this?

Regards,
Alans
Reverse DNS & slave server
Just simple question.

I'm setting up slave dns server, my question, is do I need to transfer Reverse zone too? or just domain zone is enough?

thank you for any help
Re: 2 simultaneous hung Bind boxes
Justin Shore wrote:
> The boxes are running fairly old Bind code, 9.5.1b2. Tomorrow I will
> upgrade to 9.6.1rc1 (unless people believe 9.7.0b1 is ready for use).

I would recommend not using beta or release candidate code in your deployment. If you want something that will stand up to customer needs (and not cause your pager to go off at oh-dark-thirty), try 9.6.1-P1.

For further information on naming, take a look at: https://www.isc.org/software/bind/versions

AlanC
Re: ISC BIND 9.7.0b1 is now available
On Tue, Oct 20, 2009 at 08:29:20PM +, Evan Hunt wrote a message of 836 lines which said:

>BIND 9.7.0b1 is now available.

Apparently, support for the new algorithms RSASHA256 and RSASHA512 is not included? Is it planned for 9.7 or shall I wait 9.8?

% bind/bin/dnssec/dnssec-keygen -a RSASHA256 -b 2048 -r /dev/urandom example.net
dnssec-keygen: fatal: unknown algorithm RSASHA256
Re: 2 simultaneous hung Bind boxes
Nikkilä wrote:
> Hi!
>
> On some of our (linux based) DNS server's the BIND just hangs; the combination was fairly old hardware and fairly new OS/BIND. Couldn't figure it out either until I came up with https://www.isc.org/node/302. At least you could try it, I found no harm on setting the /proc/sys/net/core/xfrm_larval_drop to 1 just to be on the safe side...

Tommi,

Thanks for the reply. The boxes are fairly old Dells (1650s) running FC5. I'm rebuilding them in 2010. I'll take a look at that doc and see. These servers have generally been rock solid. The only problem I've had is with my split view configuration when I update a zone on the master. The zone is copied to the slave but only 1 view on each box gets the updated zone. I have to restart the named process to make it re-read the local copy of the zone to get both views on the same serial. But I've never had any stability issues to date. I'll upgrade to 9.6 too just to be safe.

Thanks
Justin
Re: ISC BIND 9.7.0b1 is now available
> Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
> not included? Is it planned for 9.7 or shall I wait 9.8?

That will be in 9.7.0b2.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: ISC BIND 9.7.0b1 is now available
On Oct 28 2009, Evan Hunt wrote:

>> Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
>> not included? Is it planned for 9.7 or shall I wait 9.8?
>
> That will be in 9.7.0b2.

You aren't going to wait for the RFC? - it doesn't seem to be out yet. Or maybe you are predicting that it will be out before 9.7.0b2 is...

--
Chris Thompson
Email: c...@cam.ac.uk
Re: ISC BIND 9.7.0b1 is now available
On Wed, Oct 28, 2009 at 03:17:54PM +, Chris Thompson wrote a message of 13 lines which said:

> You aren't going to wait for the RFC?

It is in AUTH48 (the last step before publication, theoretically meaning that the people involved have 48 h to make remarks).

After all, ldns already has it :-)

% ldns-keygen -a RSASHA256 vachement-secure.example
Kvachement-secure.example.+008+23094

% cat Kvachement-secure.example.+008+23094.key
vachement-secure.example. 3600 IN DNSKEY 256 3 8 \
  AwEAAc87fkhQ3RehZ9AWUtataphm6Ku+DLKgtUPp/Zi0mwhtDN36oWBhzUt5a82Zeat4zsbC6W
  jIDWWqOx33cWh3ISMKDK0cOu1kMRCZTXS98WoSA0TgfMBdGdaK/Z+yLX+COq8HL72gBDG/RuDqIOwdtC
  BhbDluIwafzPAw3l2rIEiR \
  ;{id = 23094 (zsk), size = 1024b}
New BIND server
Hello BIND users,

I have setup a new Ubuntu 9.04 server with BIND9.

I have looked at a few tutorials and how-tos like this one: https://help.ubuntu.com/community/BIND9ServerHowto

but would like to get your tips and tricks to secure your BIND servers before putting it into production.

Thanks,
Neosys
Re: New BIND server
On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil wrote:
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is this an authoritative only server for zones? Recursive server for clients? Other questions I can't think of at the moment?

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
RE: New BIND server
Yes sorry,

This DNS server is only to resolve our local hosted domain names - authoritative only server - WITH no recursion

-Original Message-
From: Rick Dicaire [mailto:kri...@gmail.com]
Sent: 28 October 2009 12:01
To: martin.dubre...@neosynergix.com
Cc: bind-users@lists.isc.org
Subject: Re: New BIND server

On Wed, Oct 28, 2009 at 11:27 AM, NéoSynergix | Martin Dubreuil wrote:
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

A little vague here. You haven't defined what your intentions are. Is this an authoritative only server for zones? Recursive server for clients? Other questions I can't think of at the moment?

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: Reasons for not resolving
Alans,

Why would you use Google to determine whether a web site is up or not?

It's not even clear to me that you're having a DNS problem. It's rather bad practice to have lots of reverse-records in the DNS for a given address (e.g. 96.31.75.113), and can even cause problems with oversized responses to reverse lookups being dropped by firewalls, but it shouldn't cause any *forward* (name-to-address) lookups to fail. Can you resolve a name like yarnandwaste.com or can't you? Please follow normal diagnostic procedures and try to determine what actual problem you are having. "Can't ping or browse" is only the start of the diagnostic process, and might not be caused by DNS at all.

Once you've determined that you can't resolve a particular name, then something you might try is a "dig +trace" on the name, from your nameserver. That will show you the sequence of queries that will be followed by a resolver to try and resolve the name, and might help pinpoint the source of the problem. It will not, however, exactly match what your nameserver is doing unless you have a completely "vanilla", iterative-resolving configuration (i.e. Internet root hints and nothing else). If you have other elements of your config that affect resolution, e.g. zones of type stub/forward/master/slave anywhere in the hierarchy of the name you're looking up, or "forwarders" in your "options" clause, then "dig +trace" won't know about those "specials" and can't match exactly what your nameserver would do. Also, it's possible that your nameserver has cached data that might cause it to resolve differently than "dig +trace", which always starts with no cache at all.

- Kevin

Alans wrote:
> I looked more and I figure out that we can't ping or browse any of these hosts http://www.ip-adress.com/reverse_ip/96.31.75.113 (they all are on one IP) it's confusing because when I search in Google for host names it appears in the result which means it's not down for everyone!!
>
> Any ideas?
>
> Kind regards,
> Alans
>
> *From:* bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Alans
> *Sent:* Wednesday, October 28, 2009 10:47 AM
> *To:* bind-users@lists.isc.org
> *Subject:* Reasons for not resolving
>
> Hello,
>
> There are few websites that our DNS (BIND 9.4.2 on CentOS 5) is not resolving while others like 4.2.2.2 does, I wonder what could be the reasons for this?
>
> Regards,
> Alans
Re: Reverse DNS & slave server
アルベルト wrote:
> Just simple question.
>
> I'm setting up slave dns server, my question, is do I need to transfer Reverse zone too? or just domain zone is enough?

Sort of impossible to answer, without more information. Why did you set up a slave server in the first place? Redundancy? Performance? Because it was required by your registrar? Some or all of those same reasons might apply to the reverse zone as well.

- Kevin
Re: New BIND server
On 28.10.09 11:27, NéoSynergix | Martin Dubreuil wrote:
> I have setup a new Ubuntu 9.04 server with BIND9.
>
> but would like to get your tips and tricks to secure your BIND servers
> before putting it into production.

What do you mean secure? Default installation should not allow anything that might be unsecure. Only take care about allow-recursion setting if you plan to use it as recursive (if not, "recursion no" should be in the config) and that should be enough for now.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot.
RE: New BIND server
> Hello BIND users,
>
> I have setup a new Ubuntu 9.04 server with BIND9.
>
> I have looked at a few tutorial and how to's like this one: https://help.ubuntu.com/community/BIND9ServerHowto
>
> but would like to get your tips and tricks to secure your BIND servers before putting it into production.
>
> Thanks,
> Neosys

Aside from standard OS level hardening that should have already been done, I would recommend looking over the following:

http://www.cymru.com/Documents/secure-bind-template.html

Thanks...
Justin
Re: New BIND server
Yeah, look it over, but take the zone-transfer restrictions and version-obfuscation stuff with a bit of a grain of salt. Those parts are a little too PHSCSE (Pointy-Haired So-Called Security Expert)-ish for my tastes, verging on Theater. At least they finally got rid of the "bogon" stuff.

Chroot and unprivileged, on the other hand, are _de_rigueur_ for anything facing the Internet directly, as is view separation (or, to be more hardcore, process-instance/listen-on or machine separation) between recursive-resolver and non-recursive/authoritative roles.

If you're slaving, you'd also want to set up TSIG-authentication between masters and slaves. That's not shown in the template.

- Kevin

Dixon, Justin wrote:
> > Hello BIND users,
> >
> > I have setup a new Ubuntu 9.04 server with BIND9.
> >
> > I have looked at a few tutorial and how to's like this one: https://help.ubuntu.com/community/BIND9ServerHowto
> >
> > but would like to get your tips and tricks to secure your BIND servers before putting it into production.
> >
> > Thanks,
> > Neosys
>
> Aside from standard OS level hardening that should have already been done, I would recommend looking over the following:
>
> http://www.cymru.com/Documents/secure-bind-template.html
>
> Thanks…
> Justin
Re: ISC BIND 9.7.0b1 is now available
> You aren't going to wait for the RFC? - it doesn't seem to be out yet.
> Or maybe you are predicting that it will be out before 9.7.0b2 is...

It's out now (RFC 5702), so this is a moot point--but we were mainly waiting for IANA to pick the final codepoints, not so much for the RFC to be finalized.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Reverse DNS & slave server
In article , アルベルト wrote:
> Just simple question.
>
> I'm setting up slave dns server, my question, is do I need to transfer
> Reverse zone
> too ? or just domain zone is enough?
>
> thank you for any help

You need to transfer any zones that are delegated to the slave server. There's nothing special about forward versus reverse zones in this regard.

Forward and reverse zones don't have to be hosted on the same servers, although most organizations use the same servers for all their zones for simplicity.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: ISC BIND 9.7.0b1 is now available
On Oct 28 2009, Evan Hunt wrote:

>> You aren't going to wait for the RFC? - it doesn't seem to be out yet.
>> Or maybe you are predicting that it will be out before 9.7.0b2 is...
>
> It's out now (RFC 5702), so this is a moot point--but we were mainly
> waiting for IANA to pick the final codepoints, not so much for the RFC
> to be finalized.

Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01, if that's when the root zone is going to be *really* signed (with RSASHA256, according to current reports).

--
Chris Thompson
Email: c...@cam.ac.uk
Re: ISC BIND 9.7.0b1 is now available
> Will you be adding RSASHA256 support in the 9.5.x and 9.6.x series? It
> might be a bit optimistic to expect everyone to move to 9.7.x by 2010-07-01,
> if that's when the root zone is going to be *really* signed (with RSASHA256,
> according to current reports).

Not 9.5.x, as it lacks NSEC3 support. Adding SHA-2 to 9.6.x would violate our policy of making major functional changes only in major releases, so I don't expect we'll do that. Given the odd circumstances you mentioned, I won't say for certain that we won't--but I doubt it. 9.7.0 is going to be final in a little over a month, which is fortunate timing.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
how to debug
HI,

I have already analysis where to add new RR, and how to make it works. But I don't contact automake tool before, so reading so large configure and makefiles make me feel so bad. I try to understand, but it just myself alone to do this, so anyone can give some guide how to debug the source code, how to modify makefile and test result!

Thanks very much!

--
Best regards!
Re: how to debug
In message , aihua zhang writes:
>
> HI,
>
> I have already analysis where to add new RR,and how to make it works.
> But i don't contact automake tool before, so reading so large configure
> and makefiles make me feel so bad. I try to understand ,but it just myself
> alone to do this , so anyone can give some guide how to debug the source
> code, how to modify makefile and test result!

I'll repeat what I said before "make clean" then "make". You don't need to touch configure or the Makefiles. You just need to do a clean build. The process will look in lib/dns/rdata and find the files there.

Mark

> Thanks very much!
>
> --
> Best regards!

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: Reasons for not resolving
Kevin,

Thanks for your explanation, yarnandwaste.com cannot be resolved, below is dig +trace result:

[r...@ns2 ~]# dig yarnandwaste.com +trace

; <<>> DiG 9.4.2 <<>> yarnandwaste.com +trace
;; global options: printcmd
. 437569 IN NS B.ROOT-SERVERS.NET.
. 437569 IN NS C.ROOT-SERVERS.NET.
. 437569 IN NS D.ROOT-SERVERS.NET.
. 437569 IN NS E.ROOT-SERVERS.NET.
. 437569 IN NS F.ROOT-SERVERS.NET.
. 437569 IN NS G.ROOT-SERVERS.NET.
. 437569 IN NS H.ROOT-SERVERS.NET.
. 437569 IN NS I.ROOT-SERVERS.NET.
. 437569 IN NS J.ROOT-SERVERS.NET.
. 437569 IN NS K.ROOT-SERVERS.NET.
. 437569 IN NS L.ROOT-SERVERS.NET.
. 437569 IN NS M.ROOT-SERVERS.NET.
. 437569 IN NS A.ROOT-SERVERS.NET.
;; Received 500 bytes from xx.xx.xx.xx #53(xx.xx.xx.xx) in 0 ms

com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
;; Received 506 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 158 ms

yarnandwaste.com. 172800 IN NS maa.durgamatamandir.com.
yarnandwaste.com. 172800 IN NS mata.durgamatamandir.com.
;; Received 119 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 225 ms

;; connection timed out; no servers could be reached

Does that mean it's a connectivity problem?

Also another issue is with gegreklam.com which has different results when dig +trace and without +trace, kindly check below results:

- without +trace

[r...@ns2 ~]# dig gegreklam.com

; <<>> DiG 9.4.2 <<>> gegreklam.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2418
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;gegreklam.com. IN A

;; ANSWER SECTION:
gegreklam.com. 13940 IN A 208.43.100.50

;; AUTHORITY SECTION:
gegreklam.com. 85940 IN NS dns4.rawshen.com.
gegreklam.com. 85940 IN NS dns3.rawshen.com.

;; Query time: 0 msec
;; SERVER: xx.xx.xx.xx#53(xx.xx.xx.xx)
;; WHEN: Thu Oct 29 08:07:01 2009
;; MSG SIZE rcvd: 93

- with +trace

[r...@ns2 ~]# dig gegreklam.com +trace

; <<>> DiG 9.4.2 <<>> gegreklam.com +trace
;; global options: printcmd
. 436613 IN NS E.ROOT-SERVERS.NET.
. 436613 IN NS F.ROOT-SERVERS.NET.
. 436613 IN NS G.ROOT-SERVERS.NET.
. 436613 IN NS H.ROOT-SERVERS.NET.
. 436613 IN NS I.ROOT-SERVERS.NET.
. 436613 IN NS J.ROOT-SERVERS.NET.
. 436613 IN NS K.ROOT-SERVERS.NET.
. 436613 IN NS L.ROOT-SERVERS.NET.
. 436613 IN NS M.ROOT-SERVERS.NET.
. 436613 IN NS A.ROOT-SERVERS.NET.
. 436613 IN NS B.ROOT-SERVERS.NET.
. 436613 IN NS C.ROOT-SERVERS.NET.
. 436613 IN NS D.ROOT-SERVERS.NET.
;; Received 500 bytes from xx.xx.xx.xx #53(xx.xx.xx.xx) in 0 ms

com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
com. 172800 IN NS B.GT