Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
Dear All, I am not able to query over IPv6 from F.ROOT-SERVERS.NET over IPv6 from India. The F Root server instance is hosted in NIXI in India. Can anyone connected to Indian ISP check the same and let me know whether the issue is only with my network or for all NIXI connected users. Regards, Gaurav Kansal ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
Hi Gaurav On Mon, Jun 15, 2015 at 06:11:26PM +0530, Gaurav Kansal wrote: > Can anyone connected to Indian ISP check the same and let me know > whether the issue is only with my network or for all NIXI connected > users. I'd like to to help and am probably a stone's throw away from the f node in Chennai. I seem to be living under a stone, but I don't get v6 routes from my ISPs. Are you using v6 via an Indian consumer ISP? Mukund pgpe2VB5XAWen.pgp Description: PGP signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Automatic . NS queries from BIND
Dear Team, My caching DNS server is generating log of . NS queries to ROOT Servers. I have a hint file in my bind configuration and the same is up-to date. The same behavior is occurring in multiple versions of BIND (tested on 9.7, 9.9 and on 9.10). It must be for some purpose (may be BIND doesn't trust hint file and cross check it from root servers). Can anyone put some light on this. Sample tcpdump output :- 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28) 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 [1au] NS? . (28) 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 [1au] NS? . (28) 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 [1au] NS? . (28) 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44) 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33) 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28) 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ [1au] NS? . (28) 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ [1au] NS? . (28) 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36) 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ [1au] NS? . (28) 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ [1au] NS? . (28) 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ [1au] NS? . (28) 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ [1au] NS? . (28) 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ [1au] NS? . (28) 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43) 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 [1au] NS? 116.73.202.141. (43) 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 [1au] NS? 2.mr. (33) 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 [1au] NS? 6.mr. (33) 17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 [1au] NS? 3.mr. (33) 17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 [1au] NS? 172.192.168.2. (42) Regards, Gaurav Kansal ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
On Mon, Jun 15, 2015 at 8:41 AM, Gaurav Kansal wrote: > Dear All, > > > > I am not able to query over IPv6 from F.ROOT-SERVERS.NET over IPv6 from > India. > > The F Root server instance is hosted in NIXI in India. I just wanted to confirm - you are trying to ping 2001:4f8:0:2::69, yes? What IP / subnet would you be coming from? Also, can you provide a traceroute? W > > > > Can anyone connected to Indian ISP check the same and let me know whether > the issue is only with my network or for all NIXI connected users. > > > > Regards, > > Gaurav Kansal > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
I am on nic network and we have our own v6 connectivity. Sent by kansal's device. From: Mukund Sivaraman Sent: Monday, June 15, 6:51 PM Subject: Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA To: Gaurav Kansal Cc: bind-users@lists.isc.org Hi Gaurav On Mon, Jun 15, 2015 at 06:11:26PM +0530, Gaurav Kansal wrote: > Can anyone connected to Indian ISP check the same and let me know > whether the issue is only with my network or for all NIXI connected > users. I'd like to to help and am probably a stone's throw away from the f node in Chennai. I seem to be living under a stone, but I don't get v6 routes from my ISPs. Are you using v6 via an Indian consumer ISP?Mukund___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
I am trying to telnet (port 53)/ping/dig on 2001:500:2F::F address. Src address is 2405:8a00::/32. Trace is blocked at firewall end. If needed i wl try to get the same. Regards, Gaurav Kansal Sent by kansal's device. From: Warren Kumari Sent: Monday, June 15, 6:54 PM Subject: Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA To: Gaurav Kansal Cc: bind-users@lists.isc.org On Mon, Jun 15, 2015 at 8:41 AM, Gaurav Kansal wrote: > Dear All, > > > > I am not able to query over IPv6 from F.ROOT-SERVERS.NET over IPv6 from > India. > > The F Root server instance is hosted in NIXI in India. I just wanted to confirm - you are trying to ping 2001:4f8:0:2::69, yes? What IP / subnet would you be coming from? Also, can you provide a traceroute? W > > > > Can anyone connected to Indian ISP check the same and let me know whether > the issue is only with my network or for all NIXI connected users. > > > > Regards, > > Gaurav Kansal > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Automatic . NS queries from BIND
The hints hopefully point eventually to an authoritative server for ".". Whatever that authoritative server says overrides any hints, just like any other zone's authoritative NS. It does not matter how obsolete a delegation is, so long as some authoritative NS replies, the data from the delegation (hints) no longer matters. HtHLen On Monday, June 15, 2015 6:14 AM, Gaurav Kansal wrote: Dear Team, My caching DNS server is generating log of . NS queries to ROOT Servers. I have a hint file in my bind configuration and the same is up-to date. The same behavior is occurring in multiple versions of BIND (tested on 9.7, 9.9 and on 9.10). It must be for some purpose (may be BIND doesn’t trust hint file and cross check it from root servers).Can anyone put some light on this. Sample tcpdump output :-15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28)15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 [1au] NS? . (28)15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 [1au] NS? . (28)15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 [1au] NS? . (28)15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44)15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33)15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28)15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ [1au] NS? . (28)15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ [1au] NS? . (28)15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36)16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ [1au] NS? . (28)16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ [1au] NS? . (28)16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ [1au] NS? . (28)16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ [1au] NS? . (28)16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ [1au] NS? . (28)16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43)16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 [1au] NS? 116.73.202.141. (43)17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 [1au] NS? 2.mr. (33)17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 [1au] NS? 6.mr. (33)17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 [1au] NS? 3.mr. (33)17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 [1au] NS? 172.192.168.2. (42) Regards,Gaurav Kansal ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Automatic . NS queries from BIND
On Mon, Jun 15, 2015 at 5:56 AM, Gaurav Kansal wrote: > Dear Team, > > > > My caching DNS server is generating log of . NS queries to ROOT Servers. > > I have a hint file in my bind configuration and the same is up-to date. > > > > The same behavior is occurring in multiple versions of BIND (tested on > 9.7, 9.9 and on 9.10). > > > > It must be for some purpose (may be BIND doesn’t trust hint file and cross > check it from root servers). > > Can anyone put some light on this. > > > > > > *Sample tcpdump output :-* > > 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 > [1au] NS? . (28) > > 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 > [1au] NS? . (28) > > 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 > [1au] NS? . (28) > > 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 > [1au] NS? . (28) > > 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 > [1au] NS? 117.240.177.150. (44) > > 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 > [1au] NS? 1.mr. (33) > > 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ > [1au] NS? . (28) > > 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ > [1au] NS? . (28) > > 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ > [1au] NS? . (28) > > 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 > [1au] NS? comp-HP. (36) > > 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ > [1au] NS? . (28) > > 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ > [1au] NS? . (28) > > 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ > [1au] NS? . (28) > > 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ > [1au] NS? . (28) > > 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ > [1au] NS? . (28) > > 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 > [1au] NS? 116.73.202.141. (43) > > 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 > [1au] NS? 116.73.202.141. (43) > > 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 > [1au] NS? 2.mr. (33) > > 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 > [1au] NS? 6.mr. (33) > > 17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 > [1au] NS? 3.mr. (33) > > 17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 > [1au] NS? 172.192.168.2. (42) > > > > Regards, > > Gaurav Kansal > > Bind has never trusted your hints file. (OK, I can't swear to v4.x of BIND, even though I did use 4.3 a very long time ago.) The file is called a hints file as it is used only to provide a starting place for your named to find the root. It's really not even needed in most cases as BIND now has a built-in set of hints that are used in the absence of a hints file. Yo0u really only need a hits file if you are using a non-standard (usually internal) root. Once named "finds" a responsive root from either its internal list or from the hints file, the hints are ignored. It gets a copy of the root zone and starts to figure out the fastest one for normal use. Periodically it will retry other root servers to make sure that it is always using a reasonably fast responding one. I'll admit to being unfamiliar with the algorithm used to make these periodic checks. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Automatic . NS queries from BIND
On Mon, Jun 15, 2015 at 3:06 PM, Kevin Oberman wrote: > On Mon, Jun 15, 2015 at 5:56 AM, Gaurav Kansal wrote: >> >> Dear Team, >> >> >> >> My caching DNS server is generating log of . NS queries to ROOT Servers. >> >> I have a hint file in my bind configuration and the same is up-to date. >> >> >> >> The same behavior is occurring in multiple versions of BIND (tested on >> 9.7, 9.9 and on 9.10). >> >> >> >> It must be for some purpose (may be BIND doesn’t trust hint file and cross >> check it from root servers). >> >> Can anyone put some light on this. >> >> >> >> >> >> Sample tcpdump output :- >> >> 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 >> [1au] NS? . (28) >> >> 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 >> [1au] NS? . (28) >> >> 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 >> [1au] NS? . (28) >> >> 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 >> [1au] NS? . (28) >> >> 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 >> [1au] NS? 117.240.177.150. (44) >> >> 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 >> [1au] NS? 1.mr. (33) >> >> 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ >> [1au] NS? . (28) >> >> 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ >> [1au] NS? . (28) >> >> 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ >> [1au] NS? . (28) >> >> 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 >> [1au] NS? comp-HP. (36) >> >> 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ >> [1au] NS? . (28) >> >> 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ >> [1au] NS? . (28) >> >> 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ >> [1au] NS? . (28) >> >> 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ >> [1au] NS? . (28) >> >> 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ >> [1au] NS? . (28) >> >> 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 >> [1au] NS? 116.73.202.141. (43) >> >> 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 >> [1au] NS? 116.73.202.141. (43) >> >> 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 >> [1au] NS? 2.mr. (33) >> >> 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 >> [1au] NS? 6.mr. (33) >> >> 17:25:16.707989 IP anydnsmby.35834 > i.root-servers.net.domain: 61843 >> [1au] NS? 3.mr. (33) >> >> 17:56:44.855060 IP anydnsmby.61903 > a.root-servers.net.domain: 23284 >> [1au] NS? 172.192.168.2. (42) >> >> >> >> Regards, >> >> Gaurav Kansal >> >> > > Bind has never trusted your hints file. (OK, I can't swear to v4.x of BIND, > even though I did use 4.3 a very long time ago.) > > The file is called a hints file as it is used only to provide a starting > place for your named to find the root. It's really not even needed in most > cases as BIND now has a built-in set of hints that are used in the absence > of a hints file. Yo0u really only need a hits file if you are using a > non-standard (usually internal) root. > > Once named "finds" a responsive root from either its internal list or from > the hints file, the hints are ignored. It gets a copy of the root zone and > starts to figure out the fastest one for normal use. Periodically it will > retry other root servers to make sure that it is always using a reasonably > fast responding one. I'll admit to being unfamiliar with the algorithm used > to make these periodic checks. Yah, as Kevin says, this is normal -- for more details: https://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-05 W > -- > Kevin Oberman, Network Engineer, Retired > E-mail: rkober...@gmail.com > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Automatic . NS queries from BIND
Right, we know how hints files are used, but I think you guys may be missing the underlying conundrum: why is named querying the NS records of the root zone more often than the TTL of that RRset? See that there is a “NS? .” query at 15:36:44 and then another one at 15:45:52. At 15:45:52 it should have answered its client from the data it cached from the answer to the 15:36:44 query (less than 10 minutes previous). Is named not seeing a response from the root servers in question? Is the max-cache-ttl being capped at a ridiculously-small value? The NS queries of other names besides “.” itself are red herrings. They are all unique names – dot-terminated octet strings, names in the “.mr” TLD, “comp-HP.” -- and we wouldn’t expect them to have been cached previously. But an answer to “NS? .” should be cached for *days*, not just a few minutes. I’m speculating that this might not be a pure “caching DNS server” after all; it might be a forwarder with “forward first” defined. In that case, if the forwarding path experiences occasional delays, then named will fail over to trying iterative resolution, and if the routing and/or firewall rules were never set up to allow that, then the symptoms would be as documented, since named would never get a response from the root servers. General rule: use “forward only” if you must use forwarders *exclusively*; “forward first” is only for *opportunistic* forwarding, where you still have the ability to fall back to iterative resolution, if and when necessary. (Personally, I’m not much of a fan of “forward first”, since it rarely if ever produces the performance benefit expected, or, even if it lowers the average query latency, it does so at the expense of the worst-case latency -- cache miss plus slow authoritative nameservers and/or misconfigured delegations -- and it’s worst-case that causes apps to time out, to break, and ultimately, users to show up bearing pitchforks and burning oil). - Kevin From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Leonard Mills Sent: Monday, June 15, 2015 3:05 PM To: Gaurav Kansal; bind-users@lists.isc.org Subject: Re: Automatic . NS queries from BIND The hints hopefully point eventually to an authoritative server for ".". Whatever that authoritative server says overrides any hints, just like any other zone's authoritative NS. It does not matter how obsolete a delegation is, so long as some authoritative NS replies, the data from the delegation (hints) no longer matters. HtH Len On Monday, June 15, 2015 6:14 AM, Gaurav Kansal mailto:gaurav.kan...@nic.in>> wrote: Dear Team, My caching DNS server is generating log of . NS queries to ROOT Servers. I have a hint file in my bind configuration and the same is up-to date. The same behavior is occurring in multiple versions of BIND (tested on 9.7, 9.9 and on 9.10). It must be for some purpose (may be BIND doesn’t trust hint file and cross check it from root servers). Can anyone put some light on this. Sample tcpdump output :- 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 [1au] NS? . (28) 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 [1au] NS? . (28) 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 [1au] NS? . (28) 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 [1au] NS? . (28) 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 [1au] NS? 117.240.177.150. (44) 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 [1au] NS? 1.mr. (33) 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ [1au] NS? . (28) 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ [1au] NS? . (28) 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ [1au] NS? . (28) 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 [1au] NS? comp-HP. (36) 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ [1au] NS? . (28) 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ [1au] NS? . (28) 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ [1au] NS? . (28) 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ [1au] NS? . (28) 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ [1au] NS? . (28) 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 [1au] NS? 116.73.202.141. (43) 16:51:14.835539 IP anydnsmby.19616 > i.root-servers.net.domain: 14926 [1au] NS? 116.73.202.141. (43) 17:25:16.706395 IP anydnsmby.58045 > i.root-servers.net.domain: 30880 [1au] NS? 2.mr. (33) 17:25:16.707072 IP anydnsmby.38495 > i.root-servers.net.domain: 43451 [1au] NS? 6.mr. (33) 17:25:16.70
RE: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA
>From a NL Ring node in india: ausregistry@hostvirtual01:~$ mtr 2001:500:2f::f My traceroute [v0.81] hostvirtual01.ring.nlnog.net (::) Mon Jun 15 23:29:29 2015 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings HostLoss% Snt Last Avg Best Wrst StDev 1. 2403:2500:4000::1 0.0%140.3 0.4 0.3 0.5 0.1 2. 2401:8800:810:2::10.0%142.2 1.5 0.6 2.3 0.6 3. 2401:8800:800:201::1 0.0%140.8 1.4 0.4 2.4 0.6 4. 2404:a800:2:1e::1c:1 0.0%143.5 2.0 1.3 3.5 0.7 5. 2404:a800:2:c003::1 0.0%147.1 6.5 4.5 9.4 1.6 6. 2001:de8:1:2::1 0.0%142.6 2.6 2.1 3.4 0.3 7. 2001:de8:1:2::3 0.0%133.7 2.8 2.2 3.8 0.6 8. f.root-servers.net0.0%133.2 3.0 2.1 4.0 0.6 'dig' et al work for one-off testing. I am getting inconsistent results from doing lots of requests (occasional ' ;; Truncated, retrying in TCP mode.', but that's probably flood protection from testing too quickly). All responses I get are from nsid: ; NSID: 6d 61 61 31 62 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 (m) (a) (a) (1) (b) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g) -- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of gaurav.kan...@nic.in Sent: Tuesday, 16 June 2015 2:58 AM To: war...@kumari.net Cc: bind-users@lists.isc.org Subject: Re: Not able to query from F.ROOT-SERVERS.NET over IPv6 -- FROM INDIA I am trying to telnet (port 53)/ping/dig on 2001:500:2F::F address. Src address is 2405:8a00::/32. Trace is blocked at firewall end. If needed i wl try to get the same. Regards, Gaurav Kansal STUART BROWNE Senior Unix Administrator, Network Administrator, Database Admin P +61 9866 3710 www.bomboratech.com.au Follow us on https://twitter.com/BomboraTech The Bombora Technologies group of companies includes AusRegistry, ARI Registry Services, AusRegistry International and ZOAK Solutions. The information contained in this communication is intended for the named recipients only. It is subject to copyright and may contain legally privileged and confidential information and if you are not an intended recipient you must not use, copy, distribute or take any action in reliance on it. If you have received this communication in error, please delete all copies from your system and notify us immediately. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Automatic . NS queries from BIND
On Mon, Jun 15, 2015 at 1:29 PM, Darcy Kevin (FCA) wrote: > Right, we know how hints files are used, but I think you guys may be > missing the underlying conundrum: why is named querying the NS records of > the root zone more often than the TTL of that RRset? See that there is a > “NS? .” query at 15:36:44 and then another one at 15:45:52. At 15:45:52 > it should have answered its client from the data it cached from the answer > to the 15:36:44 query (less than 10 minutes previous). > > > > Is named not seeing a response from the root servers in question? Is the > max-cache-ttl being capped at a ridiculously-small value? > > > > The NS queries of other names besides “.” itself are red herrings. They > are all unique names – dot-terminated octet strings, names in the “.mr” > TLD, “comp-HP.” -- and we wouldn’t expect them to have been cached > previously. But an answer to “NS? .” should be cached for **days**, not > just a few minutes. > > > > I’m speculating that this might not be a pure “caching DNS server” after > all; it might be a forwarder with “forward first” defined. In that case, if > the forwarding path experiences occasional delays, then named will fail > over to trying iterative resolution, and if the routing and/or firewall > rules were never set up to allow that, then the symptoms would be as > documented, since named would never get a response from the root servers. > General rule: use “forward only” if you must use forwarders **exclusively**; > “forward first” is only for **opportunistic** forwarding, where you still > have the ability to fall back to iterative resolution, if and when > necessary. (Personally, I’m not much of a fan of “forward first”, since it > rarely if ever produces the performance benefit expected, or, even if it > lowers the *average *query latency, it does so at the expense of the > *worst-case* latency -- cache miss plus slow authoritative nameservers > and/or misconfigured delegations -- and it’s worst-case that causes apps to > time out, to break, and ultimately, users to show up bearing pitchforks and > burning oil). > > > > > - Kevin > There is more to than TTL expiry involved. TTL on the root is pretty long (60 days). There are also the regular and far more frequent checks for fastest response. These are performed according to an algorithm in BIND that I have not seen documented. It i possible that these queries are responsible, especially as queries are going out to multiple root servers. That said, I admit that I see a real possibility that Kevin is right. I also dislike "forward first". Since I am retired, I no longer manage a BIND server, so I have no logs to check on the behavior of "my" server. It would be interesting to see any documentation on the algorithm used to detect the "closest" root server as well as the log of someone else running a similar setup. -- Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com On Monday, June 15, 2015 6:14 AM, Gaurav Kansal > wrote: > > > > Dear Team, > > > > My caching DNS server is generating log of . NS queries to ROOT Servers. > > I have a hint file in my bind configuration and the same is up-to date. > > > > The same behavior is occurring in multiple versions of BIND (tested on > 9.7, 9.9 and on 9.10). > > > > It must be for some purpose (may be BIND doesn’t trust hint file and cross > check it from root servers). > > Can anyone put some light on this. > > > > > > *Sample tcpdump output :-* > > 15:36:42.440831 IP anydnsmby.27938 > k.root-servers.net.domain: 38907 > [1au] NS? . (28) > > 15:36:43.241203 IP anydnsmby.52261 > f.root-servers.net.domain: 3841 > [1au] NS? . (28) > > 15:36:43.624041 IP anydnsmby.48889 > k.root-servers.net.domain: 6314 > [1au] NS? . (28) > > 15:36:44.424047 IP anydnsmby.65507 > c.root-servers.net.domain: 27973 > [1au] NS? . (28) > > 15:37:42.071574 IP anydnsmby.38958 > i.root-servers.net.domain: 53519 > [1au] NS? 117.240.177.150. (44) > > 15:40:11.121122 IP anydnsmby.7941 > i.root-servers.net.domain: 62400 > [1au] NS? 1.mr. (33) > > 15:45:52.780062 IP anydnsmby.49432 > e.root-servers.net.domain: 54241+ > [1au] NS? . (28) > > 15:45:59.341780 IP anydnsmby.34368 > e.root-servers.net.domain: 55928+ > [1au] NS? . (28) > > 15:46:04.487088 IP anydnsmby.35621 > e.root-servers.net.domain: 7266+ > [1au] NS? . (28) > > 15:46:35.453029 IP anydnsmby.62875 > i.root-servers.net.domain: 4129 > [1au] NS? comp-HP. (36) > > 16:16:13.747955 IP anydnsmby.39690 > a.root-servers.net.domain: 8774+ > [1au] NS? . (28) > > 16:16:20.845363 IP anydnsmby.36994 > e.root-servers.net.domain: 63433+ > [1au] NS? . (28) > > 16:16:36.746049 IP anydnsmby.42878 > a.root-servers.net.domain: 48439+ > [1au] NS? . (28) > > 16:16:42.060534 IP anydnsmby.41018 > j.root-servers.net.domain: 5347+ > [1au] NS? . (28) > > 16:16:49.081649 IP anydnsmby.53661 > e.root-servers.net.domain: 54768+ > [1au] NS? . (28) > > 16:51:14.034065 IP anydnsmby.38025 > k.root-servers.net.domain: 52771 > [1au] NS? 116.
