Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread John Miller
Ok--I see what's up now!  This has been one of the stranger DNS setups
I've ever seen: different NS records pointing to overlapping sets of
IP addresses, EDNS disabled, really short TTLs on both NS and A
records.  Even though you're not querying at the name listed in the NS
records, it's usually the same IP under the hood, so

# dig +noedns zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.

should work--it's only when the nameserver itself fails to resolve
that things go funny.

If things are working for you now, I'll leave you be.  Thanks for a
really interesting problem!

John

On Wed, May 4, 2016 at 4:52 PM, Rob Heilman  wrote:
> That is a valid NS for the *.mail.oe.outlook.com hostnames.  Probably got
> wires crossed between the different examples.  Either way I could not
> resolve that server name at that time.  Now it is responding 100% of the
> time for both *.mail.oe.outlook.com and *.mail.protection.outlook.com hosts.
>
> -Rob Heilman
>
>
>
> ;mail.eo.outlook.com. IN NS
>
> ;; ANSWER SECTION:
> mail.eo.outlook.com. 10 IN NS ns2-prodeodns.glbdns.o365filtering.com.
> mail.eo.outlook.com. 10 IN NS ns1-prodeodns.glbdns.o365filtering.com.
>
> ;; ADDITIONAL SECTION:
> ns1-prodeodns.glbdns.o365filtering.com. 6 IN A 207.46.100.42
> ns1-prodeodns.glbdns.o365filtering.com. 6 IN A 65.55.169.42
> ns1-prodeodns.glbdns.o365filtering.com. 6 IN A 157.56.112.42
> ns2-prodeodns.glbdns.o365filtering.com. 30 IN A 207.46.163.143
> ns2-prodeodns.glbdns.o365filtering.com. 30 IN A 207.46.163.176
> ns2-prodeodns.glbdns.o365filtering.com. 30 IN A 157.55.234.42
>
> ;; Query time: 9 msec
> ;; SERVER: 10.10.10.21#53(10.10.10.21)
> ;; WHEN: Wed May  4 16:47:26 2016
> ;; MSG SIZE  rcvd: 210
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Nsupdate usage scenario

2016-05-04 Thread Alan Clegg
On 5/4/16, 4:27 PM, "/dev/rob0"  wrote:

>My personal recommendation: get over the idea of looking at zone
>files; use "dig axfr example.com. | less".  Let named manage and
>serve the DNS data as it will.  Comments can be included as TXT
>records if you like.

So much this.

AlanC




Re: Nsupdate usage scenario

2016-05-04 Thread /dev/rob0
On Wed, May 04, 2016 at 03:17:38PM -0400, Paul Kosinski wrote:
> Interesting idea -- it never occurred to me that I could have 
> separate zone files for sub-domains.

Every zone is a subzone of its parent zone.

> So, if I had a tiny zone file for "dynamic.example.com" alone, and 
> a bigger zone file for all the other stuff for "example.com", could 
> I be *sure* that nsupdate would *only* modify the tiny file, and 
> not mess with the bigger, main file?
> 
> Or would I also have to put a ZONE statement as the first line of 
> the nsupdate data stream specifying "dynamic.example.com" as the 
> zone to be updated? (And would that *guarantee* the main file was 
> not changed?)

This is a bigger can of worms than you think.  I did it with my own 
dynamic zone some years back, now wishing to flatten it back into 
the parent zone (because they are both dynamic now.)

* You have to delegate the [sub]zone to a set of nameservers
* You have to configure those nameservers to serve that [sub]zone

The NS for your subzone can be, but need not be, the same as the ones 
serving your parent zone.  Choose one to be master.  Put that name in 
the SOA MNAME field for the subzone.  (The MNAME is used by nsupdate 
in choosing where to send an update.  It's not essential because you 
can also use a "server" line in your nsupdate input.)

Note that on the master you need an allow-update or update-policy in 
your zone statement.

My personal recommendation: get over the idea of looking at zone 
files; use "dig axfr example.com. | less".  Let named manage and 
serve the DNS data as it will.  Comments can be included as TXT 
records if you like.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
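
How the pieces described above fit together, as an added example that is not part of the original message: the delegation, the subzone apex with its MNAME, an update-policy on the master, and an nsupdate batch pinned with "server" and "zone" lines. The master ns1.example.com, the key name ddns-key, the zone file path and the host home.dynamic.example.com are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names throughout:
# master ns1.example.com, TSIG key "ddns-key", host home.dynamic.example.com.

ZONE="dynamic.example.com."
MASTER="ns1.example.com."

# Records that go into the parent zone (example.com) to delegate the subzone.
parent_delegation() {
    printf '%s 3600 IN NS %s\n' "$ZONE" "$MASTER"
}

# Apex of the subzone. The first SOA field is the MNAME that nsupdate uses
# to pick a server when the batch has no "server" line.
subzone_apex() {
    printf '%s 3600 IN SOA %s hostmaster.example.com. 1 3600 900 604800 300\n' "$ZONE" "$MASTER"
    printf '%s 3600 IN NS %s\n' "$ZONE" "$MASTER"
}

# Zone statement for named.conf on the master: only ddns-key may update,
# and only the A record of one name.
subzone_conf() {
    cat <<EOF
zone "${ZONE%.}" {
    type master;
    file "dynamic/${ZONE%.}.db";
    update-policy { grant ddns-key name home.${ZONE} A; };
};
EOF
}

# Succeeds when name ($1) is the zone ($2) itself or lies below it.
in_zone() {
    n=$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')
    z=$(printf '%s' "${2%.}." | tr 'A-Z' 'a-z')
    case "$n" in
        "$z"|*."$z") return 0 ;;
        *) return 1 ;;
    esac
}

# nsupdate input replacing the A record of name ($1) with ttl ($2), address ($3).
# Names outside the dynamic zone are refused before anything is sent.
nsupdate_batch() {
    in_zone "$1" "$ZONE" || { echo "refusing: $1 is outside $ZONE" >&2; return 1; }
    cat <<EOF
server ${MASTER%.}
zone ${ZONE%.}
update delete ${1%.}. A
update add ${1%.}. $2 A $3
send
EOF
}

parent_delegation
subzone_apex
subzone_conf
nsupdate_batch home.dynamic.example.com 300 192.0.2.10
```

Pipe the batch into "nsupdate -k" with the key file. With the zone named in the batch, the server answers NOTZONE (RFC 2136) for any record outside dynamic.example.com, so the parent zone's data is left alone.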


Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Rob Heilman
What is the typo?  I ran it three times.  The first time gave me the “couldn’t 
get address” error.  The second I got the FORMERR, the third worked when I 
added +noedns.

-rh


> On May 4, 2016, at 3:57 PM, John Miller  wrote:
> 
> On Wed, May 4, 2016 at 3:23 PM, Rob Heilman  wrote:
>> Could it be that the “adberr:2” logs entries are indicating that it 
>> periodically can’t find the name servers?
>> 
>> -Rob Heilman
>> 
>> 
>> 
>> # dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.
>> 
>> dig: couldn't get address for 'ns1-prodeodns.glbdns.o365filtering.com.': failure
>> 
>> 
> 
> Nothing quite so fancy there - I think you're querying the wrong
> nameserver.  Try
> 
> mail.protection.outlook.com. 1800 IN NS ns2-proddns.glbdns.o365filtering.com.
> mail.protection.outlook.com. 1800 IN NS ns1-proddns.glbdns.o365filtering.com.
> 
> instead.  Just looks like a typo on your end.
> 
> John


Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread John Miller
On Wed, May 4, 2016 at 3:57 PM, John Miller  wrote:
> On Wed, May 4, 2016 at 3:23 PM, Rob Heilman  wrote:
>> Could it be that the “adberr:2” logs entries are indicating that it 
>> periodically can’t find the name servers?
>>
>> -Rob Heilman
>>
>>
>>
>> # dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.
>>
>> dig: couldn't get address for 'ns1-prodeodns.glbdns.o365filtering.com.': failure
>>
>>
>
> Nothing quite so fancy there - I think you're querying the wrong
> nameserver.  Try
>
> mail.protection.outlook.com. 1800 IN NS ns2-proddns.glbdns.o365filtering.com.
> mail.protection.outlook.com. 1800 IN NS ns1-proddns.glbdns.o365filtering.com.
>
> instead.  Just looks like a typo on your end.
>
> John

Although you could argue that this _is_ a rodeo:

"prodeodns"

;-)

Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread John Miller
On Wed, May 4, 2016 at 3:23 PM, Rob Heilman  wrote:
> Could it be that the “adberr:2” logs entries are indicating that it 
> periodically can’t find the name servers?
>
> -Rob Heilman
>
>
>
> # dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.
>
> dig: couldn't get address for 'ns1-prodeodns.glbdns.o365filtering.com.': failure
>
>

Nothing quite so fancy there - I think you're querying the wrong
nameserver.  Try

mail.protection.outlook.com. 1800 IN NS ns2-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. 1800 IN NS ns1-proddns.glbdns.o365filtering.com.

instead.  Just looks like a typo on your end.

John

Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Rob Heilman
Could it be that the “adberr:2” logs entries are indicating that it 
periodically can’t find the name servers?

-Rob Heilman



# dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.

dig: couldn't get address for 'ns1-prodeodns.glbdns.o365filtering.com.': failure


# dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 35547
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'

;; Query time: 73 msec
;; SERVER: 207.46.100.42#53(207.46.100.42)
;; WHEN: Wed May 04 14:44:22 EDT 2016
;; MSG SIZE  rcvd: 12


# dig zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com. +noedns

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> zulily-com.mail.protection.outlook.com. @ns1-prodeodns.glbdns.o365filtering.com. +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27187
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;zulily-com.mail.protection.outlook.com. IN A

;; ANSWER SECTION:
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.138
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.247
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.215

;; Query time: 74 msec
;; SERVER: 207.46.100.42#53(207.46.100.42)
;; WHEN: Wed May 04 14:44:56 EDT 2016
;; MSG SIZE  rcvd: 218


> On May 4, 2016, at 3:16 PM, John Miller  wrote:
> 
>> 
>> dig mail.protection.outlook.com. ns @ns1-proddns.glbdns.o365filtering.com. +noedns
>> ;; ANSWER SECTION:
>> mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.
>> mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.
>> 
>> 
>> 
>> Note the short TTL on the A and NS records, combined with dns servers
>> that don't understand edns. Is there something in bind 9.9.5 that would
>> not like that combination? I presume that 9.9.5 would try edns first,
>> and then backoff to noedns after receiving the FORMERR.
>> 
> 
> Seems very odd to have a TTL of 10 seconds on an NS record: anyone
> seen that before?  Combining that with EDNS disabled means that you're
> essentially having to make four lookups every single time you want to
> use Outlook 365.
> 
> John

Re: Nsupdate usage scenario

2016-05-04 Thread Paul Kosinski
Interesting idea -- it never occurred to me that I could have separate
zone files for sub-domains.

So, if I had a tiny zone file for "dynamic.example.com" alone, and a
bigger zone file for all the other stuff for "example.com", could I be
*sure* that nsupdate would *only* modify the tiny file, and not mess
with the bigger, main file?

Or would I also have to put a ZONE statement as the first line of the
nsupdate data stream specifying "dynamic.example.com" as the zone to be
updated? (And would that *guarantee* the main file was not changed?)


On Mon, 2 May 2016 14:15:21 -0500 (CDT)
"Jeremy C. Reed"  wrote:

> What about using a specific zone file just for the purpose of the
> single A record you want to maintain using dynamic updates?
> 


Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread John Miller
>
> dig mail.protection.outlook.com. ns @ns1-proddns.glbdns.o365filtering.com. +noedns
> ;; ANSWER SECTION:
> mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.
> mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.
>
>
>
> Note the short TTL on the A and NS records, combined with dns servers
> that don't understand edns. Is there something in bind 9.9.5 that would
> not like that combination? I presume that 9.9.5 would try edns first,
> and then backoff to noedns after receiving the FORMERR.
>

Seems very odd to have a TTL of 10 seconds on an NS record: anyone
seen that before?  Combining that with EDNS disabled means that you're
essentially having to make four lookups every single time you want to
use Outlook 365.

John


Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Carl Byington

On Wed, 2016-05-04 at 14:02 -0400, Rob Heilman wrote:
> query failed (SERVFAIL) for zulily-com.mail.protection.outlook.com/IN/A

;; ANSWER SECTION:
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.170
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.247
zulily-com.mail.protection.outlook.com. 10 IN A 207.46.163.215

;; AUTHORITY SECTION:
mail.protection.outlook.com. 1800 IN NS ns2-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. 1800 IN NS ns1-proddns.glbdns.o365filtering.com.



dig ns1-proddns.glbdns.o365filtering.com. a
;; ANSWER SECTION:
ns1-proddns.glbdns.o365filtering.com. 30 IN A   207.46.163.176
ns1-proddns.glbdns.o365filtering.com. 30 IN A   65.55.169.42
ns1-proddns.glbdns.o365filtering.com. 30 IN A   207.46.163.143
ns1-proddns.glbdns.o365filtering.com. 30 IN A   207.46.100.42



dig mail.protection.outlook.com. ns @ns1-proddns.glbdns.o365filtering.com. +noedns
;; ANSWER SECTION:
mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.



Note the short TTL on the A and NS records, combined with dns servers
that don't understand edns. Is there something in bind 9.9.5 that would
not like that combination? I presume that 9.9.5 would try edns first,
and then backoff to noedns after receiving the FORMERR.





RE: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread John W. Blue
I ran several digs using:


dig @ns1-prodeodns.glbdns.o365filtering.com. A zulily-com.mail.protection.outlook.com. +short


without error.  As mentioned previously by Mark Andrews:


> SERVFAIL usually means that the server is configured for the zone
> but doesn't have a current copy.


You gave a snip of the error that is logged, but you might also consider 
pulling a tcpdump to see both sides of the actual conversation.  It might 
provide additional insight.


John



From: bind-users-boun...@lists.isc.org  on 
behalf of Rob Heilman 
Sent: Wednesday, May 4, 2016 1:02 PM
To: bind-users@lists.isc.org
Subject: Intermittent Issues Resolving Microsoft Hostnames

We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized email
hosting system.  System info listed at the end of this message.  We are seeing
intermittent but frequent issues resolving Microsoft records.  The hostnames
are usually in the form of *.mail.protection.outlook.com or
*.mail.eo.outlook.com.  They range from k-12/university organizations,
small businesses, to large commercial companies.  Some examples follow:

03-May-2016 09:16:48.001 query-errors: debug 1: client 10.10.10.95#44080 (zulily-com.mail.protection.outlook.com): query failed (SERVFAIL) for zulily-com.mail.protection.outlook.com/IN/A at query.c:7004
03-May-2016 09:16:48.002 query-errors: debug 2: fetch completed at resolver.c:3074 for zulily-com.mail.protection.outlook.com/A in 0.67: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 09:32:38.498 query-errors: debug 1: client 10.10.10.95#44080 (hanes-com.mail.protection.outlook.com): query failed (SERVFAIL) for hanes-com.mail.protection.outlook.com/IN/A at query.c:7004
04-May-2016 09:32:38.498 query-errors: debug 2: fetch completed at resolver.c:3074 for hanes-com.mail.protection.outlook.com/A in 0.004677: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 12:47:12.935 query-errors: debug 1: client 10.10.10.95#44080 (pitt-edu.mail.protection.outlook.com): query failed (SERVFAIL) for pitt-edu.mail.protection.outlook.com/IN/A at query.c:7004
04-May-2016 12:47:12.935 query-errors: debug 2: fetch completed at resolver.c:3074 for pitt-edu.mail.protection.outlook.com/A in 0.85: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 12:47:30.918 query-errors: debug 1: client 10.10.10.96#48950 (mdfoodbank-org.mail.eo.outlook.com): query failed (SERVFAIL) for mdfoodbank-org.mail.eo.outlook.com/IN/A at query.c:7004
04-May-2016 12:47:30.918 query-errors: debug 2: fetch completed at resolver.c:3074 for mdfoodbank-org.mail.eo.outlook.com/A in 0.78: failure/success [domain:mail.eo.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

I have added config statements to send query-errors to dedicated files and
increased debugging to 10 on that channel.  The referenced sections of
resolver.c and query.c are as follows:

resolver.c

fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
    isc_result_t result;
    dns_adbaddrinfo_t *addrinfo;

    FCTXTRACE("try");

    REQUIRE(!ADDRWAIT(fctx));

    addrinfo = fctx_nextaddress(fctx);
    if (addrinfo == NULL) {
        /*
         * We have no more addresses.  Start over.
         */
        fctx_cancelqueries(fctx, ISC_TRUE);
        fctx_cleanupfinds(fctx);
        fctx_cleanupaltfinds(fctx);
        fctx_cleanupforwaddrs(fctx);
        fctx_cleanupaltaddrs(fctx);
        result = fctx_getaddresses(fctx, badcache);
        if (result == DNS_R_WAIT) {
            /*
             * Sleep waiting for addresses.
             */
            FCTXTRACE("addrwait");
            fctx->attributes |= FCTX_ATTR_ADDRWAIT;
            return;
 

Re: Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 02:02:24PM -0400,
 Rob Heilman  wrote 
 a message of 305 lines which said:

> We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized
> email hosting system.  System info listed at the end of this
> message.  We are seeing intermittent but frequent issues resolving
> Microsoft records.  The hostnames are usually in the form of
> *.mail.protection.outlook.com

protection.outlook.com has a legal but unusual setup. It has only two
name servers (not enough for an important domain) but each has several
IP addresses. It should work because the RFC says that the resolver
has to try every _address_ not just every name. And I'm confident BIND
does the right thing.

However, one can note that both name servers have _exactly_ the same
set of IP addresses. Again, it should work, but this setup is strange.


Intermittent Issues Resolving Microsoft Hostnames

2016-05-04 Thread Rob Heilman
We run BIND 9.9.5-9 on Debian x86_64 to support a moderately sized email
hosting system.  System info listed at the end of this message.  We are seeing
intermittent but frequent issues resolving Microsoft records.  The hostnames
are usually in the form of *.mail.protection.outlook.com or
*.mail.eo.outlook.com.  They range from k-12/university organizations,
small businesses, to large commercial companies.  Some examples follow:

03-May-2016 09:16:48.001 query-errors: debug 1: client 10.10.10.95#44080 (zulily-com.mail.protection.outlook.com): query failed (SERVFAIL) for zulily-com.mail.protection.outlook.com/IN/A at query.c:7004
03-May-2016 09:16:48.002 query-errors: debug 2: fetch completed at resolver.c:3074 for zulily-com.mail.protection.outlook.com/A in 0.67: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 09:32:38.498 query-errors: debug 1: client 10.10.10.95#44080 (hanes-com.mail.protection.outlook.com): query failed (SERVFAIL) for hanes-com.mail.protection.outlook.com/IN/A at query.c:7004
04-May-2016 09:32:38.498 query-errors: debug 2: fetch completed at resolver.c:3074 for hanes-com.mail.protection.outlook.com/A in 0.004677: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 12:47:12.935 query-errors: debug 1: client 10.10.10.95#44080 (pitt-edu.mail.protection.outlook.com): query failed (SERVFAIL) for pitt-edu.mail.protection.outlook.com/IN/A at query.c:7004
04-May-2016 12:47:12.935 query-errors: debug 2: fetch completed at resolver.c:3074 for pitt-edu.mail.protection.outlook.com/A in 0.85: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

04-May-2016 12:47:30.918 query-errors: debug 1: client 10.10.10.96#48950 (mdfoodbank-org.mail.eo.outlook.com): query failed (SERVFAIL) for mdfoodbank-org.mail.eo.outlook.com/IN/A at query.c:7004
04-May-2016 12:47:30.918 query-errors: debug 2: fetch completed at resolver.c:3074 for mdfoodbank-org.mail.eo.outlook.com/A in 0.78: failure/success [domain:mail.eo.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

I have added config statements to send query-errors to dedicated files and 
increased debugging to 10 on that channel.  The referenced sections of 
resolver.c and query.c are as follows:

resolver.c

fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
    isc_result_t result;
    dns_adbaddrinfo_t *addrinfo;

    FCTXTRACE("try");

    REQUIRE(!ADDRWAIT(fctx));

    addrinfo = fctx_nextaddress(fctx);
    if (addrinfo == NULL) {
        /*
         * We have no more addresses.  Start over.
         */
        fctx_cancelqueries(fctx, ISC_TRUE);
        fctx_cleanupfinds(fctx);
        fctx_cleanupaltfinds(fctx);
        fctx_cleanupforwaddrs(fctx);
        fctx_cleanupaltaddrs(fctx);
        result = fctx_getaddresses(fctx, badcache);
        if (result == DNS_R_WAIT) {
            /*
             * Sleep waiting for addresses.
             */
            FCTXTRACE("addrwait");
            fctx->attributes |= FCTX_ATTR_ADDRWAIT;
            return;
        } else if (result != ISC_R_SUCCESS) {
            /*
             * Something bad happened.
             */
            fctx_done(fctx, result, __LINE__);

query.c

        /*
         * Switch to the new qname and restart.
         */
        ns_client_qnamereplace(client, fname);
        fname = NULL;
        want_restart = ISC_TRUE;
        if (!WANTRECURSION(client))
            options |= DNS_GETDB_NOLOG;
        goto addauth;
    default:
        /*
         * Something has gone wrong.
         */
        QUERY_ERROR(DNS_R_SERVFAIL);


Does anyone know what these logged errors indicate or where I can research them 
further in the documentation?  So far my searches are coming up empty.  

Thanks,
Rob Heilman


# uname -a
Linux fe2 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) i686 GNU/Linux
# /usr/sbin/named -v
BIND 9.9.5-9+deb8u6-Debian (Extended Support Version)
#
sar reports average 1m load average under .5 and CPU idle over 90%.
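
One way to read the counter lists in the log lines above, as an added example that is not part of the original message: group the "fetch completed" lines by delegation and count the fetches that failed on nameserver address lookups (adberr) before any query was sent (qrysent:0). The first five sample lines are copied from this message; the last is constructed for contrast.

```shell
#!/bin/sh
# Added example, not from the thread: per-delegation summary of BIND
# query-errors "fetch completed" lines.

# Sample input. Lines 1-5 are copied from the message above; line 6 is
# constructed here (a fetch that did send queries and then timed out).
sample_log() {
    cat <<'EOF'
03-May-2016 09:16:48.001 query-errors: debug 1: client 10.10.10.95#44080 (zulily-com.mail.protection.outlook.com): query failed (SERVFAIL) for zulily-com.mail.protection.outlook.com/IN/A at query.c:7004
03-May-2016 09:16:48.002 query-errors: debug 2: fetch completed at resolver.c:3074 for zulily-com.mail.protection.outlook.com/A in 0.67: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
04-May-2016 09:32:38.498 query-errors: debug 2: fetch completed at resolver.c:3074 for hanes-com.mail.protection.outlook.com/A in 0.004677: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
04-May-2016 12:47:12.935 query-errors: debug 2: fetch completed at resolver.c:3074 for pitt-edu.mail.protection.outlook.com/A in 0.85: failure/success [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
04-May-2016 12:47:30.918 query-errors: debug 2: fetch completed at resolver.c:3074 for mdfoodbank-org.mail.eo.outlook.com/A in 0.78: failure/success [domain:mail.eo.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]
04-May-2016 13:05:10.120 query-errors: debug 2: fetch completed at resolver.c:3074 for www.example.net/A in 30.000183: timed out/success [domain:example.net,referral:0,restart:7,qrysent:8,timeout:7,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
EOF
}

# Counters used: qrysent = queries sent toward the zone's servers,
# adberr = failures to find nameserver addresses in the address database (ADB).
# Reads named log lines on stdin, prints one summary line per "domain:" value.
summarize_fetch_failures() {
    awk '
    /query-errors: debug 2: fetch completed/ {
        # The counters are the bracketed, comma-separated list at the end.
        lb = index($0, "[")
        rb = index($0, "]")
        if (lb == 0 || rb <= lb) next
        n = split(substr($0, lb + 1, rb - lb - 1), kv, ",")
        split("", c)                      # clear the per-line counter map
        for (i = 1; i <= n; i++) {
            sep = index(kv[i], ":")
            c[substr(kv[i], 1, sep - 1)] = substr(kv[i], sep + 1)
        }
        d = c["domain"]
        fetches[d]++
        adb[d] += c["adberr"]
        # Fetch gave up without a single query leaving the resolver.
        if (c["qrysent"] + 0 == 0 && c["adberr"] + 0 > 0) noaddr[d]++
    }
    END {
        for (d in fetches)
            printf "%s fetches=%d adberr=%d failed_before_query=%d\n",
                   d, fetches[d], adb[d], noaddr[d]
    }' | LC_ALL=C sort
}

sample_log | summarize_fetch_failures
```

A delegation where failed_before_query equals fetches points at the nameserver names themselves not resolving, rather than at the authoritative servers' answers.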




Re: Monitor DNS queries toward Root servers

2016-05-04 Thread Stephane Bortzmeyer
On Wed, May 04, 2016 at 07:03:13PM +1000,
 Mark Andrews  wrote 
 a message of 15 lines which said:

> fill in with the rest of the root servers names.

And if you don't like to type, or if you use another root:

sudo tcpdump -n -i ${INTERFACE} port 53 and \( $(for ns in $(dig +nodnssec +short NS .); do echo host $(dig +short +nodnssec $ns) or; done) host 2001:db8::1 \)
# Last (dummy) host just to use the last "or"


Re: Monitor DNS queries toward Root servers

2016-05-04 Thread Mark Andrews

tcpdump -n \( host a.root-servers.net or host b.root-servers.net \) and dst port 53

fill in with the rest of the root servers names.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Monitor DNS queries toward Root servers

2016-05-04 Thread Jaap Akkerhuis
 Daniel Dawalibi writes:

 > 
 > Hello
 > 
 >  
 > 
 > Is there any tool or configuration that allows us to monitor/graph the
 > number of outbound DNS queries toward the Root servers?

http://dnstop.measurement-factory.com/

jaap


Monitor DNS queries toward Root servers

2016-05-04 Thread Daniel Dawalibi
Hello

 

Is there any tool or configuration that allows us to monitor/graph the
number of outbound DNS queries toward the Root servers?

As you can see in the examples below, the first query was answered by M root,
then F root in the second query.

 

; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.                       450124  IN      NS      f.root-servers.net.
.                       450124  IN      NS      b.root-servers.net.
.                       450124  IN      NS      j.root-servers.net.
.                       450124  IN      NS      d.root-servers.net.
.                       450124  IN      NS      h.root-servers.net.
.                       450124  IN      NS      g.root-servers.net.
.                       450124  IN      NS      a.root-servers.net.
.                       450124  IN      NS      c.root-servers.net.
.                       450124  IN      NS      k.root-servers.net.
.                       450124  IN      NS      m.root-servers.net.
.                       450124  IN      NS      e.root-servers.net.
.                       450124  IN      NS      l.root-servers.net.
.                       450124  IN      NS      i.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 12 ms

com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 68 ms

cnn.com.                172800  IN      NS      ns1.timewarner.net.
cnn.com.                172800  IN      NS      ns3.timewarner.net.
cnn.com.                172800  IN      NS      ns1.p42.dynect.net.
cnn.com.                172800  IN      NS      ns2.p42.dynect.net.
;; Received 190 bytes from 192.43.172.30#53(i.gtld-servers.net) in 64 ms

www.cnn.com.            300     IN      CNAME   turner.map.fastly.net.
;; Received 64 bytes from 204.74.108.238#53(ns1.timewarner.net) in 61 ms


; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.                       450105  IN      NS      a.root-servers.net.
.                       450105  IN      NS      f.root-servers.net.
.                       450105  IN      NS      l.root-servers.net.
.                       450105  IN      NS      h.root-servers.net.
.                       450105  IN      NS      b.root-servers.net.
.                       450105  IN      NS      g.root-servers.net.
.                       450105  IN      NS      k.root-servers.net.
.                       450105  IN      NS      i.root-servers.net.
.                       450105  IN      NS      j.root-servers.net.
.                       450105  IN      NS      c.root-servers.net.
.                       450105  IN      NS      m.root-servers.net.
.                       450105  IN      NS      d.root-servers.net.
.                       450105  IN      NS      e.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 0 ms

com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
;; Received 501 bytes from 192.5.5.241#53(f.root-servers.net) in 155 ms

cnn.com.                172800  IN      NS      ns1.timewarner.net.
cnn.com.                172800  IN      NS      ns3.timewarner.net.
cnn.com.                172800  IN      NS      ns1.p42.dynect.net.