Re: Name Resolution issue with one domain

2012-03-22 Thread babu dheen
Dear All,
 
 Thanks a lot for helping to identify the exact problem. Now my problem has 
been solved once I changed the source port from 53 to an ephemeral port.
 
Regards
Babudheen
 


 From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org 
Sent: Thursday, 22 March 2012 12:46 PM
Subject: Re: Name Resolution issue with one domain
  
> On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:
>> maybe the admin set that up to force local servers using random ports,
>> instead of 53, for outgoing requests. Nobody should use port 53 for
>> _outgoing_ requests.

On 21.03.12 23:41, Anand Buddhdev wrote:
> You're wrong. A name server can use any source port from 1 up to 65535
> for an outgoing query, as long as that port is not in use by any other
> process on the system.

well, it _can_ but because ports < 1024 are understood as privileged, it should 
not use them.

> In fact, up until Kaminsky's revelation, many BIND servers used a fixed
> source port of 53.

yes, but because of Kaminsky's revelation, servers should not use that port 
anymore.

While it's up to the admin of resolving server, it's possible that FW 
admin at dubai airport had reason to block ports>1024. 
Maybe they got attacked from enabled chargen or echo UDP services from somewhere. 
We do not know that. But we surely know that OP's nameservers use port 53 which 
they should not use...


-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
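
The cause and fix reported in this thread (a resolver pinned to source port 53 through `query-source` in named.conf, visible in the firewall log as sessions with `src_port=53` and `rcvd=0`) can be checked mechanically. The Python below is an added example, not code from any poster or from ISC; the config fragments, log lines, documentation-range addresses, the `MIN_SESSIONS` threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed named.conf fragments (not from any poster's server).
NAMED_CONF_PINNED = '''
options {
    directory "/var/named";
    // query-source address * port 1053;   <- commented out, must be ignored
    query-source address * port 53;
    query-source-v6 address * port 53;
};
'''
NAMED_CONF_RANDOM = '''
options {
    directory "/var/named";
    query-source address *;    # address only: named picks the port per query
};
'''

# Constructed firewall session lines in the key=value layout posted in the thread.
# Destinations are documentation ranges (RFC 5737), not the hosts discussed above.
SAMPLE_LOG = '''\
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=192.0.2.75 src_port=53 dst_port=53 reason=Close - AGE OUT
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=192.0.2.79 src_port=53 dst_port=53 reason=Close - AGE OUT
Mar 21 21:51:02 start_time="2012-03-21 21:50:58" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=71 rcvd=212 src=10.1.1.1 dst=198.51.100.10 src_port=53 dst_port=53 reason=Close - RESP
Mar 21 21:51:10 start_time="2012-03-21 21:51:08" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=66 rcvd=100 src=10.1.1.2 dst=192.0.2.75 src_port=40211 dst_port=53 reason=Close - RESP
Mar 21 21:51:12 start_time="2012-03-21 21:51:11" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=70 rcvd=180 src=10.1.1.2 dst=198.51.100.10 src_port=51877 dst_port=53 reason=Close - RESP
Mar 21 21:51:15 start_time="2012-03-21 21:51:14" proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=64 rcvd=96 src=10.1.1.2 dst=203.0.113.5 src_port=61034 dst_port=53 reason=Close - RESP
Mar 21 21:51:20 start_time="2012-03-21 21:51:00" proto=6 src zone=Inter-Connect dst zone=External action=Permit sent=900 rcvd=4000 src=10.1.1.9 dst=203.0.113.5 src_port=50123 dst_port=443 reason=Close - TCP FIN
'''

MIN_SESSIONS = 3  # assumed threshold: fewer sessions than this say nothing about port choice

_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*', re.S)
_STMT = re.compile(r'(?<![\w-])(query-source(?:-v6)?)\s([^;{}]*);')
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def strip_comments(conf):
    """Drop //, # and /* */ comments but leave quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)


def find_pinned_query_source(conf):
    """Return (statement, port) for each query-source statement with a numeric port.

    'port *' and statements without a port clause leave the choice to named.
    """
    pinned = []
    for stmt, args in _STMT.findall(strip_comments(conf)):
        port = re.search(r'\bport\s+(\d+)\b', args)
        if port:
            pinned.append((stmt, int(port.group(1))))
    return pinned


def parse_session(line):
    """Parse key=value pairs; the first occurrence of a key wins."""
    fields = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value.strip('"'))
    return fields


def analyse_dns_sessions(lines):
    """Summarise source-port behaviour of outbound UDP/53 sessions per source address."""
    per_src = defaultdict(lambda: {"ports": set(), "sessions": 0, "unanswered": 0})
    for line in lines:
        f = parse_session(line)
        if f.get("proto") != "17" or f.get("dst_port") != "53" or "src_port" not in f:
            continue  # not an outbound DNS-over-UDP session
        s = per_src[f.get("src", "unknown")]
        s["sessions"] += 1
        s["ports"].add(int(f["src_port"]))
        if f.get("rcvd") == "0":
            s["unanswered"] += 1
    report = {}
    for src, s in per_src.items():
        fixed = s["sessions"] >= MIN_SESSIONS and len(s["ports"]) == 1
        port = min(s["ports"]) if fixed else None
        report[src] = {
            "sessions": s["sessions"],
            "distinct_ports": len(s["ports"]),
            "fixed_port": port,                      # None when ports vary
            "privileged": port is not None and port < 1024,
            "unanswered": s["unanswered"],
        }
    return report


if __name__ == "__main__":
    print("pinned statements:", find_pinned_query_source(NAMED_CONF_PINNED))
    for src, row in sorted(analyse_dns_sessions(SAMPLE_LOG.splitlines()).items()):
        print(src, row)
```

A resolver flagged with a fixed, privileged source port and unanswered sessions matches both problems discussed in the thread: the remote filter on low source ports and the reduced protection against spoofed responses.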

Re: Name Resolution issue with one domain

2012-03-22 Thread Matus UHLAR - fantomas

> On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:
>> maybe the admin set that up to force local servers using random ports,
>> instead of 53, for outgoing requests. Nobody should use port 53 for
>> _outgoing_ requests.

On 21.03.12 23:41, Anand Buddhdev wrote:
> You're wrong. A name server can use any source port from 1 up to 65535
> for an outgoing query, as long as that port is not in use by any other
> process on the system.

well, it _can_ but because ports < 1024 are understood as privileged, 
it should not use them.

> In fact, up until Kaminsky's revelation, many BIND servers used a fixed
> source port of 53.

yes, but because of Kaminsky's revelation, servers should not use that 
port anymore.

While it's up to the admin of resolving server, it's possible 
that FW admin at dubai airport had reason to block ports>1024. 

Maybe they got attacked from enabled chargen or echo UDP services from 
somewhere. We do not know that. But we surely know that OP's 
nameservers use port 53 which they should not use...



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: Name Resolution issue with one domain

2012-03-21 Thread Mark Andrews

In message <040b89c8b1e1d945ae2700c511a039e915f...@atmexdb04.dsw.net>, "Lightner, Jeff" writes:
> I don't think the target is blocking as I get the following:

Jeff, the servers *are* dropping packets sourced from port 53.  By
default dig uses an ephemeral port assigned by the system.  It doesn't
use port 53 as the nameserver uses that port.  If you want to test
you need to force the source port like I did below.  You may also
want to do a packet dump if you are running named on the machine
as the replies will go to named and not dig due to how the socket
code works.

By default, modern versions of named will use multiple ports.  BIND
9, by default, has always used ephemeral ports rather than port 53
to make queries.  To make it use port 53 for queries you need to
configure it to do so in named.conf using query-source.

As for using port 53 to source queries, there are circumstances
where that is fine.  When you know or can reasonably expect that
the answers will be signed.  There is some risk that you will get
a spoofed response that will go undetected if this is not the case.
For most nameservers that risk is extremely low that you will be
targeted, however there are some cases where it isn't.

Mark

> dig www.dubaiairport.com
> 
> ; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.dubaiairport.com.  IN  A
> 
> ;; ANSWER SECTION:
> www.dubaiairport.com.   7200    IN  A   213.42.55.169
> 
> ;; AUTHORITY SECTION:
> dubaiairport.com.   172799  IN  NS  dcaowa01.dubaiairport.com.
> dubaiairport.com.   172799  IN  NS  svr-b003.dubaiairport.com.
> 
> ;; Query time: 337 msec
> ;; SERVER: 192.94.73.20#53(192.94.73.20)
> ;; WHEN: Wed Mar 21 19:25:08 2012
> ;; MSG SIZE  rcvd: 100
> 
> The point is your firewall should NOT block outbound queries for port 53 
> or other ports.   There is a well known cache poisoning attack based on 
> knowing the outbound (source) port that is going to be used so the port 
> should be randomized.   Port 53 MUST be accessible on the target DNS 
> server as that is the one that is going to answer the query.
> 
> From: bind-users-bounces+jlightner=water@lists.isc.org 
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf 
> Of babu dheen
> Sent: Wednesday, March 21, 2012 3:14 PM
> To: Matus UHLAR - fantomas; bind-users@lists.isc.org
> Subject: Re: Name Resolution issue with one domain
> 
> Dear All,
> 
> When I executed #dig www.dubaiairport.com, I 
> am getting below response
> 
> ; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
>  When i checked the firewall logs, as you all confirmed, traffic is 
> leaving from both non standard and standard port. But firewall logs 
> clearly shows that traffic from source port =53 and its getting dropped. 
> But other DNS traffic towards various domains also going with source port 
> 53 for which we have no issue.
> 
>  Is this port restriction done at remote domain firewall?
>  Is there any way to enforce non standard port for this domain query at 
> our BIND level from our side?
> 
> 
> Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 
> policy_id=20 service=dns proto=17 src zone=Inter-Connect dst 
> zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 
> src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated 
> ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
> 
> Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 
> service=dns proto=17 src zone=Inter-Connect dst zone=External 
> action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 
> dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  
> port=53 session_id=451904 reason=Close - AGE OUT
> 
> Regards
> Babu
> 
> From: Matus UHLAR - fantomas 
> To: bind-users@lists.isc.org
> Sent: Wednesday, 21 March 2012 11:41 AM
> Subject: Re: Name Resolution issue with one domain
> 
> On 21.03.12 09:23, Mark Andrews wrote:
> >Stupid firewall rules in front of the nameservers.  They block
> >traffic sent from port 53 which is the port lots of nameservers
> >used to send query traffic.  When will firewall administrators learn
> >that the source ports c

Re: Name Resolution issue with one domain

2012-03-21 Thread Anand Buddhdev
On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:

> maybe the admin set that up to force local servers using random ports,
> instead of 53, for outgoing requests. Nobody should use port 53 for
> _outgoing_ requests.

You're wrong. A name server can use any source port from 1 up to 65535
for an outgoing query, as long as that port is not in use by any other
process on the system.

In fact, up until Kaminsky's revelation, many BIND servers used a fixed
source port of 53.

>> bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>> 09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>> 09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>> 09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>>
>> ; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com
>> @svr-b003.dubaiairport.com
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>> bsdi#

There appear to be firewalls in front of the name servers of
dubaiairport.com which drop all queries with a source port less than
1024. I just tried several queries with low-numbered source ports, and
they all failed until I got to 1024. Then they began replying to all my
queries.

Babu Dheen, if you're reading this, take note. The problem has been
identified. Find a contact at dubaiairport.com, and tell him to fix his
firewall.


RE: Name Resolution issue with one domain

2012-03-21 Thread Lightner, Jeff
I don't think the target is blocking as I get the following:

dig www.dubaiairport.com

; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dubaiairport.com.  IN  A

;; ANSWER SECTION:
www.dubaiairport.com.   7200    IN  A   213.42.55.169

;; AUTHORITY SECTION:
dubaiairport.com.   172799  IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   172799  IN  NS  svr-b003.dubaiairport.com.

;; Query time: 337 msec
;; SERVER: 192.94.73.20#53(192.94.73.20)
;; WHEN: Wed Mar 21 19:25:08 2012
;; MSG SIZE  rcvd: 100

The point is your firewall should NOT block outbound queries for port 53 or 
other ports.   There is a well known cache poisoning attack based on knowing the 
outbound (source) port that is going to be used so the port should be 
randomized.   Port 53 MUST be accessible on the target DNS server as that is 
the one that is going to answer the query.

From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of babu 
dheen
Sent: Wednesday, March 21, 2012 3:14 PM
To: Matus UHLAR - fantomas; bind-users@lists.isc.org
Subject: Re: Name Resolution issue with one domain

Dear All,

When I executed #dig www.dubaiairport.com, I am 
getting below response

; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

 When i checked the firewall logs, as you all confirmed, traffic is leaving 
from both non standard and standard port. But firewall logs clearly shows that 
traffic from source port =53 and its getting dropped. But other DNS traffic 
towards various domains also going with source port 53 for which we have no 
issue.

 Is this port restriction done at remote domain firewall?
 Is there any way to enforce non standard port for this domain query at our 
BIND level from our side?


Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 
session_id=512159 reason=Close - AGE OUT

Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 
session_id=451904 reason=Close - AGE OUT

Regards
Babu

From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports,
instead of 53, for outgoing requests. Nobody should use port 53 for
_outgoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.

Re: Name Resolution issue with one domain

2012-03-21 Thread babu dheen
Dear All,
 
When I executed #dig www.dubaiairport.com, I am getting below response 
 ;<<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
 
 When i checked the firewall logs, as you all confirmed, traffic is leaving 
from both non standard and standard port. But firewall logs clearly shows that 
traffic from source port =53 and its getting dropped. But other DNS traffic 
towards various domains also going with source port 53 for which we have no 
issue.
 
 Is this port restriction done at remote domain firewall?
 Is there any way to enforce non standard port for this domain query at our 
BIND level from our side?
 
 
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 
session_id=512159 reason=Close - AGE OUT
 
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 
session_id=451904 reason=Close - AGE OUT

Regards
Babu



From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org 
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports, 
instead of 53, for outgoing requests. Nobody should use port 53 for 
_outgoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 

Re: Name Resolution issue with one domain

2012-03-21 Thread Matus UHLAR - fantomas

On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports, 
instead of 53, for outgoing requests. Nobody should use port 53 for 
_outgoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of. 


Re: Name Resolution issue with one domain

2012-03-20 Thread Eliezer Croitoru

On 21/03/2012 00:23, Mark Andrews wrote:

> dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com

well i do hope they will change it cause it's really a pain to see that.
glad the mystery was found.

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer  ngtech.co.il


Re: Name Resolution issue with one domain

2012-03-20 Thread Mark Andrews

Stupid firewall rules in front of the nameservers.  They block
traffic sent from port 53 which is the port lots of nameservers
used to send query traffic.  When will firewall administrators learn
that the source ports can be anything, that they are not significant,
and that blocking traffic based on the source port is stupid.

Mark

bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
www.dubaiairport.com. ar: OPT UDPsize=4096 (49)

; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
@svr-b003.dubaiairport.com
;; global options: +cmd
;; connection timed out; no servers could be reached
bsdi# 


In message <4f68fe29.6060...@ngtech.co.il>, Eliezer Croitoru writes:
> On 20/03/2012 21:48, babu dheen wrote:
> > Dear Anand,
> >
> > Thanks for the advice. Will follow these guidelines in future for sure.
> > Kindly let me know how can i fix this problem?
> >
> > If its related remote domain NS issue, i shouldn't be able to resolve
> > the domain from anywhere continuously. But i am able to resolve it from
> > internet without any issue. Problem is with only from our company BIND
> > DNS server only.
> > Below is the BIND GW Logs:
> > client 10.1.1.3#63581: view localhost_resolver: query:
> > www.dubaiairport.com IN A +E
> > client 10.1.1.3#63836: view localhost_resolver: query:
> > www.dubaiairport.com IN A +
> > client 10.1.1.3#62249: view localhost_resolver: query:
> > www.dubaiairport.com IN A +E
> > client 10.1.1.3#64215: view localhost_resolver: query:
> > www.dubaiairport.com IN  +
> > Below is the sniffer logs:
> > 3.351081 10.0.0.1 --> 213.42.52.75 DNS Standard Query A
> > www.dubaiairport.com
> > 10.761810 10.0.0.2 --> 213.42.75.79 DNS Standard Query A
> > www.dubaiairport.com
> > Above sniffer logs clearly shows that we are not getting response packet
> > from www.dubaiairport.com NS.
> > Regards
> > Babudheen
> >
> 
> if i do understand this dns 213.42.52.75 is your dns server?
> can you try locally (on the dns server) do a dig/nslookup/host?
> it can be routing issue also.
> 
> Regards,
> Eliezer
> 
> > 
> > *From:* Anand Buddhdev 
> > *To:* babu dheen 
> > *Cc:* Bind Users Mailing List 
> > *Sent:* Monday, 19 March 2012 11:47 PM
> > *Subject:* Re: Name Resolution issue with one domain
> >
> > On 19/03/2012 21:28, babu dheen wrote:
> >
> > Babu,
> >
> >  > Dear Support,
> >  >
> >  > I am trying to resolve www.dubaiairport.com from my GW BIND server
> >  > as below. But not getting any output
> >  >
> >  > $ dig A www.dubaiairport.com
> >  > ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> >  > ;; global options: printcmd
> >  > ;; connection timed out; no servers could be reached
> >  >
> >  >
> >  > Whereas, when i try through dubaiairport.com NS, i am getting the
> >  > response as below. What could be the problem. Any idea?
> >
> > It could be any number of things, and your vague question doesn't
> > provide any useful information for anyone to even begin guessing at the
> > problem. First of all, learn how to ask smart questions:
> >
> > http://www.catb.org/~esr/faqs/smart-questions.html
> >
> > Next, try looking at the logs of your BIND server; perhaps it has logged
> > the reason for this resolution failure.
> >
> > Regards,
> >
> > Anand Buddhdev
> > RIPE NCC
> >
> >
> >
> >
> 
> 
> -- 
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> elilezer  ngtech.co.il
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Name Resolution issue with one domain

2012-03-20 Thread Eliezer Croitoru

On 20/03/2012 21:48, babu dheen wrote:

> Dear Anand,
>
> Thanks for the advice. Will follow these guidelines in future for sure.
> Kindly let me know how can i fix this problem?
>
> If its related remote domain NS issue, i shouldn't be able to resolve
> the domain from anywhere continuously. But i am able to resolve it from
> internet without any issue. Problem is with only from our company BIND
> DNS server only.
> Below is the BIND GW Logs:
> client 10.1.1.3#63581: view localhost_resolver: query:
> www.dubaiairport.com IN A +E
> client 10.1.1.3#63836: view localhost_resolver: query:
> www.dubaiairport.com IN A +
> client 10.1.1.3#62249: view localhost_resolver: query:
> www.dubaiairport.com IN A +E
> client 10.1.1.3#64215: view localhost_resolver: query:
> www.dubaiairport.com IN  +
> Below is the sniffer logs:
> 3.351081 10.0.0.1 --> 213.42.52.75 DNS Standard Query A
> www.dubaiairport.com
> 10.761810 10.0.0.2 --> 213.42.75.79 DNS Standard Query A
> www.dubaiairport.com
> Above sniffer logs clearly shows that we are not getting response packet
> from www.dubaiairport.com NS.
> Regards
> Babudheen



if i do understand this dns 213.42.52.75 is your dns server?
can you try locally (on the dns server) do a dig/nslookup/host?
it can be routing issue also.

Regards,
Eliezer



> *From:* Anand Buddhdev 
> *To:* babu dheen 
> *Cc:* Bind Users Mailing List 
> *Sent:* Monday, 19 March 2012 11:47 PM
> *Subject:* Re: Name Resolution issue with one domain
>
> On 19/03/2012 21:28, babu dheen wrote:
>
> Babu,
>
>  > Dear Support,
>  >
>  > I am trying to resolve www.dubaiairport.com from my GW BIND server
>  > as below. But not getting any output
>  >
>  > $ dig A www.dubaiairport.com
>  > ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
>  > ;; global options: printcmd
>  > ;; connection timed out; no servers could be reached
>  >
>  >
>  > Whereas, when i try through dubaiairport.com NS, i am getting the
>  > response as below. What could be the problem. Any idea?
>
> It could be any number of things, and your vague question doesn't
> provide any useful information for anyone to even begin guessing at the
> problem. First of all, learn how to ask smart questions:
>
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> Next, try looking at the logs of your BIND server; perhaps it has logged
> the reason for this resolution failure.
>
> Regards,
>
> Anand Buddhdev
> RIPE NCC



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer  ngtech.co.il


Re: Name Resolution issue with one domain

2012-03-20 Thread babu dheen
Dear Anand,

Thanks for the advice. Will follow these guidelines in future for sure. Kindly 
let me know how can i fix this problem?

 If its related remote domain NS issue, i shouldn't be able to resolve the 
domain from anywhere continuously. But i am able to resolve it from internet 
without any issue. Problem is with only from our company BIND DNS server only.
 
Below is the BIND GW Logs:
 
client 10.1.1.3#63581: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#63836: view localhost_resolver: query: www.dubaiairport.com IN A +
client 10.1.1.3#62249: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#64215: view localhost_resolver: query: www.dubaiairport.com IN  +

Below is the sniffer logs:
 
3.351081 10.0.0.1  --> 213.42.52.75 DNS Standard Query A www.dubaiairport.com
10.761810 10.0.0.2 --> 213.42.75.79 DNS Standard Query A www.dubaiairport.com
 
Above sniffer logs clearly shows that we are not getting response packet from 
www.dubaiairport.com NS.
 
Regards
Babudheen



 From: Anand Buddhdev 
To: babu dheen  
Cc: Bind Users Mailing List  
Sent: Monday, 19 March 2012 11:47 PM
Subject: Re: Name Resolution issue with one domain
 
On 19/03/2012 21:28, babu dheen wrote:

Babu,

> Dear Support,
>  
> I am trying to resolve www.dubaiairport.com from my GW BIND server
> as below. But not getting any output
>  
>  $ dig A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
>  
> Whereas, when i try through dubaiairport.com NS, i am getting the
> response as below. What could be the problem. Any idea?

It could be any number of things, and your vague question doesn't
provide any useful information for anyone to even begin guessing at the
problem. First of all, learn how to ask smart questions:

http://www.catb.org/~esr/faqs/smart-questions.html

Next, try looking at the logs of your BIND server; perhaps it has logged
the reason for this resolution failure.

Regards,

Anand Buddhdev
RIPE NCC

Re: Name Resolution issue with one domain

2012-03-20 Thread babu dheen
Dear Michael,
 
 If its related remote domain NS issue, i shouldn't be able to resolve the 
domain from anywhere continuously. But i am able to resolve it from internet 
without any issue. Problem is with only from our company BIND DNS server only.
 
Below is the BIND GW Logs:
 
client 10.1.1.3#63581: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#63836: view localhost_resolver: query: www.dubaiairport.com IN A +
client 10.1.1.3#62249: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#64215: view localhost_resolver: query: www.dubaiairport.com IN  +

Below is the sniffer logs:
 
3.351081 10.0.0.1  --> 213.42.52.75 DNS Standard Query A www.dubaiairport.com
10.761810 10.0.0.2 --> 213.42.75.79 DNS Standard Query A www.dubaiairport.com
 
Above sniffer logs clearly shows that we are not getting response packet from 
www.dubaiairport.com NS.
 
Regards
Papdheen M
 


 From: Michael Sinatra 
To: babu dheen  
Cc: Bind Users Mailing List  
Sent: Monday, 19 March 2012 11:43 PM
Subject: Re: Name Resolution issue with one domain
  
On 03/19/12 13:28, babu dheen wrote:
> Dear Support,
> I am trying to resolve www.dubaiairport.com from my GW BIND server as
> below. But not getting any output
> $ dig A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> Whereas, when I try through dubaiairport.com NS, I am getting the
> response as below. What could be the problem? Any idea?
> $ dig @213.42.52.79 A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;www.dubaiairport.com. IN A
> ;; ANSWER SECTION:
> www.dubaiairport.com. 7200 IN A 213.42.55.169
> ;; Query time: 127 msec
> ;; SERVER: 213.42.52.79#53(213.42.52.79)
> ;; WHEN: Mon Mar 19 23:25:35 2012
> ;; MSG SIZE rcvd: 54

When you see this sort of situation, a good guess is that there is an authority 
mismatch and some/all of the authoritative NS records listed in the child zone 
are not responding.  In this case, there is an authority mismatch:

dig +trace ns dubaiairport.com

[skip root response]

dubaiairport.com.       172800  IN      NS      dcaowa01.dubaiairport.com.
dubaiairport.com.       172800  IN      NS      svr-b003.dubaiairport.com.
[RRSIG deleted]
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms

dubaiairport.com.       7200    IN      NS      secdns.dubaiairport.com.
dubaiairport.com.       7200    IN      NS      auhans2.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dxbans2.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dxbans1.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dcaowa01.dubaiairport.com.
dubaiairport.com.       7200    IN      NS      auhans1.ecompany.ae.
dubaiairport.com.       7200    IN      NS      svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms

One of the above DNS servers, secdns.dubaiairport.com, isn't responding for 
me.  Sometimes that's enough to cause intermittent timeouts for dig.

dig +nssearch dubaiairport.com
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 213.42.52.79 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 195.229.237.52 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 194.170.1.99 in 282 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 213.42.52.75 in 288 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 194.170.1.6 in 289 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 
7200 from server 194.170.1.7 in 293 ms.
;; connection timed out; no servers could be reached [referring to 
secdns.dubaiairport.com]

michael

Re: Name Resolution issue with one domain

2012-03-19 Thread Anand Buddhdev
On 19/03/2012 21:28, babu dheen wrote:

Babu,

> Dear Support,
>  
> I am trying to resolve www.dubaiairport.com from my GW BIND server
> as below. But not getting any output
>  
>  $ dig A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
>  
> Whereas, when I try through dubaiairport.com NS, I am getting the
> response as below. What could be the problem? Any idea?

It could be any number of things, and your vague question doesn't
provide any useful information for anyone to even begin guessing at the
problem. First of all, learn how to ask smart questions:

http://www.catb.org/~esr/faqs/smart-questions.html

Next, try looking at the logs of your BIND server; perhaps it has logged
the reason for this resolution failure.

Regards,

Anand Buddhdev
RIPE NCC


Re: Name Resolution issue with one domain

2012-03-19 Thread Michael Sinatra

On 03/19/12 13:28, babu dheen wrote:

> Dear Support,
> I am trying to resolve www.dubaiairport.com from my GW BIND server as
> below. But not getting any output
> $ dig A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> Whereas, when I try through dubaiairport.com NS, I am getting the
> response as below. What could be the problem? Any idea?
> $ dig @213.42.52.79 A www.dubaiairport.com
> ; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;www.dubaiairport.com. IN A
> ;; ANSWER SECTION:
> www.dubaiairport.com. 7200 IN A 213.42.55.169
> ;; Query time: 127 msec
> ;; SERVER: 213.42.52.79#53(213.42.52.79)
> ;; WHEN: Mon Mar 19 23:25:35 2012
> ;; MSG SIZE rcvd: 54


When you see this sort of situation, a good guess is that there is an 
authority mismatch and some/all of the authoritative NS records listed 
in the child zone are not responding.  In this case, there is an 
authority mismatch:


dig +trace ns dubaiairport.com

[skip root response]

dubaiairport.com.   172800  IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   172800  IN  NS  svr-b003.dubaiairport.com.
[RRSIG deleted]
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms

dubaiairport.com.   7200    IN  NS  secdns.dubaiairport.com.
dubaiairport.com.   7200    IN  NS  auhans2.ecompany.ae.
dubaiairport.com.   7200    IN  NS  dxbans2.ecompany.ae.
dubaiairport.com.   7200    IN  NS  dxbans1.ecompany.ae.
dubaiairport.com.   7200    IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   7200    IN  NS  auhans1.ecompany.ae.
dubaiairport.com.   7200    IN  NS  svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms

One of the above DNS servers, secdns.dubaiairport.com, isn't responding 
for me.  Sometimes that's enough to cause intermittent timeouts for dig.


dig +nssearch dubaiairport.com
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 213.42.52.79 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 195.229.237.52 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.99 in 282 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 213.42.52.75 in 288 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.6 in 289 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 
86400 7200 from server 194.170.1.7 in 293 ms.
;; connection timed out; no servers could be reached [referring to 
secdns.dubaiairport.com]


michael
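
The parent/child comparison described in the message above, as an added example that is not part of the original post: a shell filter that reads `dig +trace ns` output, treats the last two blocks as the parent's delegation and the child zone's own NS set, and lists names found in only one of them. The function names `delegation_diff` and `sample_trace` are assumptions of this example, and the sample input is the two blocks quoted in that message.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# delegation_diff (hypothetical name): reads `dig +trace ns ZONE` output on
# stdin and lists NS names that appear only in the parent's delegation or
# only in the child zone's own NS set.
delegation_diff() {
  awk '
    # Collect the NS targets of the block currently being read.
    $3 == "IN" && $4 == "NS" { cur[tolower($5)] = 1; next }
    # ";; Received ..." closes a block: child becomes parent, cur becomes child.
    /^;; Received/ {
      split("", parent); for (n in child) parent[n] = 1
      split("", child);  for (n in cur)   child[n]  = 1
      split("", cur)
    }
    # After the last block, parent and child hold the final two NS sets.
    END {
      for (n in child)  if (!(n in parent)) print "child-only  " n
      for (n in parent) if (!(n in child))  print "parent-only " n
    }' | sort
}

# Sample input: the two blocks quoted in the message above (the root
# response and the RRSIG records were already omitted there).
sample_trace() {
  cat <<'EOF'
dubaiairport.com.       172800  IN      NS      dcaowa01.dubaiairport.com.
dubaiairport.com.       172800  IN      NS      svr-b003.dubaiairport.com.
[RRSIG deleted]
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms

dubaiairport.com.       7200    IN      NS      secdns.dubaiairport.com.
dubaiairport.com.       7200    IN      NS      auhans2.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dxbans2.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dxbans1.ecompany.ae.
dubaiairport.com.       7200    IN      NS      dcaowa01.dubaiairport.com.
dubaiairport.com.       7200    IN      NS      auhans1.ecompany.ae.
dubaiairport.com.       7200    IN      NS      svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms
EOF
}

# Live use would be: dig +trace ns dubaiairport.com | delegation_diff
sample_trace | delegation_diff
```

Every `child-only` name is a server that resolvers learn about only after the first authoritative answer, so each one needs its own reachability check, for example with `dig +nssearch` as in the message.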





Name Resolution issue with one domain

2012-03-19 Thread babu dheen
Dear Support,
 
 I am trying to resolve www.dubaiairport.com from my GW BIND server as below. 
But not getting any output
 
 $ dig A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

 
Whereas, when I try through dubaiairport.com NS, I am getting the response as 
below. What could be the problem? Any idea?
 
$ dig @213.42.52.79 A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dubaiairport.com.  IN  A
;; ANSWER SECTION:
www.dubaiairport.com.   7200    IN  A   213.42.55.169
;; Query time: 127 msec
;; SERVER: 213.42.52.79#53(213.42.52.79)
;; WHEN: Mon Mar 19 23:25:35 2012
;; MSG SIZE  rcvd: 54