Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Kevin Darcy
hangan.org.tw is delegated to www.hangan.org.tw and mail.hangan.org.tw; 
the glue records that are provided resolve both of those names to the 
address 211.21.92.25. I believe BIND 8 considers a glue record to be 
"good enough" to serve as an answer, so it returns the glue record. BIND 
9, however, is more diligent about trying to get a *better* answer 
directly from the authoritative servers.


I can't get any kind of response from the nameserver at 211.21.92.25, 
can anyone else (tried with both EDNS0 on and off)?


Having both delegated nameservers resolve to the same address is, of 
course, very bad architecture; it means you have a single point of 
failure for your entire domain. I'm somewhat surprised that the .tw 
registry even allows this.


- Kevin


bradonkuo wrote:

Dear all bind users,
I am new to managing 3 BIND 9 servers; lately, I got some complaints 
that users cannot connect to some websites while they use our BIND 9 
servers. This issue will be solved if they use other ISP's BIND 8 
servers; one example is as below. Can we modify any configurations of 
the BIND 9 server to solve this issue so that users don't need to change 
anything?
Sincerely,
Bradon Kuo from Taiwan, Taipei,
> lserver 168.95.1.1
Default Server: dns.hinet.net
Address: 168.95.1.1
> www.hangan.org.tw 
Server: dns.hinet.net
Address: 168.95.1.1
Non-authoritative answer:
Name: www.hangan.org.tw 
Address: 211.21.92.25
> lserver 163.21.249.166
Default Server: dns.tp.edu.tw
Address: 163.21.249.166
> www.hangan.org.tw 
Server: dns.tp.edu.tw
Address: 163.21.249.166
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dns.tp.edu.tw timed-out
>
Taipei Municipal Education Network Center, 郭春吉
Tel: 2722-3004 Fax: 2722-3574


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Mark Andrews

In message <397019c15b5a45899bb02b1b212e1...@bradon>, "bradonkuo" writes:
> Dear all bind users,
> 
> I am new to managing 3 BIND 9 servers; lately, I got some complaints
> that users cannot connect to some websites while they use our BIND 9
> servers. This issue will be solved if they use other ISP's BIND 8
> servers; one example is as below. Can we modify any configurations of
> the BIND 9 server to solve this issue so that users don't need to change
> anything?
> 
> Sincerely,
> 
> Bradon Kuo from Taiwan, Taipei,
> 
> > lserver 168.95.1.1
> Default Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> > www.hangan.org.tw
> Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> Non-authoritative answer:
> Name:www.hangan.org.tw
> Address:  211.21.92.25
> 
> > lserver 163.21.249.166
> Default Server:  dns.tp.edu.tw
> Address:  163.21.249.166
> 
> > www.hangan.org.tw
> Server:  dns.tp.edu.tw
> Address:  163.21.249.166
> 
> DNS request timed out.
> timeout was 2 seconds.
> DNS request timed out.
> timeout was 2 seconds.
> *** Request to dns.tp.edu.tw timed-out
> >

Depending upon how old the BIND 8 server is it may be
promoting the glue below to answer.  I can't get any response
out of the nameserver itself.  tcpdump shows queries going
out and no responses coming back.  Either the nameserver
is dead or it is firewalled off.

Try asking for the mx record at both servers and see if you
get a response.  This requires the other ISP to query the
nameserver rather than rely on glue.

Mark

; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.hangan.org.tw. IN  A

;; AUTHORITY SECTION:
hangan.org.tw.  86400   IN  NS  www.hangan.org.tw.
hangan.org.tw.  86400   IN  NS  mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400   IN  A   211.21.92.25
mail.hangan.org.tw. 86400   IN  A   211.21.92.25

;; Query time: 359 msec
;; SERVER: 168.95.192.10#53(168.95.192.10)
;; WHEN: Wed Mar  4 07:36:47 2009
;; MSG SIZE  rcvd: 100



; <<>> DiG 9.3.6-P1 <<>> www.hangan.org.tw @211.21.92.25
;; global options:  printcmd
;; connection timed out; no servers could be reached


07:38:43.523517 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? 
www.hangan.org.tw. (35)
07:38:48.543936 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? 
www.hangan.org.tw. (35)
07:38:53.566828 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? 
www.hangan.org.tw. (35)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
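Added example (mine, not from anyone in this thread): a small Python checker for the two points Kevin and Mark make, run over a constructed referral modelled on Mark's dig output. It flags a delegation whose NS glue all points at one address (single point of failure), one whose NS names are all inside the zone (so resolvers depend entirely on glue), and shows which queries a glue-promoting resolver could answer without ever reaching the server (an A for a glue name, but not the MX query Mark suggests).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the referral quoted in this thread; not a live capture.
REFERRAL = """\
;; AUTHORITY SECTION:
hangan.org.tw.  86400  IN  NS  www.hangan.org.tw.
hangan.org.tw.  86400  IN  NS  mail.hangan.org.tw.
;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400  IN  A  211.21.92.25
mail.hangan.org.tw.  86400  IN  A  211.21.92.25
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_referral(text):
    """Return (zone, ns_names, glue) from dig-style AUTHORITY/ADDITIONAL sections."""
    section, zone, ns, glue = None, None, [], defaultdict(set)
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION" in line:
            section = line.split()[1]      # AUTHORITY / ADDITIONAL / ...
            continue
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if section == "AUTHORITY" and rtype == "NS":
            zone = owner.lower()
            ns.append(rdata.lower())
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue[owner.lower()].add(rdata)
    return zone, ns, glue

def assess_delegation(text):
    """Flag the delegation weaknesses discussed in the thread."""
    zone, ns, glue = parse_referral(text)
    addrs = set().union(*(glue.get(n, set()) for n in ns))
    findings = []
    if len(addrs) <= 1:
        findings.append("single-point-of-failure")   # every NS on one address
    if ns and all(n.endswith("." + zone) for n in ns):
        findings.append("all-ns-in-bailiwick")       # resolvers rely on glue
    if any(n not in glue for n in ns):
        findings.append("missing-glue")
    return {"zone": zone, "ns": ns, "addresses": sorted(addrs), "findings": findings}

def answerable_from_glue(text, qname, qtype):
    """Only an A/AAAA for a glue name can be served from glue; an MX must reach the server."""
    _, _, glue = parse_referral(text)
    return qtype in ("A", "AAAA") and qname.lower() in glue
```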


RE: BIND 9 and BIND 8 issue

2009-03-03 Thread Ben Bridges
Since you're not getting any response from your server (I'm assuming 
dns.tp.edu.tw is your server), you might want to check and make sure there are 
no firewalls or ACLs blocking DNS requests to your name servers.
 




From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of bradonkuo
Sent: Thursday, February 26, 2009 9:40 PM
To: bind-users@lists.isc.org
Cc: bradonkuo
Subject: BIND 9 and BIND 8 issue


Dear all bind users,
 
I am new to managing 3 BIND 9 servers; lately, I got some complaints that 
users cannot connect to some websites while they use our BIND 9 servers. 
This issue will be solved if they use other ISP's BIND 8 servers; one 
example is as below. Can we modify any configurations of the BIND 9 server 
to solve this issue so that users don't need to change anything?
 
Sincerely,
 
Bradon Kuo from Taiwan, Taipei,
 
> lserver 168.95.1.1
Default Server:  dns.hinet.net
Address:  168.95.1.1
 
> www.hangan.org.tw
Server:  dns.hinet.net
Address:  168.95.1.1
 
Non-authoritative answer:
Name:www.hangan.org.tw
Address:  211.21.92.25
 
> lserver 163.21.249.166
Default Server:  dns.tp.edu.tw
Address:  163.21.249.166
 
> www.hangan.org.tw
Server:  dns.tp.edu.tw
Address:  163.21.249.166
 
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dns.tp.edu.tw timed-out
>
 
Taipei Municipal Education Network Center, 郭春吉
Tel: 2722-3004 Fax: 2722-3574


Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Stefan Schmidt
On Fri, Feb 27, 2009 at 11:39:40AM +0800, bradonkuo wrote:
> Dear all bind users,

Hi Bradon,

> I am new to managing 3 BIND 9 servers; lately, I got some complaints that users 
> cannot connect to some websites while they use our BIND 9 servers. This issue 
> will be solved if they use other ISP's BIND 8 servers; one example is as below. 
> Can we modify any configurations of the BIND 9 server to solve this issue so 
> that users don't need to change anything?

I can only take wild guesses here as I don't know the configuration of
your BIND9 servers, but let me assure you that you won't need to
downgrade to BIND8 in order to provide recursive DNS to your users.
BIND9 is totally capable of that, but there has been a change in the
default configuration meaning that it no longer allows recursive queries
by default. You would have to enable that in your configuration via the
following statements:
options {
    recursion yes;
    allow-query {
        0.0.0.0/0;
        # is most likely what you want here
        # as per its name your server
        # looks very much like it's also an authoritative
        # nameserver.
    };
    allow-recursion {
        192.168.0.0/16;
        # or substitute/add this by the network ranges your
        # institution uses for its clients
    };
};

Please let me stress some things:
- It is best current practice to separate your recursive Nameservice
  from your authoritative Nameservice; it's just more tidy and sane. [1]
  So what you really _should_ do is urge your users to use a separate
  recursive [3] DNS Server you provide them with instead of your
  authoritative. [4]
- BIND8 is deprecated and _should_ be rolled out of production wherever
  possible. [2]

[1] http://cr.yp.to/djbdns/separation.html
[2] https://www.isc.org/software/bind/security
[3] http://en.wikipedia.org/wiki/Domain_name_system#DNS_resolvers
[4] http://en.wikipedia.org/wiki/Name_server#Authoritative_name_server

Stefan
-- 
printk(CARDNAME": Bad Craziness - sent packet while busy.\n" );
linux-2.6.6/drivers/net/smc9194.c