Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Michael Monnerie
On Monday 21 September 2009 Shi Jin wrote:
> However, it looks to me like the ISP provided DNS server
> (216.171.238.66) was not able to resolve any of the names and all the
> resolving is done at the top level servers. Is my understanding
> correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP 
there? Try the same for .67, the other DNS.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin
> Try
> dig @216.171.238.66 hp.com
> to see if the .66 host answers to your queries. Maybe you
> got a wrong IP 
> there? Try the same for .67, the other DNS.
> 

Thank you very much.  I tried what you suggested and it seems that these two 
servers work perfectly. In fact, I can simply set my DNS to these two servers 
and have the internet names resolved without any problem. The only reason I run 
my own DNS server is to resolve the intranet names.


~$ dig @216.171.238.66 hp.com

; <<>> DiG 9.5.1-P2 <<>> @216.171.238.66 hp.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47923
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;hp.com.IN  A

;; ANSWER SECTION:
hp.com. 574 IN  A   15.216.110.140
hp.com. 574 IN  A   15.192.45.21
hp.com. 574 IN  A   15.192.45.22
hp.com. 574 IN  A   15.192.45.138
hp.com. 574 IN  A   15.192.45.139
hp.com. 574 IN  A   15.216.110.21
hp.com. 574 IN  A   15.200.2.21
hp.com. 574 IN  A   15.200.30.21
hp.com. 574 IN  A   15.200.30.22
hp.com. 574 IN  A   15.200.30.23
hp.com. 574 IN  A   15.200.30.24
hp.com. 574 IN  A   15.216.110.22
hp.com. 574 IN  A   15.216.110.139

;; AUTHORITY SECTION:
hp.com. 86374   IN  NS  ns6.hp.com.
hp.com. 86374   IN  NS  ns3.hp.com.
hp.com. 86374   IN  NS  ns4.hp.com.
hp.com. 86374   IN  NS  ns1.hp.com.
hp.com. 86374   IN  NS  ns5.hp.com.
hp.com. 86374   IN  NS  ns2.hp.com.

;; ADDITIONAL SECTION:
ns6.hp.com. 43600   IN  A   15.195.208.12
ns1.hp.com. 43600   IN  A   15.219.145.12
ns2.hp.com. 43600   IN  A   15.219.160.12
ns3.hp.com. 43600   IN  A   15.203.209.12
ns4.hp.com. 43600   IN  A   15.203.224.14
ns5.hp.com. 43600   IN  A   15.195.192.37

;; Query time: 2 msec
;; SERVER: 216.171.238.66#53(216.171.238.66)
;; WHEN: Mon Sep 21 14:59:25 2009
;; MSG SIZE  rcvd: 436


Can you see any problem there?
Thanks a lot.

Shi


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Doug Barton
Shi Jin wrote:
> Hi there,
> 
> I've set up a DNS server running bind9 in my LAN and set it up to ISP provided 
> DNS servers as the forwarders. Currently this DNS server works in the sense 
> both internal and external names are resolved without any problem. However, 
> for each DNS query, the syslog shows entries of 
> 
> dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 
> 216.171.238.66#53
> Where the IP 216.171.238.66 is the ISP provided DNS server. 

"host unreachable" is one of the clearer error messages, so you need
to do some digging. From the box that you've set up bind9 on you'll
need to use dig to query the ISP's name servers. If that works, then
you'll have to use tcpdump on that box to find out what named is doing.

You might also consider posting your entire named.conf file, and let
us know of any command line arguments you're using to start it with.
Also name and version number of your OS and exact version of named
wouldn't hurt.


Good luck,

Doug


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin

> "host unreachable" is one of the clearer error messages, so
> you need
> to do some digging. From the box that you've set up bind9
> on you'll
> need to use dig to query the ISP's name servers. If that
> works, then
> you'll have to use tcpdump on that box to find out what
> named is doing.
> 
> Doug
> 
Thank you very much.
Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
 ICMP host 216.171.238.67 unreachable - admin prohibited, length 87
So I think this most likely has to do with the firewall setup. Probably I 
should enable ICMP redirect? Could anyone confirm? And is this safe?

Thank you very much.
Shi


  


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Mark Andrews

In message <865284.37771...@web36203.mail.mud.yahoo.com>, Shi Jin writes:
> 
> > "host unreachable" is one of the clearer error messages, so
> > you need
> > to do some digging. From the box that you've set up bind9
> > on you'll
> > need to use dig to query the ISP's name servers. If that
> > works, then
> > you'll have to use tcpdump on that box to find out what
> > named is doing.
> > 
> > Doug
> > 
> Thank you very much.
> Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
>  ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works.  I think you need to provide
a full trace not the summary that a plain tcpdump gives.

Add  -Xvvv to the set of flags you used with tcpdump.

> So I think this most likely has to do with the firewall setup. Probably I 
> should enable ICMP redirect? Could anyone confirm? And
>  is this safe?
> 
> Thank you very much.
> Shi
> 
> 
>   
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Kevin Darcy
1) Confirm whether you need to forward at all. If you don't need to, 
then remove the forwarders entries and that should take care of the 
errors in your log.
2) If you *must* use forwarders, look at the part of the config that you 
didn't show us, and determine whether there is something there (e.g. 
query-source address and/or port, "server" stanza with an inappropriate 
TSIG key or EDNS buffer size, etc.) that is causing your packets 
destined for 216.171.238.66 to be dropped or rejected, by the target 
server or some intermediate device in between.


- Kevin



Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin
Thank you all.
I've confirmed that the problem is firewall related. I've replaced my current 
Untangle firewall with the simplest Linux NAT iptables firewall and everything 
works perfectly, without any complaints.

Thank you very much for your kind help/suggestions.

Shi


  


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-22 Thread Matus UHLAR - fantomas
On 21.09.09 19:26, Shi Jin wrote:
> I've confirmed that the problem is firewall related. I've replaced my
> current Untangle firewall with the simplest Linux NAT iptables firewall and
> everything works perfectly, without any complaints.

I'd say it was bad configuration, not necessarily a bad firewall. The
tcpdump would help us, unless you are satisfied with using linux iptables...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-22 Thread Barry Margolin
In article ,
 Matus UHLAR - fantomas  wrote:

> On 21.09.09 19:26, Shi Jin wrote:
> > I've confirmed that the problem is firewall related. I've replaced my
> > current Untangle firewall with the simplest Linux NAT iptables firewall and
> > everything works perfectly, without any complaints.
> 
> I'd say it was bad configuration, not necessarily a bad firewall. The
> tcpdump would help us, unless you are satisfied with using linux iptables...

Anyone want to bet that he has {query-source * port 53;} in his 
named.conf, and this is what the firewall was blocking?

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
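
Added example, not written by any poster in this thread: an ICMP unreachable error quotes the IP header and first 8 bytes of the packet that was rejected, which is what the full trace requested above (tcpdump with -Xvvv) exposes and what would confirm or rule out the fixed source port 53 guess. The sketch below decodes that quoted packet from constructed sample bytes; the client address 192.0.2.10, the port 40211 and all function names are assumptions made for illustration.

```python
import socket
import struct

# ICMP type 3 codes that mean a filter, not a routing failure, refused the packet.
ADMIN_PROHIBITED = {9: "network administratively prohibited",
                    10: "host administratively prohibited",
                    13: "communication administratively prohibited"}

def parse_unreachable(icmp: bytes):
    """Return details of the packet quoted inside an ICMP unreachable, or None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return None
    code, quoted = icmp[1], icmp[8:]          # 8-byte ICMP header, then the quote
    ihl = (quoted[0] & 0x0F) * 4              # quoted IPv4 header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 4:
        return None
    # UDP and TCP both start with source port, destination port.
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": code,
            "filtered": code in ADMIN_PROHIBITED,
            "proto": quoted[9],
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20]),
            "sport": sport, "dport": dport}

def diagnose(info):
    """Classify the rejected packet for the forwarder problem in this thread."""
    if info is None or not info["filtered"]:
        return "not an admin-prohibited unreachable"
    if info["proto"] not in (6, 17) or info["dport"] != 53:
        return "filtered, but the rejected packet was not a DNS query"
    if info["sport"] == 53:
        return "DNS query sent from fixed source port 53 was filtered"
    return "DNS query from an ephemeral source port was filtered"

def sample(sport, code=10):
    """Constructed ICMP error (checksums left zero); only the forwarder IP is from the thread."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("216.171.238.67")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 59, 0x1234, 0, 64, 17, 0, src, dst)
    udp = struct.pack("!HHHH", sport, 53, 39, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

if __name__ == "__main__":
    for pkt in (sample(53), sample(40211), sample(40211, code=1)):
        info = parse_unreachable(pkt)
        print(info, "->", diagnose(info))
```

If the quoted source port is 53 for named's queries while dig's queries from ephemeral ports succeed, the firewall rule and the query-source setting are the two places to look.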