Re: DNS not resolving on google, but is on other services

2018-02-18 Thread @lbutlr
On Feb 17, 2018, at 06:04, Reindl Harald  wrote:
> "Is google just b0rked?" is mostly wrong to start with

As I said, that seems unlikely. But the different behavior from multiple large 
DNS services was odd.

> Delegation
> 
> Failed to find name servers of david-dodge.com/IN.

I may have been mucking with it then. Everything returns correct now except 
that the serial numbers don’t match on one server because the delegation has 
failed to sync. I’ll see if it clears on its own.

-- 
This is my signature. There are many like it, but this one is mine.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS not resolving on google, but is on other services

2018-02-18 Thread @lbutlr
On 2018-02-17 (02:48 MST), Niall O'Reilly  wrote:
> 
> In my not-very-extensive experience, Google's 8.8.8.8 service seems to have 
> limited tolerance of badly-behaving authority servers; in such a case, it 
> seems to give up early and report SERVFAIL.
> 
> As it happens, there seem to be problems with the set of authority servers 
> involved.
> 
> You'll find more information at https://zonemaster.fr/test/932ded6946bfebb4 .

Thank you for that, I got the missing server up and running and it all checks 
out now (Well, other than my servers are in the same IP block, which I cannot 
do anything about).

I've never heard of zonemaster.fr before, so I've added it to my bookmarks.

-- 
"His mother should have thrown him away and kept the stork." - Mae West



Re: DNS not resolving on google, but is on other services

2018-02-17 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 17 Feb 2018, LuKreme wrote:


> ... Is google just b0rked? ...


You might need to look closer to home.

You claim three nameservers, but it appears that they're all on the
same network segment - a *really* bad idea - and one of them doesn't
respond to DNS requests, using IPs located both here in the UK and
way over in the western USA:

8<--
laptop3:~$ >>> dig www.david-dodge.com
[snip]
;; ANSWER SECTION:
www.david-dodge.com. 86349   IN  CNAME   www.covisp.net.
www.covisp.net. 86361   IN  A   65.121.55.45
;; AUTHORITY SECTION:
covisp.net. 172119  IN  NS  ns2.covisp.net.
covisp.net. 172119  IN  NS  ns3.covisp.net.
covisp.net. 172119  IN  NS  ns1.covisp.net.
[snip]
8<--
laptop3:~$ >>> dig @ns1.covisp.net -t any covisp.net
[snip]
;; ANSWER SECTION:
covisp.net. 86400   IN  SOA ns1.covisp.net. root.covisp.net. 2018020300 14400 1800 1209600 3600
covisp.net. 172800  IN  NS  ns1.covisp.net.
covisp.net. 172800  IN  NS  ns2.covisp.net.
covisp.net. 172800  IN  NS  ns3.covisp.net.
covisp.net. 172800  IN  MX  10 mail.covisp.net.
covisp.net. 86400   IN  TXT "v=spf1 mx a ip4:65.121.55.42/32 -all"
covisp.net. 86400   IN  TXT "google-site-verification=6rB9Dkgu8_hfTbLiieRTAkvFitENOvyszmzoAu1N27U"
covisp.net. 86400   IN  A   65.121.55.42
;; ADDITIONAL SECTION:
ns1.covisp.net. 172800  IN  A   65.121.55.42
ns2.covisp.net. 172800  IN  A   65.121.55.43
ns3.covisp.net. 172800  IN  A   65.121.55.45
mail.covisp.net. 172800  IN  A   65.121.55.42
[snip]
8<--
laptop3:~$ >>> dig @ns3.covisp.net -t any covisp.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns3.covisp.net -t any covisp.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
8<--

However ns3 responds to 'ping'
8<--
laptop3:~$ >>> ping ns3.covisp.net
PING ns3.covisp.net (65.121.55.45) 56(84) bytes of data.
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=1 ttl=49 time=141 ms
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=2 ttl=49 time=141 ms
64 bytes from www.covisp.net (65.121.55.45): icmp_seq=3 ttl=49 time=141 ms
...
8<--

Maybe the nameserver just isn't running?

Perhaps you should look into one of the free DNS slave services.

--

73,
Ged.


Re: DNS not resolving on google, but is on other services

2018-02-17 Thread Niall O'Reilly
On 16 Feb 2018, at 23:23, LuKreme wrote:

> Is google just b0rked? (Seems unlikely) or is there something in the 
> configuration for the dns that they don't like?

In my not-very-extensive experience, Google's 8.8.8.8 service seems to have 
limited tolerance of badly-behaving authority servers; in such a case, it seems 
to give up early and report SERVFAIL.

As it happens, there seem to be problems with the set of authority servers 
involved.

You'll find more information at https://zonemaster.fr/test/932ded6946bfebb4 .

Best regards,
Niall O'Reilly






DNS not resolving on google, but is on other services

2018-02-16 Thread LuKreme
I have a domain that I host for a friend that he is not able to access 
suddenly. We thought it was SSL related, but after getting more information 
his work computers are not getting an IP address (he can access it from home).  
I checked quadnines, openDNS, and google dns. The first two responded with the 
right IP and google timed out.

OpenDNS 208.67.222.222 and 9.9.9.9 both respond:
;; ANSWER SECTION:
www.david-dodge.com. 86400   IN  CNAME   www.covisp.net.
www.covisp.net. 86400   IN  A   65.121.55.45

But Google's 8.8.8.8 doesn't:

;; QUESTION SECTION:
;www.david-dodge.com.   IN  A

;; Query time: 5003 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 16 15:27:10 MST 2018
;; MSG SIZE  rcvd: 48

Is google just b0rked? (Seems unlikely) or is there something in the 
configuration for the dns that they don't like?

-- 
ADVANCE TO THE REAR!


-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.


Re: DNS not resolving for a particular domain only

2017-08-21 Thread Mark Andrews

In message <93595848.2099571.1503336849...@mail.yahoo.com>, U Zee writes:
> Thanks Mark,
> So mysteriously the problem is now gone and I have no idea how, I know
> that I didn't change anything.
> While investigating, I tried looking but didn't get anything in packet
> capture on the recursive server, I think mainly because I had to grep for
> something otherwise there was just too much traffic. So it's possible, my
> grep for lenovo didn't show related packets But I will never know now 

A single missing routing entry could have taken the site down.  The
delegation for lnvcdn.net only has 2 of the 4 nameservers listed
and those 2 are in the same /24.  There is a reason that it is
recommended that multiple nameservers which are geographically
and topologically dispersed are used and that both sides of the
delegation have consistent NS and address records.  It reduces the
probability that single faults cause failures like this.

Mark

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7439
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lnvcdn.net.            IN  NS

;; AUTHORITY SECTION:
lnvcdn.net. 172800  IN  NS  ns1.lnvcdn.net.
lnvcdn.net. 172800  IN  NS  ns2.lnvcdn.net.
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - 
A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B  NS SOA RRSIG DNSKEY NSEC3PARAM
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 
20170825051539 20170818040539 57899 net. 
ZbkC2I24NO+y91E+sPWOADqbjsVpHfuFhnox5QfeuImFsL2z0x3X+UG6 
Lt9emQ23VFesgs8+J1WQVjHHBuhvc1XdWG7jBpv3Tr776oBcSF5rrqMp 
zC5CjRIzOlojSVpNG3snkW0xfijBuOl51RzaKrSqKb2x/tcXWUWkHpDw ga8=
2K5T76ECDUK1RJEDVHKHNL0LCCENKMES.net. 86400 IN NSEC3 1 1 0 - 
2K673TEK531CUGB8J9QHASJNDFOVU87L  NS DS RRSIG
2K5T76ECDUK1RJEDVHKHNL0LCCENKMES.net. 86400 IN RRSIG NSEC3 8 2 86400 
20170828050756 20170821035756 57899 net. 
s905nQwEBRv9cbVzZMWFLfb0Jnq/K+R32MJdnYa9CaPpJCtGIMzWkmPt 
yl7MKawRlhJE01n4ll4/4Grj3asVi5/LsrGSH7bjO9GkclWqsuxoeepl 
JrUh/UkZFw5qhnCvw1teWAPcZ6T93DBmq02c8UemFAYRrMO1ugbvHGQo QPw=

;; ADDITIONAL SECTION:
ns1.lnvcdn.net. 172800  IN  A   192.16.0.5
ns2.lnvcdn.net. 172800  IN  A   192.16.0.6

;; Query time: 257 msec
;; SERVER: 2001:503:d414::30#53(2001:503:d414::30)
;; WHEN: Tue Aug 22 09:45:04 AEST 2017
;; MSG SIZE  rcvd: 592

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22513
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;lnvcdn.net.            IN  NS

;; ANSWER SECTION:
lnvcdn.net. 3600    IN  NS  ns1.lnvcdn.net.
lnvcdn.net. 3600    IN  NS  ns3.lnvcdn.net.
lnvcdn.net. 3600    IN  NS  ns4.lnvcdn.net.
lnvcdn.net. 3600    IN  NS  ns2.lnvcdn.net.

;; ADDITIONAL SECTION:
ns1.lnvcdn.net. 3600    IN  A   192.16.0.5
ns2.lnvcdn.net. 3600    IN  A   192.16.0.6
ns3.lnvcdn.net. 3600    IN  A   198.7.30.5
ns4.lnvcdn.net. 3600    IN  A   198.7.30.6

;; Query time: 12 msec
;; SERVER: 192.16.0.5#53(192.16.0.5)
;; WHEN: Tue Aug 22 09:45:04 AEST 2017
;; MSG SIZE  rcvd: 175

>   From: Mark Andrews <ma...@isc.org>
>  To: U Zee <uzee...@yahoo.com>
> Cc: Grant Taylor <gtay...@tnetconsulting.net>; "bind-users@lists.isc.org"
> <bind-us...@isc.org>
>  Sent: Monday, August 14, 2017 3:00 AM
>  Subject: Re: DNS not resolving for a particular domain only
>
>
> In message <1396839156.197734.1502489970...@mail.yahoo.com>, U Zee via
> bind-users writes:
> > Thanks for the suggestion Grant.
> > Here's what I get for the recursive server's capture: ( I queried from
> > the recursive server itself from another ssh session so it is the client
> > as well)
> >
> > # tcpdump -v -v -nt -i eth0 udp port 53|grep lenovotcpdump: listening on
> > eth0, link-type EN10MB (Ethernet), capture size 65535 bytes   
> >    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+
> A? www.lenovo.com. (32)
> >    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+
> A? www.lenovo.com. (32)
> >    86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!]
> 12966 [1au] A?
> > www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
> >    193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A?
> www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: .
> OPT UDPsize=4096 OK (76) 
> >    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+
> A? www.lenovo.com. 
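
The consistency check Mark Andrews describes (NS set at the parent versus in the zone itself, and whether the delegated servers sit in one network), which is also the same-segment point made about covisp.net earlier on this page, can be run over saved dig output. This is an added example, not code from the thread; the function names and the /24 and /48 grouping are assumptions, and the sample records are retyped from the two dig answers in the message above.

```python
import ipaddress
import re

# Sample input, retyped (whitespace normalised) from the two dig answers in
# Mark Andrews' message: the referral from a .net server and the answer
# from ns1.lnvcdn.net itself.
PARENT_SIDE = """\
;; AUTHORITY SECTION:
lnvcdn.net.      172800 IN NS ns1.lnvcdn.net.
lnvcdn.net.      172800 IN NS ns2.lnvcdn.net.
;; ADDITIONAL SECTION:
ns1.lnvcdn.net.  172800 IN A  192.16.0.5
ns2.lnvcdn.net.  172800 IN A  192.16.0.6
"""
CHILD_SIDE = """\
;; ANSWER SECTION:
lnvcdn.net.      3600 IN NS ns1.lnvcdn.net.
lnvcdn.net.      3600 IN NS ns3.lnvcdn.net.
lnvcdn.net.      3600 IN NS ns4.lnvcdn.net.
lnvcdn.net.      3600 IN NS ns2.lnvcdn.net.
;; ADDITIONAL SECTION:
ns1.lnvcdn.net.  3600 IN A  192.16.0.5
ns2.lnvcdn.net.  3600 IN A  192.16.0.6
ns3.lnvcdn.net.  3600 IN A  198.7.30.5
ns4.lnvcdn.net.  3600 IN A  198.7.30.6
"""

# owner, TTL, class IN, then only the record types this check needs
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|AAAA|A)\s+(\S+)$", re.IGNORECASE)


def parse_dig(text, zone):
    """Return (NS names for zone, {server name: set of addresses})."""
    zone = zone.lower().rstrip(".") + "."
    ns_names, addresses = set(), {}
    for line in text.splitlines():
        match = RR_LINE.match(line.strip())
        if not match:  # comments, OPT, NSEC3/RRSIG and other types
            continue
        owner, rtype, rdata = match.group(1).lower(), match.group(2).upper(), match.group(3)
        if rtype == "NS":
            if owner == zone:
                ns_names.add(rdata.lower())
        else:
            addresses.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns_names, addresses


def networks(ns_names, addresses, v4_prefix, v6_prefix):
    """Distinct networks (at the given prefix lengths) holding the servers."""
    nets = set()
    for name in ns_names:
        for ip in addresses.get(name, ()):
            prefix = v4_prefix if ip.version == 4 else v6_prefix
            nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def audit_delegation(zone, parent_text, child_text, v4_prefix=24, v6_prefix=48):
    """Compare both sides of a delegation; return a list of (finding, details)."""
    p_ns, p_addr = parse_dig(parent_text, zone)
    c_ns, c_addr = parse_dig(child_text, zone)
    findings = []
    if c_ns - p_ns:
        findings.append(("ns-missing-at-parent", sorted(c_ns - p_ns)))
    if p_ns - c_ns:
        findings.append(("ns-missing-at-child", sorted(p_ns - c_ns)))
    # Glue at the parent should match the address records the zone publishes.
    mismatched = sorted(n for n in p_ns & c_ns
                        if n in p_addr and n in c_addr and p_addr[n] != c_addr[n])
    if mismatched:
        findings.append(("glue-mismatch", mismatched))
    # Resolvers start from the parent's list, so diversity is judged there.
    nets = networks(p_ns, p_addr, v4_prefix, v6_prefix)
    if len(nets) < 2:
        findings.append(("delegated-servers-share-network", sorted(str(n) for n in nets)))
    return findings


if __name__ == "__main__":
    for finding, details in audit_delegation("lnvcdn.net", PARENT_SIDE, CHILD_SIDE):
        print(f"{finding}: {', '.join(details)}")
```
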

Re: DNS not resolving for a particular domain only

2017-08-21 Thread U Zee via bind-users
Thanks Mark,
So mysteriously the problem is now gone and I have no idea how, I know that I 
didn't change anything.
While investigating, I tried looking but didn't get anything in packet capture 
on the recursive server, I think mainly because I had to grep for something 
otherwise there was just too much traffic. So it's possible, my grep for lenovo 
didn't show related packets But I will never know now 



  From: Mark Andrews <ma...@isc.org>
 To: U Zee <uzee...@yahoo.com> 
Cc: Grant Taylor <gtay...@tnetconsulting.net>; "bind-users@lists.isc.org" 
<bind-us...@isc.org>
 Sent: Monday, August 14, 2017 3:00 AM
 Subject: Re: DNS not resolving for a particular domain only
   

In message <1396839156.197734.1502489970...@mail.yahoo.com>, U Zee via 
bind-users writes:
> Thanks for the suggestion Grant.
> Here's what I get for the recursive server's capture: ( I queried from
> the recursive server itself from another ssh session so it is the client
> as well)
>
> # tcpdump -v -v -nt -i eth0 udp port 53|grep lenovotcpdump: listening on
> eth0, link-type EN10MB (Ethernet), capture size 65535 bytes   
>    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
>www.lenovo.com. (32)
>    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
>www.lenovo.com. (32)
>    86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 
>[1au] A?
> www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
>    193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? 
>www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT 
>UDPsize=4096 OK (76) 
>    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
>www.lenovo.com. (32)
>    86.36.AA.BB.10224 > 86.36.DD.EE.domain: [badudp cksum 18c7!] 12721 [1au] 
>A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57)
>    86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: 
>A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA 
>master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 
>360 60 ar: . OPT UDPsize=4096 OK (138)   
>    86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? 
>www.lenovo.com. 0/0/0 (32)
>
> 86.36.AA.BB = localhost (our recursive server) where I ran the query and
> capture
> 86.36.AA.CC = our secondary recursive server (no idea why that was
> contacted)
> 86.36.DD.EE = our one of two anycast addresses which point to the
> recursive servers
>
>
> So it looks like we do get to the CNAME (4th line) but still it
> fails...?I also tried a capture from a regular linux client but the
> output was similar except that it didn't include the CNAME line.

Well the next stage is to trace what happens when the recursive
server looks for cs47.can.lnvcdn.net, the target of the CNAME.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                INTERNET: ma...@isc.org



Re: DNS not resolving for a particular domain only

2017-08-13 Thread Mark Andrews

In message <1396839156.197734.1502489970...@mail.yahoo.com>, U Zee via 
bind-users writes:
> Thanks for the suggestion Grant.
> Here's what I get for the recursive server's capture: ( I queried from
> the recursive server itself from another ssh session so it is the client
> as well)
>
> # tcpdump -v -v -nt -i eth0 udp port 53|grep lenovotcpdump: listening on
> eth0, link-type EN10MB (Ethernet), capture size 65535 bytes   
>86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
> www.lenovo.com. (32)
>86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
> www.lenovo.com. (32)
>86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 
> [1au] A?
> www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
>193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? 
> www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT 
> UDPsize=4096 OK (76) 
>    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? 
> www.lenovo.com. (32)
>86.36.AA.BB.10224 > 86.36.DD.EE.domain: [badudp cksum 18c7!] 12721 [1au] 
> A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57)
>86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: 
> A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA 
> master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 
> 360 60 ar: . OPT UDPsize=4096 OK (138)   
>86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? 
> www.lenovo.com. 0/0/0 (32)
>
> 86.36.AA.BB = localhost (our recursive server) where I ran the query and
> capture
> 86.36.AA.CC = our secondary recursive server (no idea why that was
> contacted)
> 86.36.DD.EE = our one of two anycast addresses which point to the
> recursive servers
>
>
> So it looks like we do get to the CNAME (4th line) but still it
> fails...?I also tried a capture from a regular linux client but the
> output was similar except that it didn't include the CNAME line.

Well the next stage is to trace what happens when the recursive
server looks for cs47.can.lnvcdn.net, the target of the CNAME.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: DNS not resolving for a particular domain only

2017-08-11 Thread U Zee via bind-users
Thanks for the suggestion Grant.
Here's what I get for the recursive server's capture: ( I queried from the 
recursive server itself from another ssh session so it is the client as well)

# tcpdump -v -v -nt -i eth0 udp port 53|grep lenovo
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
    86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 [1au] A? www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
    193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT UDPsize=4096 OK (76)
    86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
    86.36.AA.BB.10224 > 86.36.DD.EE.domain: [bad udp cksum 18c7!] 12721 [1au] A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57)
    86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 360 60 ar: . OPT UDPsize=4096 OK (138)
    86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? www.lenovo.com. 0/0/0 (32)

86.36.AA.BB = localhost (our recursive server) where I ran the query and capture
86.36.AA.CC = our secondary recursive server (no idea why that was contacted)
86.36.DD.EE = our one of two anycast addresses which point to the recursive 
servers


So it looks like we do get to the CNAME (4th line) but still it fails...? I also 
tried a capture from a regular linux client but the output was similar except 
that it didn't include the CNAME line.

Frankly I have no idea if this is giving any useful info. I did see that for 
other queries also I saw bad udp cksum messages so not sure if that's an actual 
problem.
Do you see anything specific that might help us diagnose further?
Thanks
  From: Grant Taylor via bind-users <bind-users@lists.isc.org>
 To: bind-users@lists.isc.org 
 Sent: Friday, August 11, 2017 7:06 PM
 Subject: Re: DNS not resolving for a particular domain only
   
On 08/11/2017 06:49 AM, U Zee via bind-users wrote:
> Any ideas please???

I'm seeing different A records returned depending on where I query from.

As such I can only speculate that something related to DNS for a CDN is 
not working as desired.

I'd suggest a packet capture of the client's DNS traffic and possibly 
(if not likely) the client's recursive DNS server's traffic (related to 
the query.)



-- 
Grant. . . .
unix || die

DNS not resolving for a particular domain only

2017-08-11 Thread U Zee via bind-users
Hi All,
We are experiencing a weird issue for the past week or two. 
We run bind9 on RHEL/CentOS and one of our international offices that has their 
own auth and caching servers cannot resolve lenovo.com for some odd reason. If 
that office clients use google DNS it works but using their own DNS caching 
servers, it can't resolve. Commands dig and nslookup give a timeout. Although 
dig with trace is able to get to the final answer. Nothing in the logs indicate 
an issue. Also, this is the only address that can't resolve, everything else 
works fine.
We've contacted the ISP to make sure nothing is being blocked or anything, and 
that's all clear. The network team has confirmed they haven't done anything on 
the edge devices or any firewall rule modifications which can cause it. 
Any ideas please???

Re: dns not resolving

2013-11-13 Thread Joseph S D Yao

On 2013-11-11 12:11, S. Jeff Cold wrote:
...

> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22495
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jeffdiss.org. IN A

...

> BIND's configuration file is :
>
> $TTL 3600
> $ORIGIN jeffdiss.org.
> ; Start of Authority record defining the key characteristics of the zone (domain)
> @ IN SOA server1.jeffdiss.org. zonemaster.jeffdiss.org. (

...

> ; mail server Resource Records (RR) for the domain
>  3w IN MX 10 mail.jeffdiss.org.
>
> ; domain hosts includes NS and MX records defined above plus any others required
> server1 IN A 192.168.1.50
> server2 IN A 192.168.1.51
> www IN A 192.168.1.51

...

Jeff,

The above is not the configuration file.  As others have pointed out, 
there is no way to know why a SERVFAIL was returned without that and 
other important information.


But you will NEVER be able to resolve the name jeffdiss.org with the 
zone file you included.  Why is that?  Because you never defined an 
address for that name!  That would require either an A record with a 
blank left hand side before all the other A records, or one with @ in 
the LHS.


And speaking of missing A records, what is the IP address of 
mail.jeffdiss.org?  Nobody will ever know, given this zone file.


As Tom Lehrer famously said, life is like a sewer: what you get out of 
it depends on what you put into it.  Same with DNS - only a bit more 
pleasant, one might hope.


I hope this starts to help.


Joe Yao


dns not resolving

2013-11-11 Thread S. Jeff Cold
I have two DNS servers both running Debian Linux 7.2.0, BIND 9.8.4 in a private 
LAN.  I set up an unregistered domain to see how things would run.  When I run 
dig on the domain just to see if it will resolve, I get this error:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> jeffdiss.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jeffdiss.org.          IN  A

;; Query time: 0 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Mon Nov 11 10:05:10 2013
;; MSG SIZE  rcvd: 30

BIND's configuration file is :

$TTL 3600
$ORIGIN jeffdiss.org.
; Start of Authority record defining the key characteristics of the zone (domain)
@       IN  SOA server1.jeffdiss.org.  zonemaster.jeffdiss.org. (
            2013110701 ; serial, todays date + serial num
            7200       ; refresh, seconds
            540        ; retry, seconds
            604800     ; expire, seconds
            86400      ; minimum, seconds
            )

; name servers Resources Records (RR) for the domain
        IN  NS  server1.jeffdiss.org.

; the second name server
        IN  NS  server2.jeffdiss.org.

; mail server Resource Records (RR) for the domain
    3w  IN  MX  10 mail.jeffdiss.org.

; domain hosts includes NS and MX records defined above plus any others required
server1 IN  A   192.168.1.50
server2 IN  A   192.168.1.51
www     IN  A   192.168.1.51

This seems simple enough.  I'm running dig from the primary DNS server itself 
and I'm thinking I should be able to get an answer for jeffdiss.org.  Can 
someone point me in the right direction?

Jeff


Re: dns not resolving

2013-11-11 Thread Alan Clegg

On Nov 11, 2013, at 12:11 PM, S. Jeff Cold <col...@uvu.edu> wrote:

> I have two DNS servers both running Debian Linux 7.2.0, BIND 9.8.4 in a 
> private LAN.  I set up an unregistered domain to see how things would run.  
> When I run dig on the domain just to see if it will resolve, I get this error:

[ SERVFAIL ]

> This seems simple enough.  I'm running dig from the primary DNS server itself 
> and I'm thinking I should be able to get an answer for jeffdiss.org.  Can 
> someone point me in the right direction?

You gave us the zone file.  A copy of the named.conf and (better yet) any 
logging generated when you do the dig would be much more helpful.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com




Re: dns not resolving

2013-11-11 Thread Mark Andrews

If you have check-mx fail; in named.conf then the zone will not load and
you will get SERVFAIL.  The default is check-mx warn;.

12-Nov-2013 07:40:07.546 zone jeffdiss.org/IN: jeffdiss.org/MX 'mail.jeffdiss.org' has no address records (A or AAAA)
12-Nov-2013 07:40:07.546 zone jeffdiss.org/IN: not loaded due to errors.

I would check the log files on the server and address any errors/warnings
reported then try again.  Also be explicit when you want to check a master
server and use @server to make sure you are talking to the machine you
think you are and +norec so referrals are returned.

Additionally you should show the relevant parts of named.conf when asking
for help as the contents affect how named treats the zone.

options {
        pid-file none;
        check-mx fail;
};

zone jeffdiss.org {
        type master;
        file junk;
};


Mark

In message <8b04639343ffed47b61063517bd9b1f1296b5...@uvuexchmb1.ad.uvu.edu>, 
S. Jeff Cold writes:

> I have two DNS servers both running Debian Linux 7.2.0, BIND 9.8.4 in a
> private LAN.  I set up an unregistered domain to see how things would
> run.  When I run dig on the domain just to see if it will resolve, I get
> this error:
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> jeffdiss.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22495
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jeffdiss.org.          IN  A
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.1.50#53(192.168.1.50)
> ;; WHEN: Mon Nov 11 10:05:10 2013
> ;; MSG SIZE  rcvd: 30
>
> BIND's configuration file is :
>
> $TTL 3600
> $ORIGIN jeffdiss.org.
> ; Start of Authority record defining the key characteristics of the zone (domain)
> @       IN  SOA server1.jeffdiss.org.  zonemaster.jeffdiss.org. (
>             2013110701 ; serial, todays date + serial num
>             7200       ; refresh, seconds
>             540        ; retry, seconds
>             604800     ; expire, seconds
>             86400      ; minimum, seconds
>             )
>
> ; name servers Resources Records (RR) for the domain
>         IN  NS  server1.jeffdiss.org.
>
> ; the second name server
>         IN  NS  server2.jeffdiss.org.
>
> ; mail server Resource Records (RR) for the domain
>     3w  IN  MX  10 mail.jeffdiss.org.
>
> ; domain hosts includes NS and MX records defined above plus any others required
> server1 IN  A   192.168.1.50
> server2 IN  A   192.168.1.51
> www     IN  A   192.168.1.51
>
> This seems simple enough.  I'm running dig from the primary DNS server
> itself and I'm thinking I should be able to get an answer for
> jeffdiss.org.  Can someone point me in the right direction?
>
> Jeff



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
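
The two zone-data problems raised in this thread (Mark Andrews: the MX target has no address records; Joseph Yao: the zone apex has no A record) can be found mechanically. This is an added example, not code from the thread and not BIND's own checker: a simplified master-file reader with hypothetical function names that assumes no $INCLUDE and no quoted strings containing ';' or parentheses. The sample zone is the one from the original post with its whitespace restored and its problems left in.

```python
import re

# Constructed input: the zone file from the original post, whitespace restored.
ZONE = """\
$TTL 3600
$ORIGIN jeffdiss.org.
@       IN  SOA server1.jeffdiss.org. zonemaster.jeffdiss.org. (
            2013110701 ; serial
            7200       ; refresh
            540        ; retry
            604800     ; expire
            86400 )    ; minimum
        IN  NS  server1.jeffdiss.org.
        IN  NS  server2.jeffdiss.org.
    3w  IN  MX  10 mail.jeffdiss.org.
server1 IN  A   192.168.1.50
server2 IN  A   192.168.1.51
www     IN  A   192.168.1.51
"""

TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)  # single-unit TTLs only


def logical_lines(text):
    """Strip ';' comments and join records wrapped in parentheses."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth == 0:
            if buf.strip():
                yield buf.rstrip()  # leading whitespace is significant
            buf = ""


def absolute(name, origin):
    """Expand '@' and relative names against the current origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata fields)] with absolute owner/target names."""
    owner, records = None, []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):
            continue  # $TTL does not matter for these checks
        if not line[0].isspace():  # a blank owner field inherits the last owner
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].upper() == "IN" or TTL_RE.match(fields[0])):
            fields.pop(0)  # optional TTL and class, in either order
        if owner and fields and fields[0].upper() in TYPES:
            rtype, rdata = fields[0].upper(), fields[1:]
            if rtype in ("NS", "MX", "CNAME") and rdata:
                rdata[-1] = absolute(rdata[-1], origin)
            records.append((owner, rtype, rdata))
    return records


def check_zone(text, zone):
    """Report in-zone NS/MX targets without addresses and an address-less apex."""
    zone = zone.lower().rstrip(".") + "."
    records = parse_zone(text, zone)
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX") and rdata:
            target = rdata[-1]
            in_zone = target == zone or target.endswith("." + zone)
            if in_zone and target not in have_addr:
                problems.append((f"{rtype.lower()}-target-no-address", owner, target))
    if zone not in have_addr:
        # Not a load error: a query for the bare zone name gets no A answer.
        problems.append(("apex-no-address", zone, None))
    return problems


if __name__ == "__main__":
    for problem in check_zone(ZONE, "jeffdiss.org"):
        print(problem)
```

On a real server, named-checkzone and the named log remain the authoritative check; this sketch only mirrors the two findings discussed in the thread.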


my DNS not resolving

2009-01-29 Thread S. Jeff Cold
BIND List,
 
I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1.  This server 
has a dedicated IP address from my ISP.  I want this server to resolve my 
registered domain jatec.us.  The server has internet connectivity.  If I dig 
jatec.us, I get:
 
xx--begin pastexx
iceman:/home/coldje # dig jatec.us
 
; <<>> DiG 9.5.0-P2 <<>> jatec.us
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2074
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;jatec.us.  IN  A
 
;; AUTHORITY SECTION:
us. 900 IN  SOA a.gtld.biz. hostmaster.neustar.biz. 2003490240 900 900 604800 86400
 
;; Query time: 28 msec
;; SERVER: 205.171.3.65#53(205.171.3.65)
;; WHEN: Thu Jan 29 11:44:18 2009
;; MSG SIZE  rcvd: 91
xx--end paste-xx
 
I don't think there's a problem with my zone files or my named.conf file.  As 
the domain registrar, my ISP has a place for me
to put the IP address for my server with the domain, but that's it. This URL 
works http://166.70.208.147/moodle/ , but 
http://www.jatec.us/moodle does not work.  How can I get this to resolve?
 
Jeff
 
S. Jeff Cold, Associate Professor
IST Dept., MS-181
Utah Valley University
800 W. University Pkwy.
Orem, UT 84058-5999
 
(801) 863-8851 - office
(801) 863-8522 - fax
(801) 494-4793 - cell

Re: my DNS not resolving

2009-01-29 Thread Matthew Pounsett


On 29-Jan-2009, at 13:49, S. Jeff Cold wrote:


> BIND List,
>
> I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1.
> This server has a dedicated IP address from my ISP.  I want this
> server to resolve my registered domain jatec.us.  The server has
> internet connectivity.  If I dig jatec.us, I get:

[...]

> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2074
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


Your domain doesn't appear to have been registered yet (or, perhaps,  
is registered but is simply not yet in the .us zone):


; <<>> DiG 9.5.0-P1 <<>> jatec.us @K.GTLD.BIZ
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17247
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;jatec.us.  IN  A

;; AUTHORITY SECTION:
us.			900	IN	SOA	a.gtld.biz. hostmaster.neustar.biz. 2003490289 900 900 604800 86400


;; Query time: 20 msec
;; SERVER: 156.154.72.65#53(156.154.72.65)
;; WHEN: Thu Jan 29 14:48:05 2009
;; MSG SIZE  rcvd: 91


When did you register the domain?
How often does .us update their zone?

Matt





Re: my DNS not resolving

2009-01-29 Thread Rich Goodson

$ whois jatec.us
--snip--
Domain Status:               inactive
Name Server:                 ICEMAN.JATEC.US
--snip--
Domain Registration Date:    Fri Oct 03 21:05:39 GMT 2008
Domain Expiration Date:      Fri Oct 02 23:59:59 GMT 2009
Domain Last Updated Date:    Sun Nov 23 06:34:22 GMT 2008
--snip--

Check with your registrar.  Your domain has not expired, but some  
registrars will set your domain to inactive status if you don't have  
at least two name servers listed.


-rich

On Jan 29, 2009, at 12:49 PM, S. Jeff Cold wrote:

> BIND List,
>
> I have a server running OpenSuse 11.1 with BIND 9.5.0P2-18.1.
> This server has a dedicated IP address from my ISP.  I want this
> server to resolve my registered domain jatec.us.  The server has
> internet connectivity.  If I dig jatec.us, I get:
>
> xx--begin pastexx
>
> iceman:/home/coldje # dig jatec.us
>
> ; <<>> DiG 9.5.0-P2 <<>> jatec.us
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2074
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jatec.us.  IN  A
>
> ;; AUTHORITY SECTION:
> us. 900 IN  SOA a.gtld.biz. hostmaster.neustar.biz. 2003490240 900 900 604800 86400
>
> ;; Query time: 28 msec
> ;; SERVER: 205.171.3.65#53(205.171.3.65)
> ;; WHEN: Thu Jan 29 11:44:18 2009
> ;; MSG SIZE  rcvd: 91
> xx--end paste-xx
>
> I don't think there's a problem with my zone files or my named.conf
> file.  As the domain registrar, my ISP has a place for me
> to put the IP address for my server with the domain, but that's
> it. This URL works http://166.70.208.147/moodle/ , but
> http://www.jatec.us/moodle does not work.  How can I get this to
> resolve?
>
> Jeff
>
> S. Jeff Cold, Associate Professor
> IST Dept., MS-181
> Utah Valley University
> 800 W. University Pkwy.
> Orem, UT 84058-5999
>
> (801) 863-8851 - office
> (801) 863-8522 - fax
> (801) 494-4793 - cell