DNS problems at thought.org [was: Re: lynx failure....]

2009-12-12 Thread Giorgos Keramidas
On Sat, 12 Dec 2009 10:21:15 -0800, Gary Kline kl...@thought.org wrote:
On Sat, Dec 12, 2009 at 11:01:47AM +0200, Giorgos Keramidas wrote:
On Sat, 12 Dec 2009 00:09:52 -0800, Gary Kline kl...@thought.org wrote:
 Using lynx:

   Looking up www.thought.org
   Unable to locate remote host www.thought.org.
   Alert!: Unable to connect to remote host.

 Obviously, something is wrong with how my new DNS, mail, and web
 server, ethic, is configured.  Can anybody help me here?

 Are you sure DNS for the thought.org domain works?

   keram...@kobe:/home/keramida$ host www.thought.org
   Host www.thought.org not found: 3(NXDOMAIN)
   keram...@kobe:/home/keramida$

 The more I think about it, no, I'm not sure.  The guy who set up my
 new DNS was using the named in ports while I was using the one in
 /usr/sbin.

That shouldn't be a problem.  Both bind versions should be able to serve
your zone files correctly.

When you see 'weird' DNS errors from one place but they seem to magically
disappear if you perform the same query from another place, it is _very_
often a good indication that there is _somewhere_ a stale SOA record and a
stale copy of your zone files.  Tracking down where the stale SOA record is
cached may be a bit of work, but it's definitely doable...

The name servers registered for your domain at `thought.org' are:

: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
: awk '{print $NF}'
: a.ns.celestial.com.
: ns1.localhostservices.net.
: b.ns.celestial.com.
: d.ns.celestial.com.
: ns2.secondary.com.
: ns1.thought.org.
: c.ns.celestial.com.
: $

The IPv4 addresses of these hosts seem to be:

: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
: awk '{print $NF}' | \
: while read name ; do \
: addrs=$( host ${name} 2>&1 | fgrep 'has address' | \
:  awk '{print $NF}' | sort ); \
: echo ${name} ${addrs} ; \
:   done | tee thought.org-ns.txt
: a.ns.celestial.com. 192.136.111.41
: ns1.localhostservices.net. 69.55.236.116
: ns1.thought.org. 209.180.213.210
: ns2.secondary.com. 198.133.199.4
: c.ns.celestial.com. 192.136.111.43
: b.ns.celestial.com. 192.136.111.42
: d.ns.celestial.com. 65.255.106.208
: $

So there are seven (7) different name servers that should have the same SOA
record and the same version of your zone file.  How many of them *do* have
the same version though?

: keram...@kobe:~$ while read nshost nsip ; do \
: echo ${nshost} [${nsip}] = ; \
: dig @${nsip} thought.org soa 2>&1 | expand | \
: fgrep ' SOA ' | sed -e 's/.* SOA[ ]*//' ; \
: echo ; \
: done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: ns1.localhostservices.net. [69.55.236.116] =
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns1.thought.org. [209.180.213.210] =
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns2.secondary.com. [198.133.199.4] =
:
: c.ns.celestial.com. [192.136.111.43] =
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: b.ns.celestial.com. [192.136.111.42] =
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: d.ns.celestial.com. [65.255.106.208] =
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: keram...@kobe:~$

From this output you can now see that:

  * There is at least one name server in your NS list that does not have a
SOA record at _all_ for your domain (ns2.secondary.com)

  * There are four name servers that have a stale copy of your zone file from
last year (a.ns.celestial.com, b.ns.celestial.com, c.ns.celestial.com,
and d.ns.celestial.com).

  * There are two name servers that appear to have a copy from 2009-12-08
(ns1.thought.org and ns1.localhostservices.net)

Trying to resolve `www.thought.org' through each one of these name servers,
to find the ones that cause some of the DNS queries to fail, shows the
following:

: $ while read nshost nsip ; do \
:   echo ${nshost} [${nsip}] = ; \
:   dig @${nsip} www.thought.org a | expand | \
:   grep '^www\.thought\.org' ; \
:   echo ; \
:   done < thought.org-ns.txt
: a.ns.celestial.com. [192.136.111.41] =
: www.thought.org.    38400   IN  CNAME   aristotle.thought.org.
:
: ns1.localhostservices.net. [69.55.236.116] =
: www.thought.org.    38400   IN  CNAME   ethic.thought.org.
:
: ns1.thought.org. [209.180.213.210] =
: www.thought.org.    38400   IN  CNAME   ethic.thought.org.
:
: ns2.secondary.com. [198.133.199.4] =
:
: c.ns.celestial.com. [192.136.111.43] =
: www.thought.org.    38400   IN  CNAME   aristotle.thought.org.
:
: b.ns.celestial.com. [192.136.111.42] =
: www.thought.org.    38400   IN  CNAME   aristotle.thought.org.
:
: d.ns.celestial.com. [65.255.106.208] =
: www.thought.org.38400   IN  

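The comparison Giorgos does by eye above (same SOA serial everywhere? same MNAME? same answer for www?) can be mechanised. The following is an added example, not code from the thread: it post-processes answers already collected with the dig loops shown above, so it runs offline. The two dictionaries are transcribed from the SOA and www.thought.org answers quoted in the thread; None marks a server that returned nothing, and d.ns.celestial.com is left out of the www table because its answer is cut off in the quoted output. Field names such as audit_soa and group_by_answer are this example's own.

```python
"""Offline consistency audit of per-name-server DNS answers.

Added example, not code from the original mailing-list thread.  It checks
the data a dig loop has already collected (one answer per authoritative
server), so no network access is needed.
"""
import re
from collections import defaultdict

# SOA RDATA as dig prints it after the 'SOA' keyword:
#   mname rname serial refresh retry expire minimum
SOA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

# Transcribed from the thread (constructed sample data for this example).
SOA_ANSWERS = {
    "a.ns.celestial.com.": "aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400",
    "ns1.localhostservices.net.": "ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400",
    "ns1.thought.org.": "ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400",
    "ns2.secondary.com.": None,  # no SOA returned at all
    "c.ns.celestial.com.": "aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400",
    "b.ns.celestial.com.": "aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400",
    "d.ns.celestial.com.": "aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400",
}

# RDATA each server returns for www.thought.org; d.ns.celestial.com. is
# omitted because its line is truncated in the quoted output.
WWW_ANSWERS = {
    "a.ns.celestial.com.": "CNAME aristotle.thought.org.",
    "ns1.localhostservices.net.": "CNAME ethic.thought.org.",
    "ns1.thought.org.": "CNAME ethic.thought.org.",
    "ns2.secondary.com.": None,
    "c.ns.celestial.com.": "CNAME aristotle.thought.org.",
    "b.ns.celestial.com.": "CNAME aristotle.thought.org.",
}


def parse_soa(rdata):
    """Split SOA RDATA text into its seven fields (numeric fields as ints)."""
    m = SOA_RE.match(rdata.strip())
    if not m:
        raise ValueError("not SOA RDATA: %r" % rdata)
    mname, rname, serial, refresh, retry, expire, minimum = m.groups()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def serial_date(serial):
    """Decode a YYYYMMDDnn-style serial into (year, month, day, revision).

    Returns None when the serial is not date-shaped: a serial only has to
    increase monotonically, the date convention is a habit, not a rule.
    """
    digits = str(serial)
    if len(digits) != 10:
        return None
    year, month, day, rev = (int(digits[:4]), int(digits[4:6]),
                             int(digits[6:8]), int(digits[8:]))
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return None
    return (year, month, day, rev)


def audit_soa(answers):
    """Classify name servers by the SOA they serve.

    Returns the newest serial seen, the servers serving it ('current'),
    servers with an older serial ('stale', mapped to that serial), servers
    that returned no SOA ('missing'), and servers grouped by MNAME so a
    zone with two different claimed masters stands out.
    """
    parsed = {ns: parse_soa(r) for ns, r in answers.items() if r}
    missing = sorted(ns for ns, r in answers.items() if not r)
    newest = max((p["serial"] for p in parsed.values()), default=None)
    by_mname = defaultdict(list)
    for ns, p in parsed.items():
        by_mname[p["mname"]].append(ns)
    return {
        "newest": newest,
        "current": sorted(ns for ns, p in parsed.items() if p["serial"] == newest),
        "stale": {ns: p["serial"] for ns, p in parsed.items() if p["serial"] < newest},
        "missing": missing,
        "by_mname": {m: sorted(v) for m, v in by_mname.items()},
    }


def group_by_answer(answers):
    """Group name servers by the RDATA they return for one name."""
    groups = defaultdict(list)
    for ns, rdata in answers.items():
        groups[rdata].append(ns)
    return {rdata: sorted(v) for rdata, v in groups.items()}


if __name__ == "__main__":
    soa = audit_soa(SOA_ANSWERS)
    print("newest serial:", soa["newest"], serial_date(soa["newest"]))
    for label in ("current", "stale", "missing"):
        print(label + ":", soa[label])
    print("servers by MNAME:", soa["by_mname"])
    for rdata, servers in group_by_answer(WWW_ANSWERS).items():
        print("www.thought.org ->", rdata, servers)
```

Run against the thread's data, audit_soa reports serial 2009120801 on ns1.thought.org and ns1.localhostservices.net, serial 2008121902 on the four celestial.com servers, no SOA from ns2.secondary.com, and two different MNAMEs (aristotle vs ethic), which is exactly the split the dig output shows. A serial difference alone is not an alarm (a secondary can lag by up to REFRESH seconds), but a serial a year behind, or an MNAME nobody else agrees on, means that server is not transferring the zone from the current master at all.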
Re: DNS problems at thought.org

2009-12-12 Thread Giorgos Keramidas
On Sat, 12 Dec 2009 19:25:43 -0800, Gary Kline kl...@thought.org wrote:
 On Sun, Dec 13, 2009 at 12:29:30AM +0200, Giorgos Keramidas wrote:
 You have some serious DNS issues with your current setup.  I think you
 should start by:

   1) *Removing* from the NS records of your domain the name servers that
  are not necessary (the celestial.com ones).

   2) *Updating* the NS list of the same domain at the DNS registrar you are
  using to use ns1.thought.org and ns1.localhostservices.net.

   3) Checking the firewall settings at ns1.thought.org to see why it does
   not respond to queries.

 Jon just got home and mailed me about my secondaries.  With
 what he said, or tried to explain, and what you have below,
 the picture is pretty clear.  Jon thinks I need to drop the
 ns2.secondary.com secondaries and others that are not consistent.

 Some point to aristotle; others to ethic.

Yes, that makes perfect sense.  It's the main reason why I wrote step 1
in the above list.

 When you *do* update the NS listing through your DNS registration
 service, point it _only_ at name servers that really have a valid
 copy of your zone files and are set up to serve as secondaries.
 After a while, when the changes propagate to all the name servers,
 your domain should work fine with bind (either the base-system or
 ports version).

 Things may be happening.  Since I have no webserver apps [GUI] I gave
 the gkg.net info to Jon and asked him to edit my files there.  I use
 pfsense as my firewall.  I'm still in learning mode about its fine
 points, but from what I understand, it points only to ethic ... I
 think in the past few days--two or three days.

 *Thanks* for filling in the blank spaces.

No problem.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org