DNS help needed
Chris Foote
chris at inetd.com.au
Wed Apr 18 13:17:47 CST 2007
On Wed, 18 Apr 2007, Shane wrote:
> I've got an annoying DNS problem at the moment where we've found 2
> addresses that fail to resolve in one of our offices that resolve fine
> in the other ...
>
> We have a master DNS server that has all the info for our hosts, the
> other office DNS servers slaves our zone. Both have a *.* zone defined
> to use named.root (I'll paste the two config files below as they'll
> probably help).
>
> The named.root files are identical on the two servers - the slave is
> the one resolving correctly. The two addresses we know of failing so
> far are:
> bigpond.net.au
> 3delight.com
> so it shouldn't be anything to do with our zone info, seems to be
> something between "us" and "them" but I'm stuck for ideas on where
> and/or how to fix the problem. We tried using forwarders for a while
> but that led to a whole lot of other problems so I'd rather stick to
> getting the root zone working properly :-)
>
> TIA,
> Shane.
>
> "Master config"
> options {
>     directory "/var/named/";
>     allow-transfer {
>         10.0.0.0/8;
>     };
>     listen-on {
>         10.5.0.10;
>         127.0.0.1;
>     };
>     query-source address * port 53;
> };
Hi Shane.
Do you really want the server above to source DNS requests from port 53?
You may find that you have a firewall blocking traffic from privileged
ports (i.e. < 1024). Try removing the 'query-source' line altogether,
which would allow DNS queries to be sourced from unprivileged ports.
From both DNS machines, you need to verify that you can get a successful
result back directly from the DNS servers for the zones that fail -
e.g. for bigpond.net.au, confirm that you see the following result from
'dig' which queries the IP address of the bigpond.net.au name server
ns2.bigpond.net.au:
[chris at fmt ~]$ dig -t a bigpond.net.au @61.9.192.17
; <<>> DiG 9.3.4 <<>> -t a bigpond.net.au @61.9.192.17
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56366
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;bigpond.net.au. IN A
;; ANSWER SECTION:
bigpond.net.au. 1800 IN A 139.134.5.153
;; AUTHORITY SECTION:
bigpond.net.au. 1800 IN NS ns1.bigpond.net.au.
bigpond.net.au. 1800 IN NS ns2.bigpond.net.au.
;; ADDITIONAL SECTION:
ns1.bigpond.net.au. 1800 IN A 61.9.128.17
ns2.bigpond.net.au. 1800 IN A 61.9.192.17
;; Query time: 217 msec
;; SERVER: 61.9.192.17#53(61.9.192.17)
;; WHEN: Wed Apr 18 13:09:08 2007
;; MSG SIZE rcvd: 116
If you don't get those results, then you might have an IP connectivity
issue for at least UDP port 53 from that box. (Does the box even have
a default gateway configured? Is it allowed NAT access?)
If everything checks out ok, then get back to the list with the exact
resource record type of the query (i.e. whether it's A, CNAME, MX, etc.)
and the exact hostname it's for.
--
Chris Foote <chris at inetd.com.au>
Inetd Pty Ltd T/A HostExpress
Web: http://www.hostexpress.com.au
Blog: http://www.hostexpress.com.au/drupal/chris
Phone: (08) 8410 4566
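An added example, not from Chris's or Shane's mail: a stdlib-only Python script that does the check Chris describes, sending an A query straight to an authoritative server and testing the reply header for NOERROR, the aa flag and a non-zero ANSWER count, just as the dig output above shows. The source_port argument lets you compare a query sourced from port 53 (what the query-source line forces) with one from an unprivileged port, which is the firewall hypothesis in the reply; 61.9.192.17 is ns2.bigpond.net.au from the dig output, and the function names are mine.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_a_query(name, txid=0x1234):
    """Minimal DNS query: RD set, one question <name> IN A (what 'dig -t a' sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte DNS header into the fields dig prints (flags, status, counts)."""
    txid, flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answer": an, "authority": ns, "additional": ar}

def looks_authoritative(hdr, txid=0x1234):
    """Chris's success criterion: id matches, status NOERROR, aa set, ANSWER >= 1."""
    return (hdr["id"] == txid and hdr["status"] == "NOERROR"
            and hdr["aa"] and hdr["answer"] > 0)

def query_direct(name, server, source_port=0, timeout=3.0):
    """UDP query straight to <server>:53. source_port=53 mimics BIND's
    'query-source ... port 53' (needs root and a free port 53); 0 = ephemeral port.
    None means no reply at all (firewall or connectivity), not a DNS error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_header(data)

if __name__ == "__main__":
    # 61.9.192.17 is ns2.bigpond.net.au from the dig output in the mail.
    for port in (0, 53):
        hdr = query_direct("bigpond.net.au", "61.9.192.17", source_port=port)
        print("source port", port or "ephemeral", "->",
              "no reply" if hdr is None else ("OK" if looks_authoritative(hdr) else hdr))
```

A reply from the ephemeral port but none from port 53 points at filtering of privileged source ports; no reply from either points at UDP/53 connectivity or routing from that box.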