shrek2
asked on
DNS Problem(s)
I am running DNS bind 9.2.1 - presently i am experiencing a problem where it is not able to resolve DNS records that seem to be over in china and our hosted by mx.sina.net I am not able to send mail to greatmountain.com.cn or everesports.com Because my DNS server times out. When I issue a dig on these sites is when i see the timeout.
If i use www.dnsstuff.com they seem to have the ability to find these sites... Can someone tell me what i should look for. It seems as if I can find most other sites in the states no problem, My DNS's have been working fine for the past two years.. this all of a sudden just started happenning on these Specific domains. I perfomed a reboot to clear cache but no change.
If i use www.dnsstuff.com they seem to have the ability to find these sites... Can someone tell me what i should look for. It seems as if I can find most other sites in the states no problem, My DNS's have been working fine for the past two years.. this all of a sudden just started happenning on these Specific domains. I perfomed a reboot to clear cache but no change.
I don't think there's anything wrong with your DNS server. Although if you've been running it for two years your hints file is probably a bit out of date. You can get a current copy from ftp://FTP.INTERNIC.NET/domain/named.root.
Neither of those domains works from any of my name servers. From what I can see from here it looks like it might be some sort of Internet routing problem.
When I started composing this comment I could not get data back from either of the name servers for eversports.com (dns3.register.com & dns4.register.com). But now I can. I still can't reach the nameservers for greatmountain.com.cn though.
Neither of those domains works from any of my name servers. From what I can see from here it looks like it might be some sort of Internet routing problem.
When I started composing this comment I could not get data back from either of the name servers for eversports.com (dns3.register.com & dns4.register.com). But now I can. I still can't reach the nameservers for greatmountain.com.cn though.
ASKER
As far as i know my DNS server is not looking to my isp, it just uses the named.ca for root servers.. I called my isp and they were about no help. The tech there said it was probalby in my cache and that i should clear it? Then he told me to go to askmrdns on google, I did but still have not conquered this problem.
here is what baffles me i do the following queries and i get a time out-when I use
dig @servername.xxx hostname.xxx "NS" it just fails timeout. But a straigt dig servername.com seems to work; except on the problem domains mentioned "everesports.com" and "greatmountain.com.cn" below i have copied output of Dig command. Hope this helps you help me. Thanks
[root@ns1 named]# dig @e0.ns.voyager.net voyager.net NS
; <<>> DiG 9.2.1 <<>> @e0.ns.voyager.net voyager.net NS
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@ns1 named]# dig voyager.net
; <<>> DiG 9.2.1 <<>> voyager.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;voyager.net. IN A
;; ANSWER SECTION:
voyager.net. 85148 IN A 209.153.190.1
;; AUTHORITY SECTION:
voyager.net. 86005 IN NS e1.ns.voyager.net.
voyager.net. 86005 IN NS e2.ns.voyager.net.
voyager.net. 86005 IN NS e0.ns.voyager.net.
;; ADDITIONAL SECTION:
e0.ns.voyager.net. 85866 IN A 169.207.2.72
e1.ns.voyager.net. 85300 IN A 207.89.128.13
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 7 13:18:36 2004
;; MSG SIZE rcvd: 131
[root@ns1 named]# dig everesports.com
; <<>> DiG 9.2.1 <<>> everesports.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@ns1 named]#
here is what baffles me i do the following queries and i get a time out-when I use
dig @servername.xxx hostname.xxx "NS" it just fails timeout. But a straigt dig servername.com seems to work; except on the problem domains mentioned "everesports.com" and "greatmountain.com.cn" below i have copied output of Dig command. Hope this helps you help me. Thanks
[root@ns1 named]# dig @e0.ns.voyager.net voyager.net NS
; <<>> DiG 9.2.1 <<>> @e0.ns.voyager.net voyager.net NS
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@ns1 named]# dig voyager.net
; <<>> DiG 9.2.1 <<>> voyager.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;voyager.net. IN A
;; ANSWER SECTION:
voyager.net. 85148 IN A 209.153.190.1
;; AUTHORITY SECTION:
voyager.net. 86005 IN NS e1.ns.voyager.net.
voyager.net. 86005 IN NS e2.ns.voyager.net.
voyager.net. 86005 IN NS e0.ns.voyager.net.
;; ADDITIONAL SECTION:
e0.ns.voyager.net. 85866 IN A 169.207.2.72
e1.ns.voyager.net. 85300 IN A 207.89.128.13
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 7 13:18:36 2004
;; MSG SIZE rcvd: 131
[root@ns1 named]# dig everesports.com
; <<>> DiG 9.2.1 <<>> everesports.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@ns1 named]#
ASKER
This is for jlevie: You may well be correct however could you please look at my other post for more information. ALSO the other domain i could not reach is everesports.com it has an "e" after ever and before sports. Please let me know if you can query. Thanks again.
Sorry, typo on my part in part of my tests.
A whois on everesports.com says that it's name servers are ns.xinnetdns.com & ns.xinnet.cn, which are the same name servers for greatmountain.com.cn. As far as I can tell both of those DNS servers are reachable via a ping, but one seems not to be operating properly and the other not at all. If I do:
wilowisp> host ns.xinnetdns.com
ns.xinnetdns.com has address 210.51.170.66
wilowisp> host -T -t mx greatmountain.com.cn 210.51.170.66
;; connection timed out; no servers could be reached
wilowisp>
wilowisp> host -T -t mx greatmountain.com.cn 202.106.124.195
Using domain server:
Name: 202.106.124.195
Address: 202.106.124.195#53
Aliases:
greatmountain.com.cn mail is handled by 10 mx.sina.net.
But when Bind does the query:
wilowisp> host -t mx greatmountain.com.cn
;; connection timed out; no servers could be reached
it fails. The results for everesports.com are similar. So I'd have to say that the problem is on their end.
A whois on everesports.com says that it's name servers are ns.xinnetdns.com & ns.xinnet.cn, which are the same name servers for greatmountain.com.cn. As far as I can tell both of those DNS servers are reachable via a ping, but one seems not to be operating properly and the other not at all. If I do:
wilowisp> host ns.xinnetdns.com
ns.xinnetdns.com has address 210.51.170.66
wilowisp> host -T -t mx greatmountain.com.cn 210.51.170.66
;; connection timed out; no servers could be reached
wilowisp>
wilowisp> host -T -t mx greatmountain.com.cn 202.106.124.195
Using domain server:
Name: 202.106.124.195
Address: 202.106.124.195#53
Aliases:
greatmountain.com.cn mail is handled by 10 mx.sina.net.
But when Bind does the query:
wilowisp> host -t mx greatmountain.com.cn
;; connection timed out; no servers could be reached
it fails. The results for everesports.com are similar. So I'd have to say that the problem is on their end.
ASKER
To: Jlevie no problem on the typo:)
Wow Sina is a huge isp provider in China -I think #1 or #2 ......
Yes i performed the same commands as you and I also got same results. Is there a way for me to further confirm this. ? "paranoia i guess" any other tools i might be able to use? I noticed you did not use "dig": Is that tool not as "reliable" as host?
Becasue my original problem is that my Mailserver is doing a DNS lookup and my NS can not find the record I am having failure of mail to these domains. Do you think i could place an entry in my e-mail servers host log to alleviate the DNS lookup failure? I will just try it.
Thanks
Wow Sina is a huge isp provider in China -I think #1 or #2 ......
Yes i performed the same commands as you and I also got same results. Is there a way for me to further confirm this. ? "paranoia i guess" any other tools i might be able to use? I noticed you did not use "dig": Is that tool not as "reliable" as host?
Becasue my original problem is that my Mailserver is doing a DNS lookup and my NS can not find the record I am having failure of mail to these domains. Do you think i could place an entry in my e-mail servers host log to alleviate the DNS lookup failure? I will just try it.
Thanks
> Is there a way for me to further confirm this. ?
What I placed in the comment was just a sample of what I saw on three, geographically diverse, Linux and Solaris boxes. That's two different instances of the lookup tools & Bind using widely varied routes to the servers in question. The only other thing to try would be to have someone in Europe or the Far East check the servers.
I used host rather than dig simply because it is less verbose. Either are viable tools for checking the response of a DNS server.
> Do you think i could place an entry in my e-mail servers host log to alleviate the DNS lookup failure?
If you address the mail to the FQDN of the maileserver for the domain a hosts file record will work. It won't help if you address the message to the domain (e.g., user@everesports.com) because Sendmail will still try to do an MX lookup.
What I placed in the comment was just a sample of what I saw on three, geographically diverse, Linux and Solaris boxes. That's two different instances of the lookup tools & Bind using widely varied routes to the servers in question. The only other thing to try would be to have someone in Europe or the Far East check the servers.
I used host rather than dig simply because it is less verbose. Either are viable tools for checking the response of a DNS server.
> Do you think i could place an entry in my e-mail servers host log to alleviate the DNS lookup failure?
If you address the mail to the FQDN of the maileserver for the domain a hosts file record will work. It won't help if you address the message to the domain (e.g., user@everesports.com) because Sendmail will still try to do an MX lookup.
I just tried greatmountain.com.cn I am based in the UK
dig greatmountain.com.cn
; <<>> DiG 9.2.4rc5 <<>> greatmountain.com.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31778
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;greatmountain.com.cn. IN A
;; ANSWER SECTION:
greatmountain.com.cn. 3600 IN A 210.51.168.38
;; AUTHORITY SECTION:
greatmountain.com.cn. 86400 IN NS ns.xinnet.cn.
greatmountain.com.cn. 86400 IN NS ns.xinnetdns.com.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 64 IN A 202.106.124.195
ns.xinnetdns.com. 140727 IN A 210.51.170.66
;; Query time: 806 msec
;; SERVER: 195.10.229.195#53(195.10.2
;; WHEN: Wed Sep 8 11:35:48 2004
;; MSG SIZE rcvd: 160
Hope that helps
dig greatmountain.com.cn
; <<>> DiG 9.2.4rc5 <<>> greatmountain.com.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31778
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;greatmountain.com.cn. IN A
;; ANSWER SECTION:
greatmountain.com.cn. 3600 IN A 210.51.168.38
;; AUTHORITY SECTION:
greatmountain.com.cn. 86400 IN NS ns.xinnet.cn.
greatmountain.com.cn. 86400 IN NS ns.xinnetdns.com.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 64 IN A 202.106.124.195
ns.xinnetdns.com. 140727 IN A 210.51.170.66
;; Query time: 806 msec
;; SERVER: 195.10.229.195#53(195.10.2
;; WHEN: Wed Sep 8 11:35:48 2004
;; MSG SIZE rcvd: 160
Hope that helps
Oh yeah check www.dnsstuff.com and www.dnsreport.com very useful sites for checking dns and email and the like.
Whatever the problem was with those DNS servers it looks like it is fixed as they work now...
ASKER
To everyone and jlevie:
It looks as if my server is still unable to resolve everesports.com or greatmountain.com.cn using host or dig all i get is connection timed out no servers could be reached. (You can use my server to query it. ns1.firstpath.com)
(jlevie are you still getting success?)
and can anyone point me into a direction as to why I seem to be the only one (aside from jlevie yesterday) who is not able to connect to these particular servers.?
Thanks
It looks as if my server is still unable to resolve everesports.com or greatmountain.com.cn using host or dig all i get is connection timed out no servers could be reached. (You can use my server to query it. ns1.firstpath.com)
(jlevie are you still getting success?)
and can anyone point me into a direction as to why I seem to be the only one (aside from jlevie yesterday) who is not able to connect to these particular servers.?
Thanks
Its possible server has probably cached the responce and is returning stale results
I just checked again and lookups are failing again, so I guess it was't really fixed.
When I said that I had tried this from "geographically diverse sites" I should have explained that. I used three sites in the US, each of which uses a different Tier 1 network provider, one site in South America, and a site in Sweden. So it isn't an isolated problem.
When I said that I had tried this from "geographically diverse sites" I should have explained that. I used three sites in the US, each of which uses a different Tier 1 network provider, one site in South America, and a site in Sweden. So it isn't an isolated problem.
ASKER
Well i restarted the server for a cache clear. I also downloaded and put in place the most current named.root file from FTP.Internic.net i then restarted the server and i still the following when i do a dig. ;
<<>> DiG 9.2.1 <<>> everesports.com
;; global options: printcmd
;; connection timed out; no servers could be reached
here is a successful dig on a company i know is out of china- (it seems to work)
Do you see anything in the below dig query that might point to a problem.. I do notice that the "Query" server is 127.0.0.1 is that OK? Its been set to this forever.
Thanks
; <<>> DiG 9.2.1 <<>> dkcity.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;dkcity.com. IN A
;; ANSWER SECTION:
dkcity.com. 85069 IN A 220.130.209.103
;; AUTHORITY SECTION:
dkcity.com. 171469 IN NS dns2.dkcity.com.
dkcity.com. 171469 IN NS dns1.dkcity.com.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 8 15:25:22 2004
;; MSG SIZE rcvd: 82
<<>> DiG 9.2.1 <<>> everesports.com
;; global options: printcmd
;; connection timed out; no servers could be reached
here is a successful dig on a company i know is out of china- (it seems to work)
Do you see anything in the below dig query that might point to a problem.. I do notice that the "Query" server is 127.0.0.1 is that OK? Its been set to this forever.
Thanks
; <<>> DiG 9.2.1 <<>> dkcity.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;dkcity.com. IN A
;; ANSWER SECTION:
dkcity.com. 85069 IN A 220.130.209.103
;; AUTHORITY SECTION:
dkcity.com. 171469 IN NS dns2.dkcity.com.
dkcity.com. 171469 IN NS dns1.dkcity.com.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 8 15:25:22 2004
;; MSG SIZE rcvd: 82
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
since mostly you all in US you may not be notice some of the access will scan by the china gov. and filter before it actuall get into china, I located in HK I can easy get into china, so try to route the thing through HK may be easier. I did try everesports.com and greatmountain.com.cn and got below result
[root@test root]# dig everesports.com
; <<>> DiG 9.2.0 <<>> everesports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;everesports.com. IN A
;; ANSWER SECTION:
everesports.com. 3600 IN A 61.152.160.207
;; AUTHORITY SECTION:
everesports.com. 172800 IN NS ns.xinnet.cn.
everesports.com. 172800 IN NS ns.xinnetdns.com.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 3600 IN A 202.106.124.195
;; Query time: 709 msec
;; SERVER: 192.168.0.11#53(192.168.0.
;; WHEN: Mon Sep 13 16:05:57 2004
;; MSG SIZE rcvd: 118
[root@test root]# dig greatmountain.com.cn
; <<>> DiG 9.2.0 <<>> greatmountain.com.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;greatmountain.com.cn. IN A
;; ANSWER SECTION:
greatmountain.com.cn. 3600 IN A 210.51.168.38
;; AUTHORITY SECTION:
greatmountain.com.cn. 86400 IN NS ns.xinnetdns.com.
greatmountain.com.cn. 86400 IN NS ns.xinnet.cn.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 3437 IN A 202.106.124.195
;; Query time: 656 msec
;; SERVER: 192.168.0.11#53(192.168.0.
;; WHEN: Mon Sep 13 16:08:40 2004
;; MSG SIZE rcvd: 124
and it's from a RH 8.0 testing PC. So jlevie is right only the routing problem.
[root@test root]# dig everesports.com
; <<>> DiG 9.2.0 <<>> everesports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;everesports.com. IN A
;; ANSWER SECTION:
everesports.com. 3600 IN A 61.152.160.207
;; AUTHORITY SECTION:
everesports.com. 172800 IN NS ns.xinnet.cn.
everesports.com. 172800 IN NS ns.xinnetdns.com.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 3600 IN A 202.106.124.195
;; Query time: 709 msec
;; SERVER: 192.168.0.11#53(192.168.0.
;; WHEN: Mon Sep 13 16:05:57 2004
;; MSG SIZE rcvd: 118
[root@test root]# dig greatmountain.com.cn
; <<>> DiG 9.2.0 <<>> greatmountain.com.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;greatmountain.com.cn. IN A
;; ANSWER SECTION:
greatmountain.com.cn. 3600 IN A 210.51.168.38
;; AUTHORITY SECTION:
greatmountain.com.cn. 86400 IN NS ns.xinnetdns.com.
greatmountain.com.cn. 86400 IN NS ns.xinnet.cn.
;; ADDITIONAL SECTION:
ns.xinnet.cn. 3437 IN A 202.106.124.195
;; Query time: 656 msec
;; SERVER: 192.168.0.11#53(192.168.0.
;; WHEN: Mon Sep 13 16:08:40 2004
;; MSG SIZE rcvd: 124
and it's from a RH 8.0 testing PC. So jlevie is right only the routing problem.
oh don't disclose this comment to any China office in US or other countries, if not I will disappear without any notice :( may be I should as EE admin to delete my comment here, it's also risk for this site. Try route the things through HK to see it's work or not.
I don't see where any Chinese authorities should get upset over what you posted. Everything there is a matter of public record and is freely available to anyone.
It seems that there are at least 6 dns servers that reply for quries about both everesports.com and greatmountain.com.cn they are -
ns.xinnet.cn
ns.xinnetdns.com
ns2.xinnetdns.com
ns2.xinnet.cn
dns.xinnet.com
dns2.xinnet.com
when queried, they dont respond as fast as my dns servers - but given the fact they are half way around the world it think their response is reasonablish....
I think that you should query the servers directly - like
dig @ns.xinnet.cn everesports.com
if none reply to you .... then jlevie might be right ... there might just be some internet routing problem.... or even willful filtering ??
once you find a few that work fine.... build forward zones in your dns like....
zone "everesports.com" {
type forward;
forwarders{202.106.124.194
};
then try with your dns again....
Nav.
ns.xinnet.cn
ns.xinnetdns.com
ns2.xinnetdns.com
ns2.xinnet.cn
dns.xinnet.com
dns2.xinnet.com
when queried, they dont respond as fast as my dns servers - but given the fact they are half way around the world it think their response is reasonablish....
I think that you should query the servers directly - like
dig @ns.xinnet.cn everesports.com
if none reply to you .... then jlevie might be right ... there might just be some internet routing problem.... or even willful filtering ??
once you find a few that work fine.... build forward zones in your dns like....
zone "everesports.com" {
type forward;
forwarders{202.106.124.194
};
then try with your dns again....
Nav.
Is your dns server asking it from other dns server like your isp ?