
How would I debug a failed BIND DNS query?

I'm trying to figure out why a Windows 2k3 DNS server will resolve a query, but an openSUSE 11.0 box running BIND 9.4.2.xx won't.  The BIND server on the openSUSE box has been running without any noticeable problems for well over a year.  But today, I ran across a URL that it will not resolve.  When I checked the URL with the Windows DNS server, the answer is immediately returned.

Both servers have updated root.hints, both are set to recursively resolve queries outside of their local authority.  Neither is set to forward requests to anyone else.

The Windows box is an internal server which ultimately is connected to the Internet through a 4.5 Mb/s T.

The Linux box is a dual homed server which is connected to the Internet through a business class 5 Mb/s cable modem with dedicated IP addresses.

As a test, I temporarily set the BIND server to forward unknown requests to the 4.2.2.x servers.  I was then able to successfully resolve the URL.  But if I turn off forwarding and clear the cache, it returns to being unable to resolve the URL.

For the record, the URL is www.ukisp.com.

The attached code is the named.conf file from the Linux box.

TIA,

Ken Gramm
# Name: named.conf
# Last Updated: 2009-02-16
 
options {
	directory "/var/lib/named";
	dump-file "/var/log/named_dump.db";
	statistics-file "/var/log/named.stats";
	listen-on-v6 { none; };
	notify no;
	recursion no;
};
 
logging {
	channel default_log {
		file "/log/named.log";
		# Log levels: info, notice, warning, error, critical
		severity warning;
		print-category yes;
		print-severity yes;
		print-time yes;
	 };
	category default { default_log;  };
};
 
key master-slave.key {
	algorithm HMAC-MD5;
	secret "XR...blah blah blah...56d=";
};
 
 
acl "private-subnet" { 127.0.0.1/32; 10.1.100.0/24; };
 
view "internal-network" {
	match-clients { "private-subnet"; };
	recursion yes;
	
	zone "." in {
		type hint;
		file "root.hint";
	};
 
	zone "localhost" in {
		type master;
		file "localhost.zone";
	};
 
	zone "0.0.127.in-addr.arpa" in {
		type master;
		file "127.0.0.zone";
	};
 
	zone "100.1.10.in-addr.arpa" in {
		type master;
		file "dyn/10.1.100.zone";
		allow-update { key master-slave.key; };
		allow-transfer { key master-slave.key; };
		notify yes;
	};
 
	zone "intern.example.com" in {
		type master;
		file "dyn/intern.example.com.zone";
		allow-update { key master-slave.key; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "_msdcs.intern.example.com" in {
		type master;
		file "dyn/_msdcs.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "_sites.intern.example.com" in {
		type master;
		file "dyn/_sites.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "_tcp.intern.example.com" in {
		type master;
		file "dyn/_tcp.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "_udp.intern.example.com" in {
		type master;
		file "dyn/_udp.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "domaindnszones.intern.example.com" in {
		type master;
		file "dyn/domaindnszones.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
	zone "forestdnszones.intern.example.com" in {
		type master;
		file "dyn/forestdnszones.intern.example.com.zone";
		allow-update { 10.1.100.3; 10.1.100.4; };
		allow-transfer { key master-slave.key; };
		notify yes;
		check-names ignore;
	};
 
};
 
view "external-network" {
	match-clients { "any"; };
 
	zone "example.com" in {
		type master;
		file "master/example.com.zone";
		allow-transfer { key master-slave.key; };
		notify yes;
	};
};

Asked by: Code3_HelpDesk
1 Solution
 
amnonnes commented:
Can your Linux server ping the UKISP servers?
Try:
ping 80.175.52.2
ping 80.175.48.66
If they are responding, try the following on the Linux box:

dig +trace @localhost www.ukisp.com
dig +trace @80.175.52.2 www.ukisp.com
dig +trace @80.175.48.66 www.ukisp.com

Please post the output.
 
Code3_HelpDesk (Author) commented:
Hello and thanks for your reply,

Yes, I can ping both of the remote name servers, but as you can see from the attached output, I get a timeout when my box tries to actually connect to the remote name server.

K
blizzard:~ # ping -c 10 80.175.52.2
PING 80.175.52.2 (80.175.52.2) 56(84) bytes of data.
64 bytes from 80.175.52.2: icmp_seq=1 ttl=51 time=169 ms
64 bytes from 80.175.52.2: icmp_seq=2 ttl=51 time=163 ms
64 bytes from 80.175.52.2: icmp_seq=3 ttl=51 time=170 ms
64 bytes from 80.175.52.2: icmp_seq=4 ttl=51 time=163 ms
64 bytes from 80.175.52.2: icmp_seq=5 ttl=51 time=164 ms
64 bytes from 80.175.52.2: icmp_seq=6 ttl=51 time=165 ms
64 bytes from 80.175.52.2: icmp_seq=7 ttl=51 time=166 ms
64 bytes from 80.175.52.2: icmp_seq=8 ttl=51 time=170 ms
64 bytes from 80.175.52.2: icmp_seq=9 ttl=51 time=165 ms
64 bytes from 80.175.52.2: icmp_seq=10 ttl=51 time=165 ms
 
--- 80.175.52.2 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9033ms
rtt min/avg/max/mdev = 163.379/166.537/170.780/2.562 ms
 
---------------------------------------------------------------------
 
blizzard:~ # ping -c 10 80.175.48.66
PING 80.175.48.66 (80.175.48.66) 56(84) bytes of data.
64 bytes from 80.175.48.66: icmp_seq=1 ttl=51 time=174 ms
64 bytes from 80.175.48.66: icmp_seq=2 ttl=51 time=165 ms
64 bytes from 80.175.48.66: icmp_seq=3 ttl=51 time=164 ms
64 bytes from 80.175.48.66: icmp_seq=4 ttl=51 time=167 ms
64 bytes from 80.175.48.66: icmp_seq=5 ttl=51 time=168 ms
64 bytes from 80.175.48.66: icmp_seq=6 ttl=51 time=163 ms
64 bytes from 80.175.48.66: icmp_seq=7 ttl=51 time=162 ms
64 bytes from 80.175.48.66: icmp_seq=8 ttl=51 time=165 ms
64 bytes from 80.175.48.66: icmp_seq=9 ttl=51 time=168 ms
64 bytes from 80.175.48.66: icmp_seq=10 ttl=51 time=166 ms
 
--- 80.175.48.66 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9037ms
rtt min/avg/max/mdev = 162.271/166.722/174.823/3.350 ms
 
---------------------------------------------------------------------
 
blizzard:~ # dig +trace @localhost www.ukisp.com
 
; <<>> DiG 9.4.2-P1 <<>> +trace @localhost www.ukisp.com
; (2 servers found)
;; global options:  printcmd
.                       472566  IN      NS      e.root-servers.net.
.                       472566  IN      NS      g.root-servers.net.
.                       472566  IN      NS      d.root-servers.net.
.                       472566  IN      NS      m.root-servers.net.
.                       472566  IN      NS      a.root-servers.net.
.                       472566  IN      NS      l.root-servers.net.
.                       472566  IN      NS      f.root-servers.net.
.                       472566  IN      NS      j.root-servers.net.
.                       472566  IN      NS      b.root-servers.net.
.                       472566  IN      NS      i.root-servers.net.
.                       472566  IN      NS      h.root-servers.net.
.                       472566  IN      NS      c.root-servers.net.
.                       472566  IN      NS      k.root-servers.net.
;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
 
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 193.0.14.129#53(k.root-servers.net) in 204 ms
 
ukisp.com.              172800  IN      NS      ns0.ukisp.com.
ukisp.com.              172800  IN      NS      ns1.ukisp.com.
;; Received 99 bytes from 192.42.93.30#53(g.gtld-servers.net) in 83 ms
 
;; connection timed out; no servers could be reached
 
---------------------------------------------------------------------
 
blizzard:~ # dig +trace @80.175.52.2 www.ukisp.com
 
; <<>> DiG 9.4.2-P1 <<>> +trace @80.175.52.2 www.ukisp.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
 
---------------------------------------------------------------------
 
blizzard:~ # dig +trace @80.175.48.66 www.ukisp.com
 
; <<>> DiG 9.4.2-P1 <<>> +trace @80.175.48.66 www.ukisp.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

 
amnonnes commented:
You must have a firewall somewhere (either yours or theirs or something in between) that blocks port 53/UDP...

Can you check?
Also, check to see if there is a firewall defined on the Linux box:
iptables-save

Also - they might be blocking you from their DNS for some reason...

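Added example, not from this thread and not part of BIND or dig: a small Python probe that hand-builds the DNS query for the name above and sends it to a server over both 53/UDP and 53/TCP, which separates "the host answers ICMP" from "port 53 is reachable", the distinction amnonnes draws. The function names and the fixed transaction id are my own; the name and addresses are the ones quoted earlier in the thread.

```python
import socket
import struct
NAME = "www.ukisp.com"  # the name from this thread; ns0/ns1.ukisp.com were 80.175.52.2 and 80.175.48.66

def encode_name(name: str) -> bytes:
    """'www.ukisp.com' -> b'\\x03www\\x05ukisp\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """RD clear (asking an authority, not a recursor) + one A/IN question; a fixed id suits a manual probe."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def parse_reply(data: bytes, txid: int = 0x1234) -> dict:
    """Decode the reply header: id match, QR bit, RCODE and answer/authority counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x0F, "answers": an, "authority": ns}

def exchange(q: bytes, server: str, tcp: bool, timeout: float) -> bytes:
    """Raw query/response over one transport; raises socket.timeout or OSError."""
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack(">H", len(q)) + q)  # TCP DNS is length-prefixed
            hdr = t.recv(2)
            length = struct.unpack(">H", hdr)[0] if len(hdr) == 2 else 0  # 0 if the peer closed early
            return t.recv(length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        return u.recv(4096)

def probe(server: str, name: str = NAME, timeout: float = 3.0) -> dict:
    """'timeout' on both transports while ping works suggests port 53 is filtered; a reset/unreachable error means the host answered."""
    q, result = build_query(name), {}
    for proto, tcp in (("udp", False), ("tcp", True)):
        try:
            result[proto] = parse_reply(exchange(q, server, tcp, timeout))
        except socket.timeout:
            result[proto] = "timeout"
        except (OSError, ValueError) as e:  # ECONNREFUSED, ICMP unreachable, truncated reply
            result[proto] = f"error: {getattr(e, 'strerror', None) or e}"
    return result
```

Call `probe("80.175.52.2")` from a Python shell on the BIND host; "timeout" on both transports alongside the successful pings above is the firewall symptom described here, whereas an explicit error means the packets did reach the host.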
 
Code3_HelpDesk (Author) commented:
Yeah, I figured as much, but figured it wouldn't hurt to get a second opinion.

For the record, the Linux DNS server in question does have a firewall installed on it, but I know for a fact that I am not filtering DNS traffic from the URL in question.

Also, as a final nail in the coffin, I activated DNS on a Win2K3 box behind the Linux box and tried to use it to query the remote site.  I get the same response.  So the failure has nothing to do with Linux vs. Windows.  It has to be based on my IP address.

Thanks for the responses.

K