How would I debug a failed BIND DNS query?
I'm trying to figure out why a Windows 2k3 DNS server will resolve a query, but an openSUSE 11.0 box running BIND 9.4.2.xx won't. The BIND server on the openSUSE box has been running without any noticeable problems for well over a year. But today, I ran across a URL that it will not resolve. When I checked the URL with the Windows DNS server, the answer is immediately returned.
Both servers have updated root.hints, both are set to recursively resolve queries outside of their local authority. Neither are set to forward request to anyone else.
The Windows box is an internal server which ultimately is connected to the Internet through a 4.5 Mb/s T.
The Linux box is a dual homed server which is connected to the Internet through a business class 5 Mb/s cable modem with dedicated IP addresses.
As a test, I temporary set the BIND server to forward unknown requests to the 4.2.2.x servers. I was then able to successfully resolve the URL. But if I turn off forwarding and clear the cache, it returns to being unable to resolve the URL.
For the record, the URL is www.ukisp.com.
The attached code is the named.conf file from the Linux box.
TIA,
Ken Gramm
Both servers have updated root.hints, both are set to recursively resolve queries outside of their local authority. Neither are set to forward request to anyone else.
The Windows box is an internal server which ultimately is connected to the Internet through a 4.5 Mb/s T.
The Linux box is a dual homed server which is connected to the Internet through a business class 5 Mb/s cable modem with dedicated IP addresses.
As a test, I temporary set the BIND server to forward unknown requests to the 4.2.2.x servers. I was then able to successfully resolve the URL. But if I turn off forwarding and clear the cache, it returns to being unable to resolve the URL.
For the record, the URL is www.ukisp.com.
The attached code is the named.conf file from the Linux box.
TIA,
Ken Gramm
# Name: named.conf
# Last Updated: 2009-02-16
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { none; };
notify no;
recursion no;
};
logging {
channel default_log {
file "/log/named.log";
# Log levels: info, notice, warning, error, critical
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
category default { default_log; };
};
key master-slave.key {
algorithm HMAC-MD5;
secret "XR...blah blah blah...56d=";
};
acl "private-subnet" { 127.0.0.1/32; 10.1.100.0/24; };
view "internal-network" {
match-clients { "private-subnet"; };
recursion yes;
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone "100.1.10.in-addr.arpa" in {
type master;
file "dyn/10.1.100.zone";
allow-update { key master-slave.key; };
allow-transfer { key master-slave.key; };
notify yes;
};
zone "intern.example.com" in {
type master;
file "dyn/intern.example.com.zone";
allow-update { key master-slave.key; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "_msdcs.intern.example.com" in {
type master;
file "dyn/_msdcs.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "_sites.intern.example.com" in {
type master;
file "dyn/_sites.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "_tcp.intern.example.com" in {
type master;
file "dyn/_tcp.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "_udp.intern.example.com" in {
type master;
file "dyn/_udp.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "domaindnszones.intern.example.com" in {
type master;
file "dyn/domaindnszones.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
zone "forestdnszones.intern.example.com" in {
type master;
file "dyn/forestdnszones.intern.example.com.zone";
allow-update { 10.1.100.3; 10.1.100.4; };
allow-transfer { key master-slave.key; };
notify yes;
check-names ignore;
};
};
view "external-network" {
match-clients { "any"; };
zone "example.com" in {
type master;
file "master/example.com.zone";
allow-transfer { key master-slave.key; };
notify yes;
};
};
ASKER
Hello and thanks for your reply,
Yes, I can ping both of the remote name servers, but as you can see from the attached output, I get a time out when my box tries to actually connect to the remote name server.
K
Yes, I can ping both of the remote name servers, but as you can see from the attached output, I get a time out when my box tries to actually connect to the remote name server.
K
blizzard:~ # ping -c 10 80.175.52.2
PING 80.175.52.2 (80.175.52.2) 56(84) bytes of data.
64 bytes from 80.175.52.2: icmp_seq=1 ttl=51 time=169 ms
64 bytes from 80.175.52.2: icmp_seq=2 ttl=51 time=163 ms
64 bytes from 80.175.52.2: icmp_seq=3 ttl=51 time=170 ms
64 bytes from 80.175.52.2: icmp_seq=4 ttl=51 time=163 ms
64 bytes from 80.175.52.2: icmp_seq=5 ttl=51 time=164 ms
64 bytes from 80.175.52.2: icmp_seq=6 ttl=51 time=165 ms
64 bytes from 80.175.52.2: icmp_seq=7 ttl=51 time=166 ms
64 bytes from 80.175.52.2: icmp_seq=8 ttl=51 time=170 ms
64 bytes from 80.175.52.2: icmp_seq=9 ttl=51 time=165 ms
64 bytes from 80.175.52.2: icmp_seq=10 ttl=51 time=165 ms
--- 80.175.52.2 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9033ms
rtt min/avg/max/mdev = 163.379/166.537/170.780/2.562 ms
---------------------------------------------------------------------
blizzard:~ # ping -c 10 80.175.48.66
PING 80.175.48.66 (80.175.48.66) 56(84) bytes of data.
64 bytes from 80.175.48.66: icmp_seq=1 ttl=51 time=174 ms
64 bytes from 80.175.48.66: icmp_seq=2 ttl=51 time=165 ms
64 bytes from 80.175.48.66: icmp_seq=3 ttl=51 time=164 ms
64 bytes from 80.175.48.66: icmp_seq=4 ttl=51 time=167 ms
64 bytes from 80.175.48.66: icmp_seq=5 ttl=51 time=168 ms
64 bytes from 80.175.48.66: icmp_seq=6 ttl=51 time=163 ms
64 bytes from 80.175.48.66: icmp_seq=7 ttl=51 time=162 ms
64 bytes from 80.175.48.66: icmp_seq=8 ttl=51 time=165 ms
64 bytes from 80.175.48.66: icmp_seq=9 ttl=51 time=168 ms
64 bytes from 80.175.48.66: icmp_seq=10 ttl=51 time=166 ms
--- 80.175.48.66 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9037ms
rtt min/avg/max/mdev = 162.271/166.722/174.823/3.350 ms
---------------------------------------------------------------------
blizzard:~ # dig +trace @localhost www.ukisp.com
; <<>> DiG 9.4.2-P1 <<>> +trace @localhost www.ukisp.com
; (2 servers found)
;; global options: printcmd
. 472566 IN NS e.root-servers.net.
. 472566 IN NS g.root-servers.net.
. 472566 IN NS d.root-servers.net.
. 472566 IN NS m.root-servers.net.
. 472566 IN NS a.root-servers.net.
. 472566 IN NS l.root-servers.net.
. 472566 IN NS f.root-servers.net.
. 472566 IN NS j.root-servers.net.
. 472566 IN NS b.root-servers.net.
. 472566 IN NS i.root-servers.net.
. 472566 IN NS h.root-servers.net.
. 472566 IN NS c.root-servers.net.
. 472566 IN NS k.root-servers.net.
;; Received 500 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 491 bytes from 193.0.14.129#53(k.root-servers.net) in 204 ms
ukisp.com. 172800 IN NS ns0.ukisp.com.
ukisp.com. 172800 IN NS ns1.ukisp.com.
;; Received 99 bytes from 192.42.93.30#53(g.gtld-servers.net) in 83 ms
;; connection timed out; no servers could be reached
---------------------------------------------------------------------
blizzard:~ # dig +trace @80.175.52.2 www.ukisp.com
; <<>> DiG 9.4.2-P1 <<>> +trace @80.175.52.2 www.ukisp.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
---------------------------------------------------------------------
blizzard:~ # dig +trace @80.175.48.66 www.ukisp.com
; <<>> DiG 9.4.2-P1 <<>> +trace @80.175.48.66 www.ukisp.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reachedASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yeah, I figured as much, but figured it wouldn't hurt getting a second opinion.
For the record, the Linux DNS server in question does have a firewall installed on it, but I know for a fact that I am not filtering DNS traffic from the URL in question.
Also, as a final nail in the coffin, I activated DNS on a Win2K3 box behind the Linux box and tried to use it to query the remote site. I get the same response. So the failure has nothing to do with Linux vs. Windows. It has to be based on my IP address.
Thanks for responses.
K
For the record, the Linux DNS server in question does have a firewall installed on it, but I know for a fact that I am not filtering DNS traffic from the URL in question.
Also, as a final nail in the coffin, I activated DNS on a Win2K3 box behind the Linux box and tried to use it to query the remote site. I get the same response. So the failure has nothing to do with Linux vs. Windows. It has to be based on my IP address.
Thanks for responses.
K
Try:
ping 80.175.52.2
ping 80.175.48.66
If they are responding, try the following on the linux box:
dig +trace @localhost www.ukisp.com
dig +trace @80.175.52.2 www.ukisp.com
dig +trace @80.175.48.66 www.ukisp.com
Please post the output.