Bind not resolving some domain names

Discussion in 'Installation/Configuration' started by icemannz, Jul 13, 2010.

  1. icemannz

    icemannz New Member

    Hi all, I have set up ISPConfig3 on Debian by following the guide.
    The server is primarily a DNS server and I have set up BIND.
    It is all up and running and resolves both local and remote domain names ok.

    But there are a couple of domain names that it will not resolve.
    For eg:
    ns2:~# dig @localhost www.bridgebase.com

    ; <<>> DiG 9.5.1-P3 <<>> @localhost www.bridgebase.com
    ; (2 servers found)
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached

    And yet when I query another external name server for the same domain name it works correctly.
    I don't understand why it is only failing for a couple of domain names.

    Here is the 2nd domain name that fails:
    ns2:~# dig @localhost www.rabobank.com.au

    ; <<>> DiG 9.5.1-P3 <<>> @localhost www.rabobank.com.au
    ; (2 servers found)
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached

    Any help would be appreciated.
     
  2. till

    till Super Moderator

    1) Are these domains (that fail) locally configured on your server?
    2) Does a query like "dig @localhost www.google.com" work?
     
  3. icemannz

    icemannz New Member

    Hi Till,
    No these are remote domains that I have nothing to do with.
    If I do a dig "@localhost www.google.com" - it works perfectly.
    And any other domain works correctly too.

    It is only these 2 domain names that fail.
     
  4. matty

    matty New Member

    I've seen weird stuff like that before. It often comes down to some network issue between your server and one of the resolving name servers. Some possibilities could be firewalling, routing, & bogons.

    One simple firewalling mistake is that some network administrators only allow port 53/UDP through, but not 53/TCP. The latter is needed when the reply is too large: it comes back truncated and is re-requested via TCP, so the request fails. The other, bogons, is when the network admin blocks bogons, but hasn't updated the list when new IP ranges are activated.

    From your nameserver, try "dig www.bridgebase.com +trace" and see if you can see where things fail. That might help you track down any issues.
     
  5. falko

    falko Super Moderator

    Can you post the bridgebase.com zone file?
     
  6. icemannz

    icemannz New Member

    Hi all,
    as previously mentioned the bridgebase.com domain name is not mine, it is just a domain on the internet that my name server cannot resolve.

    Anyway I found that if I go to the options in Bind and put in a couple of DNS forwarders from a local ISP, then it all works.
    Obviously it is getting the correct address from the forwarders and for now I can live with that.

    I think that Matty is on the right track as when I do a traceroute to www.bridgebase.com
    I get a lot of * * * * and the reply takes a long time. So I believe there may be some route issue somewhere that is causing the issues.

    eg:
    traceroute to www.bridgebase.com. (70.84.167.229), 30 hops max, 40 byte packets
    1 10.50.0.254 (10.50.0.254) 0.290 ms 0.221 ms 0.208 ms
    2 x.x.x.x (x.x.x.x) 2.118 ms 2.036 ms 2.019 ms
    3 73.27.69.111.dynamic.snap.net.nz (111.69.27.73) 1.640 ms 1.588 ms 1.542 ms
    4 g0-1-0-969.icore2.tspn.telstraclear.net (203.98.4.25) 44.816 ms 44.757 ms 44.702 ms
    5 203.167.233.10 (203.167.233.10) 44.683 ms 44.656 ms 44.604 ms
    6 i-13-1-0.wil-core02.bx.reach.com (202.84.142.110) 168.637 ms 168.171 ms 168.017 ms
    7 i-1-1.eqla01.bi.reach.com (202.84.251.194) 167.948 ms 168.272 ms 168.169 ms
    8 gblx-peer.eqla01.pr.reach.com (134.159.63.202) 144.826 ms 144.812 ms 144.821 ms
    9 The-Planet.TenGigabitEthernet2-3.ar2.HOU1.gblx.net (64.214.196.58) 178.425 ms 178.425 ms 178.370 ms
    10 et5-4.ibr03.dllstx3.theplanet.com (70.87.253.49) 179.701 ms 179.660 ms 179.633 ms
    11 te3-5.dsr01.dllstx3.theplanet.com (70.87.253.86) 185.946 ms 185.902 ms te7-1.dsr01.dllstx3.theplanet.com (70.87.253.2) 184.649 ms
    12 te3-3.dsr02.dllstx2.theplanet.com (70.87.253.126) 184.623 ms 42.ff.5746.static.theplanet.com (70.87.255.66) 179.578 ms te1-3.dsr02.dllstx2.theplanet.com (70.87.253.122) 180.159 ms
    13 te1-1.car09.dllstx6.theplanet.com (70.87.254.202) 179.751 ms te1-2.car09.dllstx6.theplanet.com (70.87.254.206) 180.637 ms 180.557 ms
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *

    dig www.bridgebase.com +trace

    ; <<>> DiG 9.5.1-P3 <<>> www.bridgebase.com +trace
    ;; global options: printcmd
    . 44845 IN NS l.root-servers.net.
    . 44845 IN NS a.root-servers.net.
    . 44845 IN NS e.root-servers.net.
    . 44845 IN NS m.root-servers.net.
    . 44845 IN NS g.root-servers.net.
    . 44845 IN NS c.root-servers.net.
    . 44845 IN NS b.root-servers.net.
    . 44845 IN NS j.root-servers.net.
    . 44845 IN NS f.root-servers.net.
    . 44845 IN NS d.root-servers.net.
    . 44845 IN NS h.root-servers.net.
    . 44845 IN NS i.root-servers.net.
    . 44845 IN NS k.root-servers.net.
    ;; Received 288 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

    com. 172800 IN NS a.gtld-servers.net.
    com. 172800 IN NS b.gtld-servers.net.
    com. 172800 IN NS c.gtld-servers.net.
    com. 172800 IN NS d.gtld-servers.net.
    com. 172800 IN NS e.gtld-servers.net.
    com. 172800 IN NS f.gtld-servers.net.
    com. 172800 IN NS g.gtld-servers.net.
    com. 172800 IN NS h.gtld-servers.net.
    com. 172800 IN NS i.gtld-servers.net.
    com. 172800 IN NS j.gtld-servers.net.
    com. 172800 IN NS k.gtld-servers.net.
    com. 172800 IN NS l.gtld-servers.net.
    com. 172800 IN NS m.gtld-servers.net.
    ;; Received 499 bytes from 199.7.83.42#53(l.root-servers.net) in 150 ms

    bridgebase.com. 172800 IN NS ns1.theplanet.com.
    bridgebase.com. 172800 IN NS ns2.theplanet.com.
    ;; Received 114 bytes from 192.26.92.30#53(c.gtld-servers.net) in 223 ms

    ;; connection timed out; no servers could be reached
     
  7. dcy

    dcy New Member

    I don't think that is the problem (I also get the same asterisks, i.e. filtered ICMP), but the query against my BIND works correctly.

    Here is how the result of the above query looks on my server:
    Code:
    ; <<>> DiG 9.5.1-P2.1 <<>> A www.bridgebase.com +trace
    ;; global options:  printcmd
    .                       219603  IN      NS      c.root-servers.net.
    .                       219603  IN      NS      g.root-servers.net.
    .                       219603  IN      NS      f.root-servers.net.
    .                       219603  IN      NS      m.root-servers.net.
    .                       219603  IN      NS      b.root-servers.net.
    .                       219603  IN      NS      d.root-servers.net.
    .                       219603  IN      NS      i.root-servers.net.
    .                       219603  IN      NS      j.root-servers.net.
    .                       219603  IN      NS      h.root-servers.net.
    .                       219603  IN      NS      a.root-servers.net.
    .                       219603  IN      NS      e.root-servers.net.
    .                       219603  IN      NS      k.root-servers.net.
    .                       219603  IN      NS      l.root-servers.net.
    ;; Received 512 bytes from 172.31.1.1#53(172.31.1.1) in 0 ms
    
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    ;; Received 499 bytes from 128.63.2.53#53(h.root-servers.net) in 117 ms
    
    bridgebase.com.         172800  IN      NS      ns1.theplanet.com.
    bridgebase.com.         172800  IN      NS      ns2.theplanet.com.
    ;; Received 114 bytes from 192.26.92.30#53(c.gtld-servers.net) in 104 ms
    
    www.bridgebase.com.     86400   IN      A       70.84.167.229
    bridgebase.com.         86400   IN      NS      ns1.theplanet.com.
    bridgebase.com.         86400   IN      NS      ns2.theplanet.com.
    ;; Received 130 bytes from 207.218.247.135#53(ns1.theplanet.com) in 159 ms
    
    Can you try updating your root.hints file?

    First find out your BIND datadir (typically /etc/bind) and open your named.conf file.

    Check the file for the following sections:
    Code:
    options {
            directory "/etc/namedb";
    
    and
    Code:
    zone "." {
            type hint;
            file "root.hints";
    };
    So for me my root.hints file is in /etc/namedb/root.hints

    Next make a backup of the existing hint file - so cp /etc/namedb/root.hints /etc/namedb/root.hints.backup.

    And finally update the root.hints file:
    Code:
    dig +bufsize=1200 +norec NS . @a.root-servers.net > /etc/namedb/root.hints
    Do an rndc reload and try testing the name resolution now.

    D.
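    The refresh dcy describes, as an added example that is not from this thread or from BIND itself: a shell script that writes the new hints to a temporary file and validates it before touching the live one, because `dig ... > root.hints` truncates the file even when the query times out. The path in HINTS is an assumption; use the "directory" and "file" values from your own named.conf.

```shell
#!/bin/sh
# Added example (not from the thread): refresh BIND's root hints as dcy
# describes, but replace the live file only after the new one has been
# checked. Redirecting dig straight into root.hints truncates it even when
# the query times out, leaving BIND with no usable hints.
# HINTS is an assumed path; use the "directory" and "file" from named.conf.
HINTS="${HINTS:-/etc/namedb/root.hints}"

# Exit 0 when the file looks like a usable hints file: non-empty, no dig
# timeout text, at least one NS record for "." and one A glue record.
validate_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    ! grep -q '^;; connection timed out' "$f" || return 1
    ns=$(awk '$1 == "." && $4 == "NS" { n++ } END { print n + 0 }' "$f")
    glue=$(awk '$4 == "A" { n++ } END { print n + 0 }' "$f")
    [ "$ns" -ge 1 ] && [ "$glue" -ge 1 ] || return 1
    return 0
}

# Fetch, validate, back up, swap in, reload: the thread's steps, guarded.
refresh_root_hints() {
    tmp=$(mktemp) || return 1
    dig +bufsize=1200 +norec NS . @a.root-servers.net > "$tmp" 2>&1
    if validate_hints "$tmp"; then
        cp -p "$HINTS" "$HINTS.backup" && mv "$tmp" "$HINTS" && rndc reload
    else
        echo "new hints failed validation, keeping $HINTS unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Run the refresh only when invoked with --run, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then refresh_root_hints; fi
```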
     
  8. matty

    matty New Member

    OK, that pretty much means you can't talk DNS to ns1 & ns2.theplanet.com. I guess a dig +trace to the other domain would be similar. I had a quick look at the IPs for theplanet nameservers and they don't appear to have been bogons, so there's a good chance of 53/TCP filtering or a routing issue. Try something like "dig www.bridgebase.com +notcp +trace" and see what shakes out.

    Kind of a shame to have to use forwarders as it leaves you at the mercy of the upstream DNS admin. It's like buying your own dog and then getting your neighbour's dog to do the barking. :p
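    Automating the reading matty gives the trace above, as an added example that is not part of this thread's posts or of the dig tooling: a shell function that scans `dig +trace` output and names the last server that replied and the servers it delegated to that never answered. It assumes the output layout shown in the thread (delegation records followed by a ";; Received ... from" line); the sample input is constructed from the failing trace posted above.

```shell
#!/bin/sh
# Added example (not from the thread): reads `dig +trace` output on stdin and
# reports where the delegation chain broke, automating the reading matty gave
# above. Prints "OK" when a final answer was received; otherwise names the
# last server that replied and the servers it delegated to that never did.
trace_failure_point() {
    awk '
        # NS record: remember the delegation target for the current step.
        $4 == "NS" { cur = cur " " $5; next }
        # DS and RRSIG accompany delegations in DNSSEC-aware dig output.
        $4 == "DS" || $4 == "RRSIG" { next }
        # ";; Received N bytes from IP#53(name)": the records above came from name.
        /^;; Received/ {
            split($6, p, "[(]")
            last_ok = substr(p[2], 1, length(p[2]) - 1)
            delegated = substr(cur, 2); cur = ""; next
        }
        # Any other record (A, AAAA, CNAME, ...) means a final answer arrived.
        $3 == "IN" { answered = 1 }
        /^;; connection timed out/ { timed_out = 1 }
        END {
            if (answered && !timed_out) { print "OK"; exit }
            if (last_ok == "") { print "no server replied at all"; exit }
            printf "last reply from %s; no reply from: %s\n", last_ok, delegated
        }'
}

# Constructed input modelled on the failing trace posted in this thread
# (abbreviated to one root server and one .com server).
sample_failing_trace() {
    cat <<'EOF'
; <<>> DiG 9.5.1-P3 <<>> www.bridgebase.com +trace
.                       44845   IN      NS      l.root-servers.net.
;; Received 288 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com.                    172800  IN      NS      c.gtld-servers.net.
;; Received 499 bytes from 199.7.83.42#53(l.root-servers.net) in 150 ms

bridgebase.com.         172800  IN      NS      ns1.theplanet.com.
bridgebase.com.         172800  IN      NS      ns2.theplanet.com.
;; Received 114 bytes from 192.26.92.30#53(c.gtld-servers.net) in 223 ms

;; connection timed out; no servers could be reached
EOF
}

sample_failing_trace | trace_failure_point
# Live use on the resolver itself: dig www.bridgebase.com +trace | trace_failure_point
```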
     
  9. dcy

    dcy New Member

    Just out of interest, can you try running

    Code:
    dig NS theplanet.com @c.gtld-servers.net
    please?

    D.
     
