Date: Mon, 15 Dec 2014 20:25:56 -0800
From: Kevin Oberman <rkoberman@gmail.com>
To: Marcelo Gondim <gondim@bsdinfo.com.br>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: DNS resolution problem
Message-ID: <CAN6yY1sRRpgJiimiD--SnEzUaP24ujpcNKmxib5PO58mKm6mcw@mail.gmail.com>
In-Reply-To: <548F2250.3010507@bsdinfo.com.br>
References: <548C3072.10303@bsdinfo.com.br> <CAN6yY1tt-mr5pCLQ8p-S207jC_DB0vQ13Q6j8vovTxupSnJ1zQ@mail.gmail.com> <548F2250.3010507@bsdinfo.com.br>

On Mon, Dec 15, 2014 at 10:02 AM, Marcelo Gondim <gondim@bsdinfo.com.br> wrote:

> Hi Kevin,
>
> On 13/12/2014 23:44, Kevin Oberman wrote:
>
>> On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim <gondim@bsdinfo.com.br> wrote:
>>
>> Dear,
>>>
>>> I'm having trouble resolving domain name freebsd.org. The portsnap server
>>> works correctly but the pkg audit -F does not work and can not even access
>>> the site according to the following tests:
>>>
>>> # host ec2-sa-east-1.portsnap.freebsd.org
>>> ec2-sa-east-1.portsnap.freebsd.org has address 177.71.188.240
>>>
>>> # host vuxml.freebsd.org
>>> Host vuxml.freebsd.org not found: 3(NXDOMAIN)
>>>
>>> # host -a freebsd.org
>>> Trying "freebsd.org"
>>> Trying "freebsd.org.intnet.com.br"
>>> Host freebsd.org not found: 3(NXDOMAIN)
>>> Received 86 bytes from ::1#53 in 0 ms
>>>
>>> # host www.freebsd.org
>>> ;; connection timed out; no servers could be reached
>>>
>>> Only the first address I'm having name resolution
>>> (ec2-sa-east-1.portsnap.freebsd.org).
>>>
>>> My block IP: 186.193.48.0/20
>>>
>>> One could check for any restrictions on our IP block?
>>>
>>> I think a bit of DNS debugging is in order.
>>>
>> I could resolve all of the nodes you listed, but there are some potential
>> issues I see. First, when looking up hostname with host(1), always
>> terminate the name:
>>
>>> host -a freebsd.org.
>>>
>> Trying "freebsd.org"
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;freebsd.org. IN TYPE255
>>
>> ;; ANSWER SECTION:
>> freebsd.org. 534 IN AAAA 2001:1900:2254:206a::50:0
>> freebsd.org. 534 IN MX 10 mx1.freebsd.org.
>> freebsd.org. 534 IN A 8.8.178.110
>>
>> But "ANY" queries are fuzzy things at best as the first resolver you hit
>> will just return whatever is cached and not try getting an authoritative
>> response.
>>
>> www.freebsd.org and vuxml.freebsd.org are CNAME entries pointing to the
>> same place, 8.8.178.110. This is in FreeBSD's own address space from Yahoo
>> and is probably in the mail FreeBSD cluster. I was a bit surprised to find
>> that it is an Amazon AWS address, so the portsnap files are actually coming
>> from a totally different place.
>>
>> DNS is provided by ISC-SNS. 72.52.71.1, 38.103.2.1 and 63.243.194.1. Try
>> pinging these. Since BIND, the second oldest and most popular DNS server is
>> written and supported by ISA, I would think that it is well run. Try
>> pinging and tracing to these addresses. All of them are in very dispersed
>> locations on different provider backbones. (Cogent, Hurricane Electric, and
>> ISC, itself.) You might try directing queries to each system to see if one
>> fails when others succeed. Use "dig @server-addr host".
>>
> Other tests:
>
> # ping -c 5 NS1.ISC-SNS.NET
> PING ns1.isc-sns.net (72.52.71.1): 56 data bytes
> 64 bytes from 72.52.71.1: icmp_seq=0 ttl=56 time=144.327 ms
> 64 bytes from 72.52.71.1: icmp_seq=1 ttl=56 time=145.445 ms
> 64 bytes from 72.52.71.1: icmp_seq=2 ttl=56 time=144.999 ms
> 64 bytes from 72.52.71.1: icmp_seq=3 ttl=56 time=146.775 ms
> 64 bytes from 72.52.71.1: icmp_seq=4 ttl=56 time=145.207 ms
>
> --- ns1.isc-sns.net ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 144.327/145.351/146.775/0.804 ms
>
> # ping -c 5 NS2.ISC-SNS.COM
> PING ns2.isc-sns.com (38.103.2.1): 56 data bytes
> 64 bytes from 38.103.2.1: icmp_seq=0 ttl=54 time=133.839 ms
> 64 bytes from 38.103.2.1: icmp_seq=1 ttl=54 time=133.831 ms
> 64 bytes from 38.103.2.1: icmp_seq=2 ttl=54 time=133.972 ms
> 64 bytes from 38.103.2.1: icmp_seq=3 ttl=54 time=133.957 ms
> 64 bytes from 38.103.2.1: icmp_seq=4 ttl=54 time=133.851 ms
>
> --- ns2.isc-sns.com ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 133.831/133.890/133.972/0.061 ms
>
> # ping -c 5 NS3.ISC-SNS.INFO
> PING ns3.isc-sns.info (63.243.194.1): 56 data bytes
> 64 bytes from 63.243.194.1: icmp_seq=0 ttl=59 time=185.755 ms
> 64 bytes from 63.243.194.1: icmp_seq=1 ttl=59 time=185.790 ms
> 64 bytes from 63.243.194.1: icmp_seq=2 ttl=59 time=185.866 ms
> 64 bytes from 63.243.194.1: icmp_seq=3 ttl=59 time=185.931 ms
> 64 bytes from 63.243.194.1: icmp_seq=4 ttl=59 time=185.988 ms
>
> --- ns3.isc-sns.info ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 185.755/185.866/185.988/0.086 ms
>
> # host -a freebsd.org 72.52.71.1
> Trying "freebsd.org"
> ;; Truncated, retrying in TCP mode.
> Using domain server:
> Name: 72.52.71.1
> Address: 72.52.71.1#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15306
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 7
>
> ;; QUESTION SECTION:
> ;freebsd.org. IN TYPE255
>
> ;; ANSWER SECTION:
> freebsd.org. 3600 IN SOA ns0.freebsd.org. hostmaster.freebsd.org. 2014121517 3600 900 604800 600
> freebsd.org. 0 IN NSEC3PARAM 1 0 100 10238ec3108d6756
> freebsd.org. 600 IN NS ns3.isc-sns.info.
> freebsd.org. 600 IN NS ns2.isc-sns.com.
> freebsd.org. 600 IN NS ns1.isc-sns.net.
> freebsd.org. 600 IN TXT "v=spf1 redirect=_spf.freebsd.org"
> freebsd.org. 600 IN MX 10 mx1.freebsd.org.
> freebsd.org. 600 IN A 8.8.178.110
> freebsd.org. 600 IN AAAA 2001:1900:2254:206a::50:0
>
> ;; ADDITIONAL SECTION:
> ns1.isc-sns.net. 3600 IN A 72.52.71.1
> ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1
> ns2.isc-sns.com. 3600 IN A 38.103.2.1
> ns3.isc-sns.info. 3600 IN A 63.243.194.1
> ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1
> mx1.freebsd.org. 600 IN A 8.8.178.115
> mx1.freebsd.org. 600 IN AAAA 2001:1900:2254:206a::19:1
>
> Received 3670 bytes from 72.52.71.1#53 in 298 ms
>

So this server did return the requested information. You should really use
dig(1) for debugging. It provides more information like whether the AA bit
is set, DNSSEC data, etc. I am still unsure why you are issuing ANY queries,
though. If you want details, use "host -v".
Since you are querying an authoritative resolver, you are not dependent on
what is in cache, but the UDP reply is over 2K that is truncated and the
query is re-issued via TCP. This means that the behavior is entirely
different than a query for just address information. I would do:

# dig @72.52.71.1 freebsd.org.
# dig @38.103.2.1 freebsd.org.
# dig @8.8.178.115 freebsd.org.

Once your resolvers have cached the NS records, they should directly query
the servers shown and not walk the full tree.

From the NXDOMAIN replies, it looks like some system is lying about things.
I'm going to guess that system is incorrectly responding with NXDOMAIN when
some other error is occurring. That system is probably close to you. Try:

# dig freebsd.org.

That will do a standard query to whatever recursive resolver you normally
use. It will, hopefully, point at the culprit.

It is also possible that it is a firewall issue, where some security
software is sending a NXDOMAIN server to prevent further queries. This is
only a guess, but there are a limited number of places where the problem
might be generated and experience tells me it is almost certainly close to
your system.

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
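
Added example, not part of the original message: the comparison described above (authoritative servers versus the local resolver) reduced to the DNS header bits the message mentions, AA, TC and the response code. The header bytes are constructed from the flags printed in the thread; the id and flags of the NXDOMAIN reply from ::1 are assumed, since the thread shows only its status.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated: client retries over TCP
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def find_suspects(replies: dict) -> list:
    """Return servers whose rcode contradicts the authoritative (AA) replies."""
    headers = {srv: parse_header(raw) for srv, raw in replies.items()}
    # Only complete authoritative replies count as ground truth.
    truth = {h["rcode"] for h in headers.values() if h["aa"] and not h["tc"]}
    if len(truth) != 1:
        return []  # no single authoritative verdict to compare against
    expected = truth.pop()
    return sorted(srv for srv, h in headers.items()
                  if not h["aa"] and h["rcode"] != expected)

def header(ident, flags, an=0, ar=0):
    """Build a 12-byte header for the constructed samples below."""
    return struct.pack("!6H", ident, flags, 1, an, 0, ar)

# Constructed samples. First entry mirrors "flags: qr aa rd", NOERROR,
# ANSWER: 20, ADDITIONAL: 7 from the thread; second is an assumed
# non-authoritative NXDOMAIN (qr rd ra) standing in for the ::1 reply.
SAMPLES = {
    "72.52.71.1": header(15306, 0x8500, an=20, ar=7),
    "::1": header(0x1234, 0x8183),
}

if __name__ == "__main__":
    for srv, raw in SAMPLES.items():
        print(srv, parse_header(raw))
    print("suspect resolvers:", find_suspects(SAMPLES))
```

A non-authoritative NXDOMAIN that contradicts a NOERROR answer carrying the AA bit points at the resolver or middlebox nearest the client, which is the conclusion the message reaches.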