Date: Tue, 16 Dec 2014 10:47:36 -0200 From: Marcelo Gondim <gondim@bsdinfo.com.br> To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: DNS resolution problem Message-ID: <549029E8.2020508@bsdinfo.com.br> In-Reply-To: <CAN6yY1sRRpgJiimiD--SnEzUaP24ujpcNKmxib5PO58mKm6mcw@mail.gmail.com> References: <548C3072.10303@bsdinfo.com.br> <CAN6yY1tt-mr5pCLQ8p-S207jC_DB0vQ13Q6j8vovTxupSnJ1zQ@mail.gmail.com> <548F2250.3010507@bsdinfo.com.br> <CAN6yY1sRRpgJiimiD--SnEzUaP24ujpcNKmxib5PO58mKm6mcw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 16/12/2014 02:25, Kevin Oberman wrote: > On Mon, Dec 15, 2014 at 10:02 AM, Marcelo Gondim > <gondim@bsdinfo.com.br <mailto:gondim@bsdinfo.com.br>> wrote: > > Hi Kevin, > > On 13/12/2014 23:44, Kevin Oberman wrote: > > On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim > <gondim@bsdinfo.com.br <mailto:gondim@bsdinfo.com.br>> > wrote: > > Dear, > > I'm having trouble resolving domain name freebsd.org > <http://freebsd.org>. The portsnap server > works correctly but the pkg audit -F does not work and can > not even access > the site according to the following tests: > > # host ec2-sa-east-1.portsnap.freebsd.org > <http://ec2-sa-east-1.portsnap.freebsd.org>; > ec2-sa-east-1.portsnap.freebsd.org > <http://ec2-sa-east-1.portsnap.freebsd.org>; has address > 177.71.188.240 > > # host vuxml.freebsd.org <http://vuxml.freebsd.org>; > Host vuxml.freebsd.org <http://vuxml.freebsd.org>; not > found: 3(NXDOMAIN) > > # host -a freebsd.org <http://freebsd.org>; > Trying "freebsd.org <http://freebsd.org>" > Trying "freebsd.org.intnet.com.br > <http://freebsd.org.intnet.com.br>" > Host freebsd.org <http://freebsd.org>; not found: 3(NXDOMAIN) > Received 86 bytes from ::1#53 in 0 ms > > # host www.freebsd.org <http://www.freebsd.org>; > ;; connection timed out; no servers could be reached > > Only the first address I'm having name resolution > (ec2-sa-east-1.portsnap. > freebsd.org <http://freebsd.org>). > > My block IP: 186.193.48.0/20 <http://186.193.48.0/20>; > > One could check for any restrictions on our IP block? > > I think a bit of DNS debugging is in order. > > I could resolve all of the nodes you listed, but there are > some potential > issues I see. First, when looking up hostname with host(1), > always > terminate the name: > > host -a freebsd.org <http://freebsd.org>. > > Trying "freebsd.org <http://freebsd.org>" > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, > ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;freebsd.org <http://freebsd.org>. IN TYPE255 > > ;; ANSWER SECTION: > freebsd.org <http://freebsd.org>. 534 IN AAAA > 2001:1900:2254:206a::50:0 > freebsd.org <http://freebsd.org>. 534 IN MX 10 > mx1.freebsd.org <http://mx1.freebsd.org>. > freebsd.org <http://freebsd.org>. 534 IN A > 8.8.178.110 > > But "ANY" queries are fuzzy things at best as the first > resolver you hit > will just return whatever is cached and not try getting an > authoritative > response. > > www.freebsd.org <http://www.freebsd.org>; and vuxml.freebsd.org > <http://vuxml.freebsd.org>; are CNAME entries pointing to the > same place, 8.8.178.110. This is in FreeBSD's own address > space from Yahoo > nd is probably in the mail FreeBSD cluster. I was a bit > surprised to find > that is is an Amazon AWS address, so the portsnap files are > actually coming > from a totally different place. > > DNS is provided by ISC-SNS. 72.52.71.1, 38.103.2.1 and > 63.243.194.1. Try > pinging these. Since BIND, the second oldest and most popular > DNS server is > written and supported by ISA, I would think that it is well > run. Try > pinging and tracing to these addresses. All of them are in > very dispersed > locations on different provider backbones. (Cogent, Hurricane > Electric, and > ISC, itself. You might try directing queries to each system to > see if one > fails when other succeed. Use "dig @servr-addr host". > > Other tests: > > # ping -c 5 NS1.ISC-SNS.NET <http://NS1.ISC-SNS.NET>; > PING ns1.isc-sns.net <http://ns1.isc-sns.net>; (72.52.71.1): 56 > data bytes > 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=0 ttl=56 > time=144.327 ms > 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=1 ttl=56 > time=145.445 ms > 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=2 ttl=56 > time=144.999 ms > 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=3 ttl=56 > time=146.775 ms > 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=4 ttl=56 > time=145.207 ms > > --- ns1.isc-sns.net <http://ns1.isc-sns.net>; ping statistics --- > 5 packets transmitted, 5 packets received, 0.0% packet loss > round-trip min/avg/max/stddev = 144.327/145.351/146.775/0.804 ms > > # ping -c 5 NS2.ISC-SNS.COM <http://NS2.ISC-SNS.COM>; > PING ns2.isc-sns.com <http://ns2.isc-sns.com>; (38.103.2.1): 56 > data bytes > 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=0 ttl=54 > time=133.839 ms > 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=1 ttl=54 > time=133.831 ms > 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=2 ttl=54 > time=133.972 ms > 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=3 ttl=54 > time=133.957 ms > 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=4 ttl=54 > time=133.851 ms > > --- ns2.isc-sns.com <http://ns2.isc-sns.com>; ping statistics --- > 5 packets transmitted, 5 packets received, 0.0% packet loss > round-trip min/avg/max/stddev = 133.831/133.890/133.972/0.061 ms > > # ping -c 5 NS3.ISC-SNS.INFO <http://NS3.ISC-SNS.INFO>; > PING ns3.isc-sns.info <http://ns3.isc-sns.info>; (63.243.194.1): 56 > data bytes > 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=0 > ttl=59 time=185.755 ms > 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=1 > ttl=59 time=185.790 ms > 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=2 > ttl=59 time=185.866 ms > 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=3 > ttl=59 time=185.931 ms > 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=4 > ttl=59 time=185.988 ms > > --- ns3.isc-sns.info <http://ns3.isc-sns.info>; ping statistics --- > 5 packets transmitted, 5 packets received, 0.0% packet loss > round-trip min/avg/max/stddev = 185.755/185.866/185.988/0.086 ms > > # host -a freebsd.org <http://freebsd.org>; 72.52.71.1 > Trying "freebsd.org <http://freebsd.org>" > ;; Truncated, retrying in TCP mode. > Using domain server: > Name: 72.52.71.1 > Address: 72.52.71.1#53 > Aliases: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15306 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 7 > > ;; QUESTION SECTION: > ;freebsd.org <http://freebsd.org>. IN TYPE255 > > ;; ANSWER SECTION: > freebsd.org <http://freebsd.org>. 3600 IN SOA > ns0.freebsd.org <http://ns0.freebsd.org>. hostmaster.freebsd.org > <http://hostmaster.freebsd.org>. 2014121517 <tel:2014121517> 3600 > 900 604800 600 > freebsd.org <http://freebsd.org>. 3600 IN RRSIG > SOA 8 2 3600 20141229134836 20141215162412 22689 freebsd.org > <http://freebsd.org>. > Li3FZ22mk+j4FbIRp7rQD/QS/m3UCFvMDqdUfdLBOPEpOiCTLue+5xFhtr6mLwJ6mYzbsATM3rHN/O+B1VF3VzytnOOYh0QvoqpjxwGcUWNAkAlOCFDrqaS5wp9PfWOBJ+1q+xbkgC/iwBmasqb06G1WpcvpRq9kYoZUum8RxAGuTQIYNhoDxUjU5r6yiTvWy3sCmpu02F846BcJ6+LBKhsd8OuOJYplYhjFOfszl8uQmUtyCxCDm9udsWHbNyVMPU/DeVPKSlBS5md1l07GcG2QDepH4ChxQZnejmhaXgi/6+680v7Ufgh51xb5QiU2Xg7ATwplvor2VwJphSwMAw== > freebsd.org <http://freebsd.org>. 3600 IN RRSIG > DNSKEY 8 2 3600 20141228141417 20141214022412 32659 freebsd.org > <http://freebsd.org>. > Cf1nX8IQROLxXzL9WTDJVRdHuGN344DnIzKrshoG9sbYkP/DTDMMt9mpDCUUz0HK0FgxhHw45oepm6+KMbydzZDWhK2+G/LPgyK5nzsxnaJc9EgHpg6OKCQw7HHDirfe8lr0es0Ab4mPicqMKg31r7272SEKJ6HGoezzW5wtokTJpegAGQhW+b8ZvpBqRcj3jYIU9HvBOJtn/ZNrXMg2mUP/tbkxDcBy7ssMNmy0s0GKu6Daqq1VSK0BKvEIPc/sUC+mKkUo259FkI2Lnfml3vsw+aV0behgp/VpoxRfotcNjFNJGhYGF0B0iwTQIdBnfMWlNXsQBnoQ8b7W+OLiRw== > freebsd.org <http://freebsd.org>. 0 IN RRSIG > NSEC3PARAM 8 2 0 20141219185954 20141206012400 22689 freebsd.org > <http://freebsd.org>. > ViAARy2wfDAUXV7AEzQFbge0hCJSU1/vusbRoWkaM1EVkOQbaCiSQ1PDanZmR4yQncdo2M3d4gJtIHgvZ5xzeo0/2AhlSVw/GAtWjJkqI/8rJZ2ZPtoXy6SJBcNAcGKTx74EjFN/TIxDIEXKNss2BNz3y57olnknvqgVpNjGu8jzc59aDww4+cgh9v7zuMG1YAncCnHwTIaxtsXN/K0jjKx9CtkVwJLJCRd4bthKyrPkBNMZ3cDOX27MlQFC7461WsPkNxsxFYfUWO4g8f41UUYzPX2c59tKm+qJB7s56KLihZIuBjTZnROyTkvFFcdG3ii9dzFqbEN8PMwJIS7bzw== > freebsd.org <http://freebsd.org>. 600 IN RRSIG > NS 8 2 600 20141221172508 20141207182403 22689 freebsd.org > <http://freebsd.org>. > ny0XoD9xYbSX5nHbDnl5iCIofSBlkwB8dPjeUcmKfyylrpiPVDkXfl+xfacqJj7DRvf5gF8fLhe0lwTu3cLeVXGf9L3UfD5N5sd61SxLLXy8gDHtjCQWS5/VYE4rIn6/leoqRD5YVPGJ1OWRBHSnVIjdib/R7XLLz6v8CMT4l+P42tDf7z56hjc3BNplcD/KjFfrEmoBlRIwvs9XaR3i+Qvl/0uKnGgeaXVvRMgCthC4J4oZKsBt0hpAhwy3ocOOGhp1uLV+/sBUd4ZMi0HG0G+OZbelVt01LE/7Kp5+4TA7i5Ubla8/kEcx7iKjqimnTb+0GF7+WrZbVe3MrTi9Jg== > freebsd.org <http://freebsd.org>. 600 IN RRSIG > TXT 8 2 600 20141221200324 20141207122402 22689 freebsd.org > <http://freebsd.org>. > uf81IQ/nUDeVhLtUw/g4ILoW3Pq1rl9ub8p4MBkuGxhpmZSpm1phmJ47xuDkEg137SwqdP/mIx/EIRZ1Oah5Hx1e0278qJSX1M9DMwscCjXl3uPTqgYfL/M9k15U3OJ3i9yI4Stsp6ORG3Rj4bYYYz3mzlSNV64ZOnkW9JfPu/GjEq21EXgF9SEABJr21dwEUeCpmng15MHpmpTIJIwkgdH4DC7Dh/glQ6yMDEcf6I4x63hmj4CWpChs18W94esshEfZVTeiKV7xFPvgrnsbrO660Jvua7XR3R4mqr9sqv2mXKJICNobBNx/IyAxw9vw5dE7ohFptPEH7DUDN/h4jw== > freebsd.org <http://freebsd.org>. 600 IN RRSIG > MX 8 2 600 20141222062628 20141208062403 22689 freebsd.org > <http://freebsd.org>. > exRPLUyRmbRbxQEYu989+agnNMIjXl7PsfPGW8xaoq2Dv0/GbOGnAPlSALg3MBPz8R+pL3MWiaexyi/1qxUF6n0tItn7hQhUla4jri7rMFzMUcvePPr6t5sF/MWkIC+15O5QlIUx/Bi0zUnUFPSXCKH3MWr0oqGNzzc3jSqsUlqBhQmZq3KCrSE62Tp3VDthFhZUSY29EAmmwnAlTxQR9ZX3eVEM5oJ5UrhFkBcMhv4jVtSN+OncYx4PQWHNk4DR9vY3FCVl48XqJ9ivln9vHOOCqfzl5oaSXeE6rnbHwEKpOZX65l24nPuNtKVPajYEAroK4xMqCdkPW4Ov0tw3zA== > freebsd.org <http://freebsd.org>. 600 IN RRSIG > A 8 2 600 20141221151124 20141207232403 22689 freebsd.org > <http://freebsd.org>. > VPOX9ep1tYDF7dFaY37zXAMHwd+ySWAeSAMa45btmNzCD/F1pkUi9wH57LPE3jtqeHF4coKfZCvzBED5KWfyYMDZsWOaTNA2Hxh4h+WRr4qK1FxeilvIDLYs1/ynGCcaAfTM8T7OwAueWx/x78bshaw8mkI8Pp38SpkHa0sL5T4/L9NP8NOUOP5I6zv2xFtqkcQBSWZLFElGHn3JBo3ZyGa9lUsjnNfNWwNCLcDbXG7aQCW88v+mxbnIq2lHogqOsYXQHnatpK7qV27c2XNB9ZuGmWq6zLFUFOXH1pDLf0ftIg70Evy+88RomIFLo9e9qNYI9WJk7Z51gL7ygA/YSg== > freebsd.org <http://freebsd.org>. 600 IN RRSIG > AAAA 8 2 600 20141222031959 20141208092403 22689 freebsd.org > <http://freebsd.org>. > U88G56Mlmb6l4xv+G+IdvLAQQ8g5quIvKVjBSTcC5QdO52C/kUGcoo2rE+phXqXK7j7vgcfEuSI2qP3FDCG2K1VUn19+oCHA/LVzx4sNGsVlqXDfieE7c48vVYeukalh7cCXQ53dGo/4Tpps3i/4IUtw7Wi/NjykJoi8PbzgqR7mrkcKD83l18XR0JNILvj1EQwuTZYIICcd+yfs2WU5IjXIv5ik3hVkxQA5GkJse+EfAvBuJRPkZ8yknRM93tRw95gBc6ntB9+3pqZ9QNPKRUl5i7HoBbkSlAr3iGJiBAOXAX4V3PGNG+tXHqbEVPn1DzsXojJSFUJGaXHA9VFSpw== > freebsd.org <http://freebsd.org>. 3600 IN > DNSKEY 256 3 8 > AwEAAc48eD98O70LmwN5RQ5i1vaP9BURkyvOiVNbztyVOCbPsZMIxDVZULFGLeEKmUR9UbutNoizdVi+XDGXgbfvQTZczkCUJNvBCxVglssyxnMMDjxf4p6TfuTTAW7EK6BDGVGkU3yBbfFYRYDeRep3g2CHH5/juU6MGMDElYYAhULICw3QRJjzMJFezvV0D1Mql53otXJ2J0BVhNBbF/1HSYRhVrFCSnpo1OORbNEuCudBr5WDBsZ3TdFehf74fYQP8XZEKqwirUvGcrlvDCPncPFtoLj3BWNvecsAwBrRbVzwTMVZHV95SXSq5VzjiXsf4U/UMQ5xOE5t4370msqPScM= > freebsd.org <http://freebsd.org>. 3600 IN > DNSKEY 257 3 8 > AwEAAd1zS5J5X1kQqoufYTOGrPaUnlgBxllrFE1rGLJ3qDWEEETjszjal7IeJMmn/VhC6a2txXeob5is1/8Z6KWxpAhqIiw+l9JmD9sD/dOI9Yyk/AIyhSPguqV9+zBkfrp9I0BUuwxO/Rs+VgnqwQquyDGWRFQTtckPkptHKMTt44F8VyGcg+WVHOAXAsdGAC2SK1MVbSnMnRvZjYRHS3qc8at/h7soSib9TGNG9i+UD2mZyefcUUxsSll7TvUURA1dW13UP3U4/JlUM0qwA8Lk7pho/Or61Sci+yiqKijAdHu+dY3yGESkZ2rm4PBYYbm44ftefYXX5Hd5w20MXe5Lym8= > freebsd.org <http://freebsd.org>. 3600 IN > DNSKEY 256 3 8 > AwEAAdCGUpcdxSMYspciWP5aJa3f0Lr5oW1BkSnSGe4TO4+HVy8f+40q7uHtpaI7MMl5+2HAtjxgaZIVGBM3zqiCvW3KXjv+TRKLIBJTxStYu9ped0JWCqAXfYIhD5Tw2uvNKU0CLTJP9PQuEz8K5Yd7Zsy6N49/zAbovyhL5Ciax+BPcA8FTZ6io+m1Gw43+i2UOAs5yAeWsjaYsCwV4Ye7FdPwuQ5z/MMszr9XwBzFJdlQyJFpyAPNcdAiplnSWAg7oo8t221+sRsY/ZMOgi4WeIZAPM71Fq0LEi+GUxgjUdYs7MtehsmyRgZjum3AJyJfaf2gZRQH5Dw0aIR/G1lUwEc= > freebsd.org <http://freebsd.org>. 0 IN > NSEC3PARAM 1 0 100 10238ec3108d6756 > freebsd.org <http://freebsd.org>. 600 IN NS > ns3.isc-sns.info <http://ns3.isc-sns.info>. > freebsd.org <http://freebsd.org>. 600 IN NS > ns2.isc-sns.com <http://ns2.isc-sns.com>. > freebsd.org <http://freebsd.org>. 600 IN NS > ns1.isc-sns.net <http://ns1.isc-sns.net>. > freebsd.org <http://freebsd.org>. 600 IN TXT > "v=spf1 redirect=_spf.freebsd.org <http://spf.freebsd.org>" > freebsd.org <http://freebsd.org>. 600 IN MX > 10 mx1.freebsd.org <http://mx1.freebsd.org>. > freebsd.org <http://freebsd.org>. 600 IN A > 8.8.178.110 > freebsd.org <http://freebsd.org>. 600 IN AAAA > 2001:1900:2254:206a::50:0 > > ;; ADDITIONAL SECTION: > ns1.isc-sns.net <http://ns1.isc-sns.net>. 3600 IN A > 72.52.71.1 > ns1.isc-sns.net <http://ns1.isc-sns.net>. 3600 IN > AAAA 2001:470:1a::1 > ns2.isc-sns.com <http://ns2.isc-sns.com>. 3600 IN A > 38.103.2.1 > ns3.isc-sns.info <http://ns3.isc-sns.info>. 3600 IN > A 63.243.194.1 > ns3.isc-sns.info <http://ns3.isc-sns.info>. 3600 IN > AAAA 2001:5a0:10::1 > mx1.freebsd.org <http://mx1.freebsd.org>. 600 IN A > 8.8.178.115 > mx1.freebsd.org <http://mx1.freebsd.org>. 600 IN > AAAA 2001:1900:2254:206a::19:1 > > Received 3670 bytes from 72.52.71.1#53 in 298 ms > > > So this server did return the requested information. You should really > use dig(1) for debugging. It provides more information like whether > the AA bit is set, DNSSEC data, etc. > Hi Kevin, > I am still unsure why you are issuing ANY queries, though. If you want > details, use "host -v". Since you are querying an authoritative > resolver, you are not dependent on what is in cache, but the UDP reply > is over 2K that is truncated and the query is re-issued via TCP. This > means that the behavior is entirely different than a query for just > address information. > Free access to the service ports 53/tcp and 53/udp. Another thing I noticed was that it started to happen after I updated the bind (ports). # pkg info bind99 bind99-9.9.6P1 Name : bind99 Version : 9.9.6P1 Installed on : Fri Dec 12 09:33:33 BRST 2014 Origin : dns/bind99 Architecture : freebsd:10:x86:64 Prefix : /usr/local Categories : net ipv6 dns Licenses : ISCL Maintainer : mat@FreeBSD.org WWW : https://www.isc.org/software/bind Comment : BIND DNS suite with updated DNSSEC and DNS64 Options : DLZ_BDB : off DLZ_FILESYSTEM : off DLZ_LDAP : off DLZ_MYSQL : off DLZ_POSTGRESQL : off DLZ_STUB : off DOCS : on FILTER_AAAA : off FIXED_RRSET : off GOST : off GSSAPI_BASE : off GSSAPI_HEIMDAL : off GSSAPI_MIT : off GSSAPI_NONE : on IDN : on IPV6 : on LARGE_FILE : off LINKS : on NEWSTATS : off PYTHON : off REPLACE_BASE : off RPZ_NSDNAME : off RPZ_NSIP : off RPZ_PATCH : off RRL : on SIGCHASE : off SSL : on THREADS : on > I would do: > # dig @72.52.71.1 <http://72.52.71.1>; freebsd.org <http://freebsd.org>. > # dig @38.103.2.1 <http://38.103.2.1>; freebsd.org <http://freebsd.org>. > # dig @8.8.178.115 <http://8.8.178.115>; freebsd.org <http://freebsd.org>. # dig @72.52.71.1 freebsd.org. ; <<>> DiG 9.9.6-P1 <<>> @72.52.71.1 freebsd.org. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;freebsd.org. IN A ;; ANSWER SECTION: freebsd.org. 600 IN A 8.8.178.110 ;; AUTHORITY SECTION: freebsd.org. 600 IN NS ns2.isc-sns.com. freebsd.org. 600 IN NS ns3.isc-sns.info. freebsd.org. 600 IN NS ns1.isc-sns.net. ;; ADDITIONAL SECTION: ns1.isc-sns.net. 3600 IN A 72.52.71.1 ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1 ns2.isc-sns.com. 3600 IN A 38.103.2.1 ns3.isc-sns.info. 3600 IN A 63.243.194.1 ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1 ;; Query time: 182 msec ;; SERVER: 72.52.71.1#53(72.52.71.1) ;; WHEN: Tue Dec 16 10:27:56 BRST 2014 ;; MSG SIZE rcvd: 248 # dig @38.103.2.1 freebsd.org. ; <<>> DiG 9.9.6-P1 <<>> @38.103.2.1 freebsd.org. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40912 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;freebsd.org. IN A ;; ANSWER SECTION: freebsd.org. 600 IN A 8.8.178.110 ;; AUTHORITY SECTION: freebsd.org. 600 IN NS ns2.isc-sns.com. freebsd.org. 600 IN NS ns1.isc-sns.net. freebsd.org. 600 IN NS ns3.isc-sns.info. ;; ADDITIONAL SECTION: ns1.isc-sns.net. 3600 IN A 72.52.71.1 ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1 ns2.isc-sns.com. 3600 IN A 38.103.2.1 ns3.isc-sns.info. 3600 IN A 63.243.194.1 ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1 ;; Query time: 136 msec ;; SERVER: 38.103.2.1#53(38.103.2.1) ;; WHEN: Tue Dec 16 10:32:03 BRST 2014 ;; MSG SIZE rcvd: 248 # dig @8.8.178.115 freebsd.org. ; <<>> DiG 9.9.6-P1 <<>> @8.8.178.115 freebsd.org. ; (1 server found) ;; global options: +cmd ;; connection timed out; no servers could be reached > > Once your resolvers have cached the NS records, they should directly > query the servers shown and not walk the full tree. From the NXDOMAIN > replies, it looks like some system is lying about things. I'm going to > guess that system is incorrectly responding with NXDOMAIN when some > other error is occurring. That system is probably close to you. Try: > # dig freebsd.org <http://freebsd.org>. # dig freebsd.org. ; <<>> DiG 9.9.6-P1 <<>> freebsd.org. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;freebsd.org. IN A ;; Query time: 2995 msec ;; SERVER: ::1#53(::1) ;; WHEN: Tue Dec 16 10:30:25 BRST 2014 ;; MSG SIZE rcvd: 40 > > That will do a standard query to what ever recursive resolver you > normally use. It will, hopefully, point at the culprit. It is also > possible that it is a firewall issue, where some security software is > sending a NXDOMAIN server to prevent further queries. This is only a > guess, but there are a limited number of places where the problem > might be generated and experience tells me it is almost certainly > close to your system. I am suspicious that it's some recent filter due to last vulnerability of bind. It could not be? > -- > R. Kevin Oberman, Network Engineer, Retired > E-mail: rkoberman@gmail.com <mailto:rkoberman@gmail.com> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?549029E8.2020508>