Message-ID: <549029E8.2020508@bsdinfo.com.br>
Date: Tue, 16 Dec 2014 10:47:36 -0200
From: Marcelo Gondim
To: "freebsd-net@freebsd.org"
Subject: Re: DNS resolution problem

On 16/12/2014 02:25, Kevin Oberman wrote:
> On Mon, Dec 15, 2014 at 10:02 AM, Marcelo Gondim wrote:
>
>     Hi Kevin,
>
>     On 13/12/2014 23:44, Kevin Oberman wrote:
>
>         On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim wrote:
>
>             Dear,
>
>             I'm having trouble resolving domain name freebsd.org. The
>             portsnap server works correctly but the pkg audit -F does
>             not work and can not even access the site according to the
>             following tests:
>
>             # host ec2-sa-east-1.portsnap.freebsd.org
>             ec2-sa-east-1.portsnap.freebsd.org has address 177.71.188.240
>
>             # host vuxml.freebsd.org
>             Host vuxml.freebsd.org not found: 3(NXDOMAIN)
>
>             # host -a freebsd.org
>             Trying "freebsd.org"
>             Trying "freebsd.org.intnet.com.br"
>             Host freebsd.org not found: 3(NXDOMAIN)
>             Received 86 bytes from ::1#53 in 0 ms
>
>             # host www.freebsd.org
>             ;; connection timed out; no servers could be reached
>
>             Only the first address I'm having name resolution
>             (ec2-sa-east-1.portsnap.freebsd.org).
>
>             My block IP: 186.193.48.0/20
>
>             One could check for any restrictions on our IP block?
>
>         I think a bit of DNS debugging is in order.
>
>         I could resolve all of the nodes you listed, but there are some
>         potential issues I see. First, when looking up hostname with
>         host(1), always terminate the name:
>
>         host -a freebsd.org.
>
>         Trying "freebsd.org"
>         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171
>         ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
>
>         ;; QUESTION SECTION:
>         ;freebsd.org.            IN    TYPE255
>
>         ;; ANSWER SECTION:
>         freebsd.org.    534    IN    AAAA    2001:1900:2254:206a::50:0
>         freebsd.org.    534    IN    MX      10 mx1.freebsd.org.
>         freebsd.org.    534    IN    A       8.8.178.110
>
>         But "ANY" queries are fuzzy things at best as the first resolver
>         you hit will just return whatever is cached and not try getting
>         an authoritative response.
>
>         www.freebsd.org and vuxml.freebsd.org are CNAME entries pointing
>         to the same place, 8.8.178.110. This is in FreeBSD's own address
>         space from Yahoo and is probably in the mail FreeBSD cluster. I
>         was a bit surprised to find that it is an Amazon AWS address, so
>         the portsnap files are actually coming from a totally different
>         place.
>
>         DNS is provided by ISC-SNS. 72.52.71.1, 38.103.2.1 and
>         63.243.194.1. Try pinging these. Since BIND, the second oldest
>         and most popular DNS server is written and supported by ISA, I
>         would think that it is well run. Try pinging and tracing to
>         these addresses. All of them are in very dispersed locations on
>         different provider backbones. (Cogent, Hurricane Electric, and
>         ISC, itself.) You might try directing queries to each system to
>         see if one fails when others succeed. Use "dig @servr-addr host".
>
>     Other tests:
>
>     # ping -c 5 NS1.ISC-SNS.NET
>     PING ns1.isc-sns.net (72.52.71.1): 56 data bytes
>     64 bytes from 72.52.71.1: icmp_seq=0 ttl=56 time=144.327 ms
>     64 bytes from 72.52.71.1: icmp_seq=1 ttl=56 time=145.445 ms
>     64 bytes from 72.52.71.1: icmp_seq=2 ttl=56 time=144.999 ms
>     64 bytes from 72.52.71.1: icmp_seq=3 ttl=56 time=146.775 ms
>     64 bytes from 72.52.71.1: icmp_seq=4 ttl=56 time=145.207 ms
>
>     --- ns1.isc-sns.net ping statistics ---
>     5 packets transmitted, 5 packets received, 0.0% packet loss
>     round-trip min/avg/max/stddev = 144.327/145.351/146.775/0.804 ms
>
>     # ping -c 5 NS2.ISC-SNS.COM
>     PING ns2.isc-sns.com (38.103.2.1): 56 data bytes
>     64 bytes from 38.103.2.1: icmp_seq=0 ttl=54 time=133.839 ms
>     64 bytes from 38.103.2.1: icmp_seq=1 ttl=54 time=133.831 ms
>     64 bytes from 38.103.2.1: icmp_seq=2 ttl=54 time=133.972 ms
>     64 bytes from 38.103.2.1: icmp_seq=3 ttl=54 time=133.957 ms
>     64 bytes from 38.103.2.1: icmp_seq=4 ttl=54 time=133.851 ms
>
>     --- ns2.isc-sns.com ping statistics ---
>     5 packets transmitted, 5 packets received, 0.0% packet loss
>     round-trip min/avg/max/stddev = 133.831/133.890/133.972/0.061 ms
>
>     # ping -c 5 NS3.ISC-SNS.INFO
>     PING ns3.isc-sns.info (63.243.194.1): 56 data bytes
>     64 bytes from 63.243.194.1: icmp_seq=0 ttl=59 time=185.755 ms
>     64 bytes from 63.243.194.1: icmp_seq=1 ttl=59 time=185.790 ms
>     64 bytes from 63.243.194.1: icmp_seq=2 ttl=59 time=185.866 ms
>     64 bytes from 63.243.194.1: icmp_seq=3 ttl=59 time=185.931 ms
>     64 bytes from 63.243.194.1: icmp_seq=4 ttl=59 time=185.988 ms
>
>     --- ns3.isc-sns.info ping statistics ---
>     5 packets transmitted, 5 packets received, 0.0% packet loss
>     round-trip min/avg/max/stddev = 185.755/185.866/185.988/0.086 ms
>
>     # host -a freebsd.org 72.52.71.1
>     Trying "freebsd.org"
>     ;; Truncated, retrying in TCP mode.
>     Using domain server:
>     Name: 72.52.71.1
>     Address: 72.52.71.1#53
>     Aliases:
>
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15306
>     ;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 7
>
>     ;; QUESTION SECTION:
>     ;freebsd.org.            IN    TYPE255
>
>     ;; ANSWER SECTION:
>     freebsd.org.    3600    IN    SOA    ns0.freebsd.org. hostmaster.freebsd.org. 2014121517 3600 900 604800 600
>     freebsd.org.    3600    IN    RRSIG    SOA 8 2 3600 20141229134836 20141215162412 22689 freebsd.org.
>     freebsd.org.    3600    IN    RRSIG    DNSKEY 8 2 3600 20141228141417 20141214022412 32659 freebsd.org.
>     freebsd.org.    0       IN    RRSIG    NSEC3PARAM 8 2 0 20141219185954 20141206012400 22689 freebsd.org.
>     freebsd.org.    600     IN    RRSIG    NS 8 2 600 20141221172508 20141207182403 22689 freebsd.org.
>     freebsd.org.    600     IN    RRSIG    TXT 8 2 600 20141221200324 20141207122402 22689 freebsd.org.
>     freebsd.org.    600     IN    RRSIG    MX 8 2 600 20141222062628 20141208062403 22689 freebsd.org.
>     freebsd.org.    600     IN    RRSIG    A 8 2 600 20141221151124 20141207232403 22689 freebsd.org.
>     freebsd.org.    600     IN    RRSIG    AAAA 8 2 600 20141222031959 20141208092403 22689 freebsd.org.
>     freebsd.org.    3600    IN    DNSKEY   256 3 8
>     freebsd.org.    3600    IN    DNSKEY   257 3 8
>     freebsd.org.    3600    IN    DNSKEY   256 3 8
>     freebsd.org.    0       IN    NSEC3PARAM    1 0 100 10238ec3108d6756
>     freebsd.org.    600     IN    NS     ns3.isc-sns.info.
>     freebsd.org.    600     IN    NS     ns2.isc-sns.com.
>     freebsd.org.    600     IN    NS     ns1.isc-sns.net.
>     freebsd.org.    600     IN    TXT    "v=spf1 redirect=_spf.freebsd.org"
>     freebsd.org.    600     IN    MX     10 mx1.freebsd.org.
>     freebsd.org.    600     IN    A      8.8.178.110
>     freebsd.org.    600     IN    AAAA   2001:1900:2254:206a::50:0
>
>     ;; ADDITIONAL SECTION:
>     ns1.isc-sns.net.     3600    IN    A       72.52.71.1
>     ns1.isc-sns.net.     3600    IN    AAAA    2001:470:1a::1
>     ns2.isc-sns.com.     3600    IN    A       38.103.2.1
>     ns3.isc-sns.info.    3600    IN    A       63.243.194.1
>     ns3.isc-sns.info.    3600    IN    AAAA    2001:5a0:10::1
>     mx1.freebsd.org.     600     IN    A       8.8.178.115
>     mx1.freebsd.org.     600     IN    AAAA    2001:1900:2254:206a::19:1
>
>     Received 3670 bytes from 72.52.71.1#53 in 298 ms
>
> So this server did return the requested information. You should really
> use dig(1) for debugging. It provides more information like whether
> the AA bit is set, DNSSEC data, etc.
>

Hi Kevin,

> I am still unsure why you are issuing ANY queries, though. If you want
> details, use "host -v". Since you are querying an authoritative
> resolver, you are not dependent on what is in cache, but the UDP reply
> is over 2K that is truncated and the query is re-issued via TCP. This
> means that the behavior is entirely different than a query for just
> address information.
>

Free access to the service ports 53/tcp and 53/udp. Another thing I
noticed was that it started to happen after I updated the bind (ports).

# pkg info bind99
bind99-9.9.6P1
Name           : bind99
Version        : 9.9.6P1
Installed on   : Fri Dec 12 09:33:33 BRST 2014
Origin         : dns/bind99
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : net ipv6 dns
Licenses       : ISCL
Maintainer     : mat@FreeBSD.org
WWW            : https://www.isc.org/software/bind
Comment        : BIND DNS suite with updated DNSSEC and DNS64
Options        :
        DLZ_BDB        : off
        DLZ_FILESYSTEM : off
        DLZ_LDAP       : off
        DLZ_MYSQL      : off
        DLZ_POSTGRESQL : off
        DLZ_STUB       : off
        DOCS           : on
        FILTER_AAAA    : off
        FIXED_RRSET    : off
        GOST           : off
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : off
        GSSAPI_NONE    : on
        IDN            : on
        IPV6           : on
        LARGE_FILE     : off
        LINKS          : on
        NEWSTATS       : off
        PYTHON         : off
        REPLACE_BASE   : off
        RPZ_NSDNAME    : off
        RPZ_NSIP       : off
        RPZ_PATCH      : off
        RRL            : on
        SIGCHASE       : off
        SSL            : on
        THREADS        : on

> I would do:
> # dig @72.52.71.1 freebsd.org.
> # dig @38.103.2.1 freebsd.org.
> # dig @8.8.178.115 freebsd.org.

# dig @72.52.71.1 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @72.52.71.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.            IN    A

;; ANSWER SECTION:
freebsd.org.    600    IN    A    8.8.178.110

;; AUTHORITY SECTION:
freebsd.org.    600    IN    NS    ns2.isc-sns.com.
freebsd.org.    600    IN    NS    ns3.isc-sns.info.
freebsd.org.    600    IN    NS    ns1.isc-sns.net.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.     3600    IN    A       72.52.71.1
ns1.isc-sns.net.     3600    IN    AAAA    2001:470:1a::1
ns2.isc-sns.com.     3600    IN    A       38.103.2.1
ns3.isc-sns.info.    3600    IN    A       63.243.194.1
ns3.isc-sns.info.    3600    IN    AAAA    2001:5a0:10::1

;; Query time: 182 msec
;; SERVER: 72.52.71.1#53(72.52.71.1)
;; WHEN: Tue Dec 16 10:27:56 BRST 2014
;; MSG SIZE rcvd: 248

# dig @38.103.2.1 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @38.103.2.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40912
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.            IN    A

;; ANSWER SECTION:
freebsd.org.    600    IN    A    8.8.178.110

;; AUTHORITY SECTION:
freebsd.org.    600    IN    NS    ns2.isc-sns.com.
freebsd.org.    600    IN    NS    ns1.isc-sns.net.
freebsd.org.    600    IN    NS    ns3.isc-sns.info.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.     3600    IN    A       72.52.71.1
ns1.isc-sns.net.     3600    IN    AAAA    2001:470:1a::1
ns2.isc-sns.com.     3600    IN    A       38.103.2.1
ns3.isc-sns.info.    3600    IN    A       63.243.194.1
ns3.isc-sns.info.    3600    IN    AAAA    2001:5a0:10::1

;; Query time: 136 msec
;; SERVER: 38.103.2.1#53(38.103.2.1)
;; WHEN: Tue Dec 16 10:32:03 BRST 2014
;; MSG SIZE rcvd: 248

# dig @8.8.178.115 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @8.8.178.115 freebsd.org.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

>
> Once your resolvers have cached the NS records, they should directly
> query the servers shown and not walk the full tree. From the NXDOMAIN
> replies, it looks like some system is lying about things. I'm going to
> guess that system is incorrectly responding with NXDOMAIN when some
> other error is occurring. That system is probably close to you. Try:
> # dig freebsd.org.

# dig freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> freebsd.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.            IN    A

;; Query time: 2995 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 16 10:30:25 BRST 2014
;; MSG SIZE rcvd: 40

>
> That will do a standard query to whatever recursive resolver you
> normally use. It will, hopefully, point at the culprit. It is also
> possible that it is a firewall issue, where some security software is
> sending a NXDOMAIN server to prevent further queries. This is only a
> guess, but there are a limited number of places where the problem
> might be generated and experience tells me it is almost certainly
> close to your system.

I am suspicious that it's some recent filter due to last vulnerability
of bind. It could not be?

> --
> R. Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman@gmail.com
>
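
An added example, not part of the original message or either poster's own code: the comparison suggested in the thread (ask the zone's servers directly, then the usual recursive resolver, and see where the answers diverge) written as a Python check over dig output. The sample replies are constructed from the header lines quoted above; parse_dig, triage and the result labels are hypothetical names.

```python
import re

# Constructed inputs: header lines abridged from the dig runs quoted in the thread.
AUTH_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; SERVER: 72.52.71.1#53(72.52.71.1)
"""
LOCAL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: ::1#53(::1)
"""
NO_REPLY = ";; connection timed out; no servers could be reached\n"


def parse_dig(text):
    """Extract rcode, header flags, answer count and server from dig output."""
    if "connection timed out" in text:
        return {"status": "TIMEOUT", "flags": set(), "answers": 0, "server": None}
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    answers = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r"^;; SERVER: ([^#\s]+)#", text, re.M)
    if not (status and flags and answers):
        raise ValueError("not a dig reply header")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(answers.group(1)),
        "server": server.group(1) if server else None,
    }


def triage(direct, recursive):
    """Compare replies from the zone's own servers with the local resolver's."""
    source_ok = any(
        r["status"] == "NOERROR" and "aa" in r["flags"] and r["answers"] > 0
        for r in direct
    )
    if not source_ok:
        return "no-authoritative-answer"        # check the path to the zone's servers
    if recursive["status"] == "NOERROR" and recursive["answers"] > 0:
        return "resolver-ok"
    if recursive["status"] == "NXDOMAIN":
        return "resolver-denies-existing-name"  # a nearby system is answering wrongly
    return "resolver-failing"                   # SERVFAIL or timeout at the resolver


if __name__ == "__main__":
    direct = [parse_dig(AUTH_REPLY), parse_dig(NO_REPLY)]
    print(triage(direct, parse_dig(LOCAL_REPLY)))
```

With the thread's data (authoritative servers answering with the aa flag set, the resolver on ::1 returning SERVFAIL) the check points at the local recursive resolver rather than at the zone's servers.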