Date: Thu, 25 Dec 2014 08:30:08 -0800 (PST) From: Casey Scott <casey@scottmail.org> To: g lister <g.lister@nodeunit.ch> Cc: bferrell@baywinds.org, freebsd-questions@freebsd.org Subject: Re: DNS resolution question Message-ID: <1354258214.74.1419525008685.JavaMail.zimbra@phantombsd.org> In-Reply-To: <223495012.51.1419522199210.JavaMail.zimbra@phantombsd.org> References: <642699791.129.1419432044320.JavaMail.zimbra@phantombsd.org> <lpuiu8.nh3mhy.1bqonni-qmf@nodeunit.com> <2077504714.236.1419448060216.JavaMail.zimbra@phantombsd.org> <j3blqr.nh3qe7.1bqonni-qmf@nodeunit.com> <913059271.257.1419455366358.JavaMail.zimbra@phantombsd.org> <nlxpwo.nh3wzp.1bqonni-qmf@nodeunit.com> <328887443.42.1419519807044.JavaMail.zimbra@phantombsd.org> <223495012.51.1419522199210.JavaMail.zimbra@phantombsd.org>
This turned out to be a firewall problem. The rule permitting DNS traffic
wasn't stateful. Adding keep-state solved the problem:

    allow udp from any to any dst-port 53 keep-state

Thanks for the help!

Casey

----- On Dec 25, 2014, at 7:43 AM, Casey Scott <casey@scottmail.org> wrote:

> Another piece of data:
>
> When the server in question is pointed to another server for DNS resolution
> (/etc/resolv.conf), the bind-utils (host/nslookup) can successfully look up the
> same records. That machine is running CentOS 6.6. Its named -V:
>
> BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 built with
> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
> '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6'
> '--enable-filter-aaaa' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--with-dlopen=yes' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes'
> '--with-gssapi=yes' '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS= -O2 -g
> -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
> using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
> using libxml2 version: 2.7.6
>
> Noting that on the Linux server, IPv6 is enabled (though the server doesn't use
> IPv6), I recompiled BIND with IPv6 enabled. Same result though. I cannot
> resolve vuxml.freebsd.org with it.
>
> ----- On Dec 25, 2014, at 7:03 AM, Casey Scott <casey@scottmail.org> wrote:
>
>> named -V output includes '--disable-ipv6'. Isn't that explicitly disabling IPv6?
>>
>> Thanks.
>>
>> ----- On Dec 24, 2014, at 1:57 PM, g lister <g.lister@nodeunit.ch> wrote:
>>
>>> On Wed Dec 24 22:09:26 2014 GMT+0100, Casey Scott wrote:
>>>> Ah.. well in that case, IPv6 is already disabled in named.
>>>
>>> Is it disabled explicitly? I mean by a directive. I had also disabled it ... by
>>> not enabling it, but I had to disable it explicitly, and then some queries coming
>>> from my internal network and my SMTP started working. Problem is you need to
>>> have a functioning IPv6 network setup to make use of it.
>>> Sorry for being short but writing on a phone is a pain. The syntax should be in
>>> a man page or the net.
>>>
>>> HTH,
>>> George
>>>
>>>>
>>>> ----- On Dec 24, 2014, at 11:34 AM, g lister <g.lister@nodeunit.ch> wrote:
>>>>
>>>> > On Wed Dec 24 20:07:40 2014 GMT+0100, Casey Scott wrote:
>>>> >> I can't disable IPv4 because my environment uses it. Thanks though.
>>>> >
>>>> > Sorry, I meant IPv6. AAAA are v6 queries I think.
>>>> >
>>>> >>
>>>> >> Casey
>>>> >>
>>>> >> ----- On Dec 24, 2014, at 10:10 AM, g lister <g.lister@nodeunit.ch> wrote:
>>>> >>
>>>> >> > On Wed Dec 24 18:57:42 2014 GMT+0100, Casey Scott wrote:
>>>> >> >> That's what's odd. The tcpdump shows a seemingly valid response come back,
>>>> >> >> however dig/host always fail with a timeout. It seems to me that named isn't
>>>> >> >> passing along the response for some reason.
>>>> >> >>
>>>> >> >> Thanks.
>>>> >> >
>>>> >> > Have you tried disabling IPv4 and checking whether it works?
>>>> >> > I had a similar issue with bind and without IPv4 it was OK.
>>>> >> >
>>>> >> > HTH,
>>>> >> > George
>>>> >> >
>>>> >> >>
>>>> >> >> ----- On Dec 24, 2014, at 8:31 AM, Bruce Ferrell <bferrell@baywinds.org> wrote:
>>>> >> >>
>>>> >> >> > On 12/24/2014 06:40 AM, Casey Scott wrote:
>>>> >> >> >> This issue surfaced when I noticed this entry in my server's daily security mail:
>>>> >> >> >>
>>>> >> >> >> Checking for packages with security vulnerabilities:
>>>> >> >> >> pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
>>>> >> >> >> pkg: cannot fetch vulnxml file
>>>> >> >> >>
>>>> >> >> >> I discovered that the server is not able to resolve vuxml.freebsd.org, or even
>>>> >> >> >> www.freebsd.org. I'm sure the problem isn't specific to the freebsd.org zone,
>>>> >> >> >> but that's where I focused my effort. I found that recursive queries failed;
>>>> >> >> >> however, if I directly queried a name server authoritative for freebsd.org (i.e.
>>>> >> >> >> ns1.isc-sns.net.), the query successfully returned the CNAME.
>>>> >> >> >>
>>>> >> >> >> OS Details:
>>>> >> >> >> FreeBSD mustang 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r271930: Sun Sep 21 19:01:57
>>>> >> >> >> PDT 2014 root@mustang:/usr/src/sys/amd64/compile/Server amd64
>>>> >> >> >>
>>>> >> >> >> DNS lookup attempt
>>>> >> >> >> *******************************************************************************
>>>> >> >> >> $ dig vuxml.freebsd.org +trace
>>>> >> >> >> ; <<>> DiG 9.9.6-P1 <<>> vuxml.freebsd.org +trace
>>>> >> >> >> ;; global options: +cmd
>>>> >> >> >> .                       517326  IN      NS      e.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      m.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      c.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      d.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      b.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      f.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      g.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      i.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      k.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      l.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      a.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      j.root-servers.net.
>>>> >> >> >> .                       517326  IN      NS      h.root-servers.net.
>>>> >> >> >> .                       517326  IN      RRSIG   NS 8 0 518400 20141231050000
>>>> >> >> >> 20141224040000 22603 . OT3Uv0Krt43V999nh6ky8sK7Uob+Qb+M82BOS0uPTFxq1NL6m2XX7ri3
>>>> >> >> >> n/na4QyB/+iGTAlonAMVGyXEO1llrJt6iw7yucBriqy/xuGCwSY5Sllc
>>>> >> >> >> Y3G7RdzerNgmAhfD2wiCwJPnVuGaD3O5318r2TLrsXdoQwGk7FNWiE1X GBE=
>>>> >> >> >> ;; Received 913 bytes from 192.168.1.1#53(192.168.1.1) in 0 ms
>>>> >> >> >>
>>>> >> >> >> org.                    172800  IN      NS      b2.org.afilias-nst.org.
>>>> >> >> >> org.                    172800  IN      NS      a2.org.afilias-nst.info.
>>>> >> >> >> org.                    172800  IN      NS      d0.org.afilias-nst.org.
>>>> >> >> >> org.                    172800  IN      NS      b0.org.afilias-nst.org.
>>>> >> >> >> org.                    172800  IN      NS      a0.org.afilias-nst.info.
>>>> >> >> >> org.                    172800  IN      NS      c0.org.afilias-nst.info.
>>>> >> >> >> org.                    86400   IN      DS      21366 7 2
>>>> >> >> >> 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA
>>>> >> >> >> org.                    86400   IN      DS      21366 7 1
>>>> >> >> >> E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
>>>> >> >> >> org.                    86400   IN      RRSIG   DS 8 1 86400 20141231050000
>>>> >> >> >> 20141224040000 22603 . IjE3Yi3yF8a12dOlLt13Grqs7c2tOXwgyyghAkeqy36N14VrAGxsQMxU
>>>> >> >> >> RlOE5rYwzeg1cLi55wRxGShNBz0/KU229xWrRNluzLUkbo+eW98E6Fcw
>>>> >> >> >> nT/DHrIy9J/3zjf6NRC+zUUcQTOJGWAkPF40TqaJGwI0Ag6/p6yxcBJ5 MDM=
>>>> >> >> >> ;; Received 691 bytes from 192.112.36.4#53(g.root-servers.net) in 73 ms
>>>> >> >> >>
>>>> >> >> >> freebsd.org.            86400   IN      NS      ns2.isc-sns.com.
>>>> >> >> >> freebsd.org.            86400   IN      NS      ns1.isc-sns.net.
>>>> >> >> >> freebsd.org.            86400   IN      NS      ns3.isc-sns.info.
>>>> >> >> >> freebsd.org.            86400   IN      DS      32659 8 2
>>>> >> >> >> AF3B32E46DF2FC32C0110C7D6B808EE73E0411501AFAF9022D3DCD0A FA5B3ACD
>>>> >> >> >> freebsd.org.            86400   IN      RRSIG   DS 7 2 86400 20150109163356
>>>> >> >> >> 20141219153356 11112 org. puF07NdtGtOY0uI3d789itchA2dEXz0URwCsckm7vjWoNIhdsMuG6jFc
>>>> >> >> >> StzdAkvFDiDO/2C3x21spRrb7Y3ioDQpNJL2zJUn2S0L/8ueDbF9wJAT
>>>> >> >> >> pEfAdMyUwlCQkVM45Ptf98z7iLTWWe2xQBhZZ1OGaPRW+VwKE0rCaz2d 1rg=
>>>> >> >> >> ;; Received 345 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 134 ms
>>>> >> >> >>
>>>> >> >> >> ;; connection timed out; no servers could be reached
>>>> >> >> >> *******************************************************************************
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> tcpdump of the query above
>>>> >> >> >> *******************************************************************************
>>>> >> >> >> listening on fxp0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> >> >> >> 05:59:36.016640 IP x.x.x.x.54272 > 38.103.2.1.53: 18640 [1au] A?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:36.127776 IP 38.103.2.1.53 > x.x.x.x.54272: 18640*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
>>>> >> >> >> 05:59:38.021067 IP x.x.x.x.52431 > 38.103.2.1.53: 13086 [1au] AAAA?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:38.051272 IP x.x.x.x.51125 > 63.243.194.1.53: 16824 [1au] A?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:38.081819 IP 63.243.194.1.53 > x.x.x.x.51125: 16824*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
>>>> >> >> >> 05:59:38.132821 IP 38.103.2.1.53 > x.x.x.x.52431: 13086*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
>>>> >> >> >> 05:59:40.056275 IP x.x.x.x.62003 > 63.243.194.1.53: 41954 [1au] AAAA?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:40.086597 IP 63.243.194.1.53 > x.x.x.x.62003: 41954*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
>>>> >> >> >> 05:59:40.267272 IP x.x.x.x.61416 > 72.52.71.1.53: 32843 [1au] A?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:40.297103 IP 72.52.71.1.53 > x.x.x.x.61416: 32843*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
>>>> >> >> >> 05:59:42.272273 IP x.x.x.x.54674 > 72.52.71.1.53: 2755 [1au] AAAA?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:42.302289 IP 72.52.71.1.53 > x.x.x.x.54674: 2755*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
>>>> >> >> >> 05:59:42.487277 IP x.x.x.x.54239 > 38.103.2.1.53: 38272 [1au] A?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:42.598927 IP 38.103.2.1.53 > x.x.x.x.54239: 38272*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
>>>> >> >> >> 05:59:44.492281 IP x.x.x.x.59505 > 38.103.2.1.53: 22873 [1au] AAAA?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:44.604217 IP 38.103.2.1.53 > x.x.x.x.59505: 22873*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
>>>> >> >> >> 05:59:44.722266 IP x.x.x.x.61141 > 63.243.194.1.53: 50828 [1au] A?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:44.753517 IP 63.243.194.1.53 > x.x.x.x.61141: 50828*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, A 8.8.178.110, RRSIG (1464)
>>>> >> >> >> 05:59:46.727324 IP x.x.x.x.49803 > 63.243.194.1.53: 51222 [1au] AAAA?
>>>> >> >> >> vuxml.freebsd.org. (46)
>>>> >> >> >> 05:59:46.757577 IP 63.243.194.1.53 > x.x.x.x.49803: 51222*- 4/4/11 CNAME
>>>> >> >> >> wfe0.ysv.freebsd.org., RRSIG, AAAA, RRSIG (1464)
>>>> >> >> >> 05:59:57.395692 IP x.x.x.x.60149 > 165.254.1.208.53: 31873 [1au] A?
>>>> >> >> >> e6238.a.akamaiedge.net. (51)
>>>> >> >> >> 05:59:57.404644 IP 165.254.1.208.53 > x.x.x.x.60149: 31873*- 1/0/0 A 96.7.67.53
>>>> >> >> >> (56)
>>>> >> >> >> *******************************************************************************
>>>> >> >> >>
>>>> >> >> >> BIND build options
>>>> >> >> >> *******************************************************************************
>>>> >> >> >> # named -V
>>>> >> >> >> BIND 9.9.6-P1 (Extended Support Version) <id:3612d8fb> built by make with
>>>> >> >> >> '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable'
>>>> >> >> >> '--with-randomdev=/dev/random' '--with-libxml2=/usr/local'
>>>> >> >> >> '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-gost'
>>>> >> >> >> '--without-idn' '--disable-ipv6' '--disable-largefile' '--disable-newstats'
>>>> >> >> >> '--without-python' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-rrl'
>>>> >> >> >> '--with-openssl=/usr/local' '--without-gssapi' '--enable-threads'
>>>> >> >> >> '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
>>>> >> >> >> '--infodir=/usr/share/info/' '--build=amd64-portbld-freebsd9.3'
>>>> >> >> >> 'build_alias=amd64-portbld-freebsd9.3' 'CC=cc' 'CFLAGS=-O2 -pipe -march=native
>>>> >> >> >> -fstack-protector -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath,/usr/local/lib
>>>> >> >> >> -fstack-protector' 'LIBS=' 'CPPFLAGS=' 'CPP=cpp'
>>>> >> >> >> compiled by GCC 4.2.1 20070831 patched [FreeBSD]
>>>> >> >> >> using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
>>>> >> >> >> using libxml2 version: 2.9.2
>>>> >> >> >> *******************************************************************************
>>>> >> >> >>
>>>> >> >> >> Any idea what's going on here?
>>>> >> >> >>
>>>> >> >> >> Thanks,
>>>> >> >> >> Casey
>>>> >> >> >>
>>>> >> >> >> _______________________________________________
>>>> >> >> >> freebsd-questions@freebsd.org mailing list
>>>> >> >> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> >> >> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>> >> >> >>
>>>> >> >> > Casey,
>>>> >> >> >
>>>> >> >> > I think you're getting a correct response.
>>>> >> >> > dig @192.0.2.131 vuxml.freebsd.org
>>>> >> >> >
>>>> >> >> > ; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> @192.0.2.131 vuxml.freebsd.org
>>>> >> >> > ; (1 server found)
>>>> >> >> > ;; global options: +cmd
>>>> >> >> > ;; Got answer:
>>>> >> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54956
>>>> >> >> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6
>>>> >> >> >
>>>> >> >> > ;; OPT PSEUDOSECTION:
>>>> >> >> > ; EDNS: version: 0, flags:; udp: 4096
>>>> >> >> > ;; QUESTION SECTION:
>>>> >> >> > ;vuxml.freebsd.org.             IN      A
>>>> >> >> >
>>>> >> >> > ;; ANSWER SECTION:
>>>> >> >> > vuxml.freebsd.org.      497     IN      CNAME   wfe0.ysv.freebsd.org.
>>>> >> >> > wfe0.ysv.freebsd.org.   497     IN      A       8.8.178.110
>>>> >> >> >
>>>> >> >> > ;; AUTHORITY SECTION:
>>>> >> >> > freebsd.org.            497     IN      NS      ns3.isc-sns.info.
>>>> >> >> > freebsd.org.            497     IN      NS      ns2.isc-sns.com.
>>>> >> >> > freebsd.org.            497     IN      NS      ns1.isc-sns.net.
>>>> >> >> >
>>>> >> >> > ;; ADDITIONAL SECTION:
>>>> >> >> > ns1.isc-sns.net.        2488    IN      A       72.52.71.1
>>>> >> >> > ns1.isc-sns.net.        166365  IN      AAAA    2001:470:1a::1
>>>> >> >> > ns2.isc-sns.com.        2488    IN      A       38.103.2.1
>>>> >> >> > ns3.isc-sns.info.       2488    IN      A       63.243.194.1
>>>> >> >> > ns3.isc-sns.info.       79965   IN      AAAA    2001:5a0:10::1
>>>> >> >> >
>>>> >> >> > ;; Query time: 1 msec
>>>> >> >> > ;; SERVER: 192.0.2.131#53(192.0.2.131)
>>>> >> >> > ;; WHEN: Wed Dec 24 08:28:06 PST 2014
>>>> >> >> > ;; MSG SIZE  rcvd: 277
>>>> >> >> >
>>>> >> >> > Notice in the answer section of my simplified query via my local nameserver,
>>>> >> >> > wfe0.ysv.freebsd.org is in the A record. I saw the same response in your
>>>> >> >> > query, it was just harder to see.
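The fix in the closing message is easier to see against the capture quoted further down the thread: named's queries leave from ephemeral ports (54272, 52431, ...) toward port 53, and every reply comes back from port 53 to one of those ephemeral ports. A rule that matches only dst-port 53 admits the outbound query, but nothing matches the inbound reply, so it falls through to ipfw's default deny. tcpdump still shows the reply because bpf sees the frame before ipfw's pfil hook discards it, which is exactly the "valid response on the wire, yet dig times out" symptom reported above. The toy filter below is added here as an illustration; it is not code from the thread or from ipfw. It models ipfw's top-down static rules plus the dynamic table that keep-state creates, and replays packets shaped like the first query/reply pair in the capture. 192.0.2.10 is a constructed stand-in for the masked x.x.x.x, and 198.51.100.7 is a constructed source for a stray packet.

```python
"""Stateless vs. stateful filtering of a recursive resolver's UDP traffic.

Toy model of ipfw behaviour, added as an illustration. Not ipfw code and not
the poster's ruleset. Addresses marked 'constructed' are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "udp", "tcp" or "ip" (any protocol)
    dport: Optional[int]     # destination port to match, None = any
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


FlowKey = Tuple[str, str, int, str, int]


class Firewall:
    """Static rules evaluated top-down with an implicit final deny, plus a
    dynamic table keyed by 4-tuple. keep-state creates an entry; the table is
    consulted before the static rules, as ipfw's check-state does, and an
    entry matches the flow in either direction."""

    def __init__(self, rules: List[Rule], udp_lifetime: float = 10.0):
        self.rules = list(rules)
        # Models ipfw's net.inet.ip.fw.dyn_udp_lifetime (default 10 s).
        self.udp_lifetime = udp_lifetime
        self.dynamic: Dict[FlowKey, float] = {}   # flow -> expiry time

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet, now: float) -> str:
        # Drop expired dynamic entries before consulting the table.
        self.dynamic = {k: exp for k, exp in self.dynamic.items() if exp > now}
        # check-state: a packet belonging to a live flow, in either direction,
        # is allowed and refreshes the entry.
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.dynamic:
                self.dynamic[key] = now + self.udp_lifetime
                return "allow"
        # Static rules, first match wins.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic[self._key(pkt)] = now + self.udp_lifetime
                return rule.action
        return "deny"   # the implicit rule 65535 deny


# The thread's original rule and the fix from the closing message.
STATELESS = [Rule("allow", "udp", 53)]
STATEFUL = [Rule("allow", "udp", 53, keep_state=True)]

RESOLVER = "192.0.2.10"     # constructed stand-in for the masked x.x.x.x
NS2 = "38.103.2.1"          # ns2.isc-sns.com, as in the capture

# Shaped like the first pair in the capture: query from an ephemeral port to
# port 53, reply from port 53 back to that ephemeral port.
QUERY = Packet("udp", RESOLVER, 54272, NS2, 53)
REPLY = Packet("udp", NS2, 53, RESOLVER, 54272)


def replay(rules: List[Rule], exchange: List[Tuple[float, Packet]]) -> List[str]:
    """Run timestamped packets through a fresh firewall; return the verdicts."""
    fw = Firewall(rules)
    return [fw.filter(pkt, t) for t, pkt in exchange]


def stateless_verdicts() -> List[str]:
    return replay(STATELESS, [(0.0, QUERY), (0.11, REPLY)])


def stateful_verdicts() -> List[str]:
    return replay(STATEFUL, [(0.0, QUERY), (0.11, REPLY)])


def late_reply_verdicts() -> List[str]:
    # The reply arrives after the UDP entry has expired.
    return replay(STATEFUL, [(0.0, QUERY), (12.0, REPLY)])


def unsolicited_verdicts() -> List[str]:
    # Source-port-53 traffic that matches no outstanding query (constructed).
    stray = Packet("udp", "198.51.100.7", 53, RESOLVER, 54272)
    return replay(STATEFUL, [(0.0, QUERY), (0.05, stray)])


if __name__ == "__main__":
    print("stateless  :", stateless_verdicts())
    print("stateful   :", stateful_verdicts())
    print("late reply :", late_reply_verdicts())
    print("unsolicited:", unsolicited_verdicts())
```

On the real box the dynamic entries are visible with `ipfw -d list`, and the lifetime that the late-reply case models is the sysctl `net.inet.ip.fw.dyn_udp_lifetime`. Two caveats about the fix as written in the thread: the dynamic entry is keyed only on the 4-tuple, so it knows nothing about the DNS transaction ID and is no defence against a forged reply sent from a spoofed authoritative address; and `from any to any dst-port 53 keep-state` also admits inbound queries from any source and creates an entry per client, so a resolver meant to serve only the local network wants the source restricted in that rule.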