Date:      Thu, 20 Apr 2017 22:57:22 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Strange Name Server Problem
Message-ID:  <c1f55892-b478-1454-a2e6-865a2e890fb0@FreeBSD.org>
In-Reply-To: <CAAdA2WM6_HW5jZZRZ4SE9ATLFgUDucYaPF_OSprrVOXjBZQ5yQ@mail.gmail.com>
References:  <CAAdA2WM6_HW5jZZRZ4SE9ATLFgUDucYaPF_OSprrVOXjBZQ5yQ@mail.gmail.com>

On 20/04/2017 19:48, Odhiambo Washington wrote:
> I have a server running FreeBSD 11.0-STABLE.
>
> I am a little stumped why my local caching bind instance doesn't answer
> queries. I have then opted to run bind on port 5353 and unbound on port 53.
> I still experience the same problem!
>
> root@waridi:/usr/local/etc/unbound # sockstat -l | grep named
> bind     named      50877 20 tcp4   192.168.27.254:5353   *:*
> bind     named      50877 21 tcp4   127.0.0.1:5353        *:*
> bind     named      50877 22 tcp4   127.0.0.1:953         *:*
> bind     named      50877 23 tcp6   ::1:953               *:*
> bind     named      50877 512 udp4  192.168.27.254:5353   *:*
> bind     named      50877 513 udp4  192.168.27.254:5353   *:*
> bind     named      50877 514 udp4  192.168.27.254:5353   *:*
> bind     named      50877 515 udp4  127.0.0.1:5353        *:*
> bind     named      50877 516 udp4  127.0.0.1:5353        *:*
> bind     named      50877 517 udp4  127.0.0.1:5353        *:*
> root@waridi:/usr/local/etc/unbound # sockstat -l | grep unb
> unbound  unbound    51296 3  udp4   127.0.0.1:53          *:*
> unbound  unbound    51296 4  tcp4   127.0.0.1:53          *:*
> unbound  unbound    51296 5  udp4   192.168.27.254:53     *:*
> unbound  unbound    51296 6  tcp4   192.168.27.254:53     *:*
> unbound  unbound    51296 10 udp4   *:29712               *:*
> unbound  unbound    51296 11 udp4   *:28511               *:*
> unbound  unbound    51296 13 udp4   *:35511               *:*
> unbound  unbound    51296 14 udp4   *:19644               *:*
> unbound  unbound    51296 15 udp4   *:22549               *:*
> unbound  unbound    51296 16 udp4   *:30714               *:*
> unbound  unbound    51296 17 udp4   *:11907               *:*
> unbound  unbound    51296 18 udp4   *:50834               *:*
> root@waridi:/usr/local/etc/unbound #
>
> Name resolution takes so long because it has to happen via the ISPs DNS
> Servers, which are the 3rd and 4th options in /etc/resolv.conf
>
> I am actually lost as to where to start looking.
>

Have you tried turning up the logging levels for each of these programs?
You can set them to log every single query -- this is not usually done
in production since it slows the server down, but for debugging
purposes, it is really useful.

How are you generating lookups?  It's best to use a tool like dig(1) --
this can query DNS directly and avoid all the added bits of NSS stuff
which helps you localise the problem better.

Can you tell if either of these programs is attempting to recurse DNS
queries for you?  You can use tcpdump to capture any port 53 traffic, or
else install dnstop which captures DNS traffic in a similar way and
displays various statistics about it.  Either of these should be able to
show you queries being made from your server to the root or other
authoritative servers and replies coming back.

You'll only tend to see the full sequence the first time you query for
something: most of the results will be cached and second and subsequent
lookups for the same thing will just be answered out of cache.  You can
clear the cache by 'rndc flush' or 'unbound-control flush_zone zonename'.

Another thing to check is what ends up in the cache for either of those
recursive servers -- both rndc and unbound-control have options to dump
the cache in text format.

Is your local unbound cache using the unbound port or the built-in
local_unbound service?  If it's local unbound, did you run:

   service local_unbound setup

This will process your /etc/resolv.conf and add any nameservers
specified there as forwarders in the configuration it generates.

	Cheers,

	Matthew
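
A sketch of the direct-query check suggested above, added here as an example and not part of the original message: it turns `sockstat -l` output into one dig(1) probe per resolver listener, so named on port 5353 and unbound on port 53 are each tested over UDP and TCP without going through NSS. The sample lines are a subset of the quoted output; the function names, the default query name and the timeouts are assumptions.

```sh
#!/bin/sh
# Constructed sample: a subset of the `sockstat -l` lines quoted in the message.
sample_sockstat() {
cat <<'EOF'
bind     named      50877 20 tcp4   192.168.27.254:5353   *:*
bind     named      50877 21 tcp4   127.0.0.1:5353        *:*
bind     named      50877 22 tcp4   127.0.0.1:953         *:*
bind     named      50877 515 udp4  127.0.0.1:5353        *:*
bind     named      50877 516 udp4  127.0.0.1:5353        *:*
unbound  unbound    51296 3  udp4   127.0.0.1:53          *:*
unbound  unbound    51296 4  tcp4   127.0.0.1:53          *:*
unbound  unbound    51296 10 udp4   *:29712               *:*
EOF
}

# Read `sockstat -l` output on stdin and print one dig command per distinct
# IPv4 resolver listener. Skipped: the rndc control port (953) and
# wildcard-bound sockets (unbound's outgoing query ports).
probe_cmds() {
    name=${1:-freebsd.org}   # query name is an assumption; use any known-good name
    awk -v name="$name" '
        $2 != "named" && $2 != "unbound" { next }
        $5 != "udp4" && $5 != "tcp4"     { next }
        {
            n = split($6, a, ":"); addr = a[1]; port = a[n]
            if (addr == "*" || port == "953") next
            key = $2 SUBSEP $5 SUBSEP $6
            if (seen[key]++) next            # several sockets share one address
            tcp = ($5 == "tcp4") ? " +tcp" : ""
            printf "dig @%s -p %s %s A +tries=1 +time=3%s  # %s\n", \
                   addr, port, name, tcp, $2
        }'
}

# Run every probe on the live host (needs sockstat and dig). dig exits
# non-zero when the server sends no reply at all, which is the symptom here.
probe_all() {
    sockstat -l | probe_cmds "$1" | while IFS= read -r cmd; do
        if sh -c "$cmd" >/dev/null 2>&1; then st="answered"; else st="NO ANSWER"; fi
        printf '%-10s %s\n' "$st" "$cmd"
    done
}
```

Run `probe_all` once with a name that has not been looked up yet and once again afterwards: a listener that answers only the second time is serving from cache but failing to recurse.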

