In message <barmar-63054e.22484615102...@reserved-multicast-range-not-delegated.example.com>, Barry Margolin writes:
> In article <mailman.490.1287172931.555.bind-us...@lists.isc.org>,
>  Eric Ritchie <eritc...@interactivebrokers.com> wrote:
> 
> >   When doing a nslookup of a non-existent host on the same network as 
> > the bind servers, there is a delay. If I do the same nslookup from a 
> > host on a different network, the response is immediate.
> 
> My guess is that the server allows recursion for clients on the same 
> network, but doesn't allow it for clients on a different network.  But 
> there's something blocking its ability to recurse.

You have two problems.

1. You don't have allow-recursion set to allow all your recursive
   clients to recurse.  When your off net clients try to recurse
   they get REFUSED.  This is why you get "quick" responses.
   The default for allow-recursion is "{ localnets; localhost; };"

2. When you do attempt to recurse on behalf of the local clients
   you can't reach the root servers.  This results in a timeout.
   I would be looking for a mis-configured firewall.

> > host a is on the same network as bind servers, host b is on different 
> > network:
> > 
> > hostb$ nslookup dev600
> > Server:         131.210.30.200
> > Address:        131.210.30.200#53
> > 
> > ** server can't find dev600: REFUSED
>
> > hosta $ nslookup dev600
> > ;; connection timed out; no servers could be reached
> > 
> > tcpdump on server:
> > 15:53:38.535453 IP hosta.ibg.28346>  bindsrv.domain:  36663+ A? dev600.ibg. (28)
> > 15:53:38.535582 IP bindsrv.domain>  hosta.ibg.28346:  36663 NXDomain* 0/1/0 (75)
> > 15:53:38.535834 IP hosta.ibg.23719>  bindsrv.domain:  44929+ A? dev600. (24)
> > 
> > 
> > 15:53:21.233381 IP hostb.ibg.51921>  bindsrv.domain:  38869+ A? dev600.ibg. (28)
> > 15:53:21.233750 IP bindsrv.domain>  hostb.ibg.51921:  38869 NXDomain*- 0/1/0 (75)
> > 15:53:21.234022 IP hostb.ibg.43283>  bindsrv.domain:  41973+ A? dev600. (24)
> > 15:53:21.234181 IP bindsrv.domain>  hostb.ibg.43283:  41973 Refused- 0/0/0 (24)
> > 
> > 
> > We have several locations with similar setups and all see the same 
> > issue. They are running different versions also, one is 9.4.2 and one is 
> > 9.7.0-P1. The /etc/resolv.conf file is:
> > 
> > search ibg
> > options rotate
> > options ndots:3
> > nameserver 131.210.30.200
> > nameserver 131.210.30.201
> > nameserver 131.210.30.202
> > nameserver 131.210.30.203
> > 
> > Thanks
> 
> -- 
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
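
Added example, not part of the original message or of BIND: a Python sketch that pairs the queries and responses in the tcpdump capture quoted above by client port and DNS ID, which makes the two symptoms visible side by side (Refused for hostb, no reply at all for hosta). The function names and hint strings are assumptions of this example; the capture lines are the ones from the thread with wrapped lines rejoined.

```python
import re

# Capture lines from the thread above, with wrapped lines rejoined.
CAPTURE = """\
15:53:38.535453 IP hosta.ibg.28346>  bindsrv.domain:  36663+ A? dev600.ibg. (28)
15:53:38.535582 IP bindsrv.domain>  hosta.ibg.28346:  36663 NXDomain* 0/1/0 (75)
15:53:38.535834 IP hosta.ibg.23719>  bindsrv.domain:  44929+ A? dev600. (24)
15:53:21.233381 IP hostb.ibg.51921>  bindsrv.domain:  38869+ A? dev600.ibg. (28)
15:53:21.233750 IP bindsrv.domain>  hostb.ibg.51921:  38869 NXDomain*- 0/1/0 (75)
15:53:21.234022 IP hostb.ibg.43283>  bindsrv.domain:  41973+ A? dev600. (24)
15:53:21.234181 IP bindsrv.domain>  hostb.ibg.43283:  41973 Refused- 0/0/0 (24)
"""

# timestamp, "IP", source endpoint, ">", destination endpoint, ":", DNS ID, rest
LINE = re.compile(r"^\S+ IP (\S+?)\s*>\s+(\S+):\s+(\d+)(.*)$")
# A query shows optional flags right after the ID, then "TYPE? name"
QUERY = re.compile(r"^\S*\s+(\w+)\?\s+(\S+)")

def pair_queries(capture):
    """Return {(client_host, qname): outcome} for every query in the capture."""
    pending = {}   # (client endpoint incl. port, DNS ID) -> (client_host, qname)
    outcome = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, dns_id, rest = m.groups()
        q = QUERY.match(rest)
        if q:
            key = (src.rsplit(".", 1)[0], q.group(2))   # drop the port
            pending[(src, dns_id)] = key
            outcome[key] = "NO RESPONSE"                # until a reply is seen
        elif (dst, dns_id) in pending:
            token = (rest.split() or ["Unknown"])[0]
            # tcpdump omits the rcode for NoError; strip flag characters otherwise
            rcode = token.rstrip("*-|$") if token[0].isalpha() else "NoError"
            outcome[pending.pop((dst, dns_id))] = rcode
    return outcome

def diagnose(outcome):
    """Map outcomes to the two causes named in the reply above."""
    hints = {"Refused": "client not matched by allow-recursion",
             "NO RESPONSE": "recursion attempted, no answer: check upstream reachability"}
    return {k: hints[v] for k, v in outcome.items() if v in hints}

if __name__ == "__main__":
    for (host, name), hint in diagnose(pair_queries(CAPTURE)).items():
        print(f"{host} {name}: {hint}")
```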