Thank you for your replies. This is an internal network with only 1 domain, no other DNS servers. I disabled recursion and it's working good.

Eric

On 10/17/2010 8:44 PM, Mark Andrews wrote:
In message <barmar-63054e.22484615102...@reserved-multicast-range-not-delegated.example.com>, Barry Margolin writes:
In article <mailman.490.1287172931.555.bind-us...@lists.isc.org>,
  Eric Ritchie <eritc...@interactivebrokers.com> wrote:

   When doing a nslookup of a non-existent host on the same network as
the bind servers, there is a delay. If I do the same nslookup from a
host on a different network, the response is immediate.

My guess is that the server allows recursion for clients on the same
network, but doesn't allow it for clients on a different network.  But
there's something blocking its ability to recurse.

You have two problems.

1. You don't have allow-recursion set to allow all your recursive
    clients to recurse.  When your off net clients try to recurse
    they get REFUSED.  This is why you get "quick" responses.
    The default for allow-recursion is "{ localnets; localhost; };"

2. When you do attempt to recurse on behalf of the local clients
    you can't reach the root servers.  This results in a timeout.
    I would be looking for a mis-configured firewall.

host a is on the same network as bind servers, host b is on different
network:

hostb$ nslookup dev600
Server:         131.210.30.200
Address:        131.210.30.200#53

** server can't find dev600: REFUSED

hosta $ nslookup dev600
;; connection timed out; no servers could be reached

tcpdump on server:
15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain:  36663+ A? dev600.ibg. (28)
15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346:  36663 NXDomain* 0/1/0 (75)
15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain:  44929+ A? dev600. (24)

15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain:  38869+ A? dev600.ibg. (28)
15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921:  38869 NXDomain*- 0/1/0 (75)
15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain:  41973+ A? dev600. (24)
15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283:  41973 Refused- 0/0/0 (24)


We have several locations with similar setups and all see the same
issue. They are running different versions also, one is 9.4.2 and one is
9.7.0-P1. The /etc/resolv.conf file is:

search ibg
options rotate
options ndots:3
nameserver 131.210.30.200
nameserver 131.210.30.201
nameserver 131.210.30.202
nameserver 131.210.30.203

Thanks
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Eric Ritchie
Interactive Brokers LLC
203-618-5868
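
The behaviour discussed in this thread, modelled as an added example (not code from the thread or from BIND): the resolv.conf search list turns `dev600` into two queries, and the server's recursion ACL decides whether the second one is refused at once or hangs on unreachable root servers. The /24 prefix, both client addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the page gives only the server address 131.210.30.200;
# the /24 prefix and both client addresses are assumptions for illustration.
LOCALNETS = [ipaddress.ip_network("131.210.30.0/24")]
HOSTA = "131.210.30.50"   # same network as the BIND servers (assumed)
HOSTB = "131.210.40.50"   # different network (assumed)
AUTH_ZONES = ["ibg."]     # the single internal domain


def search_candidates(name, search=("ibg",), ndots=3):
    """Names a stub resolver tries, in order, given resolv.conf search/ndots."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s}." for s in search]
    # Fewer dots than ndots: search list first, then the name as typed.
    if name.count(".") < ndots:
        return suffixed + [name + "."]
    return [name + "."] + suffixed


def server_answer(client, qname, recursion=True, allow_recursion=None,
                  roots_reachable=False):
    """Model how the server treats one query for a name that does not exist."""
    if any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES):
        return "NXDOMAIN"            # answered from authoritative data
    # Default allow-recursion is { localnets; localhost; }; localhost omitted.
    acl = LOCALNETS if allow_recursion is None else allow_recursion
    if not (recursion and any(ipaddress.ip_address(client) in n for n in acl)):
        return "REFUSED"             # immediate reply, nothing is recursed
    return "NXDOMAIN" if roots_reachable else "TIMEOUT"


def lookup(client, name, **server):
    """Walk the search list as the client does; return (qname, result) pairs."""
    trace = []
    for q in search_candidates(name):
        rcode = server_answer(client, q, **server)
        trace.append((q, rcode))
        if rcode != "NXDOMAIN":      # stop on the first non-answer
            break
    return trace


if __name__ == "__main__":
    for who, ip in (("hosta", HOSTA), ("hostb", HOSTB)):
        print(who, lookup(ip, "dev600"))
    print("recursion no:", lookup(HOSTA, "dev600", recursion=False))
```

With `recursion=False` the on-net client gets the same immediate REFUSED as the off-net one, which matches the fix reported at the top of this message.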
