On 11/18/2010 2:18 PM, Matus UHLAR - fantomas wrote:
On 17.11.10 11:10, Moore, Mark A. wrote:
nslookup www.cnn.com
;; Got SERVFAIL reply from 192.243.160.18, trying next server
On 11/18/2010 5:16 AM, Matus UHLAR - fantomas wrote:
This server apparently does not provide recursion for you.
On 18.11.10 12:44, Kevin Darcy wrote:
The OP already found the problem -- apparently the hints file wasn't
being loaded properly.
it was after my reply ;-)

However, for future reference in troubleshooting DNS problems through
interpretation of nslookup results, for the versions of nslookup I'm
familiar with, trying to do a lookup that requires recursion, from a
resolver that doesn't provide it, results in either
a) a goofy-looking referral response, if no searchlisting is being
performed, or
b) nslookup going off and doing searchlisted queries, and returning the
results of the *last* query it does (which is likely to be an NXDOMAIN
response, thus causing nslookup to mis-report the result of the overall
lookup as NXDOMAIN)

In neither case would it return SERVFAIL. That usually points to some
other root cause. My guess would have been that the resolver had no
connectivity to the Internet and had marked all of the root nameservers
as "lame". Mis-loading of the hints file apparently has the same
symptoms, although to be honest I don't think I've seen that before.
Latest versions of BIND do not even return root referrals to clients that are
not allowed to recurse. Accessing the hint zone is understood as recursion too.

...you may remember issue with flooding some servers with UDP responses to
spoofed queries for "." some time ago...

Have you checked with such server?
No, I haven't checked, but I would expect a REFUSED response in that case.

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
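
Added example, not part of the original thread: a header-only classifier in Python for the response types the message above tells apart (SERVFAIL, REFUSED, a referral from a non-recursing server, NXDOMAIN). The function names, hint strings and sample packets are constructed for illustration, and the referral test is a heuristic based on the AA and RA flags.

```python
import struct

# Flag masks in the 16-bit DNS header flags field (RFC 1035, section 4.1.1).
QR, AA, RA = 0x8000, 0x0400, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Hypothetical hint strings summarising the readings discussed in the thread.
HINTS = {
    "servfail": "server tried and failed: check root hints and upstream connectivity",
    "refused": "server declined the query by policy (recursion not allowed?)",
    "referral": "server handed back a referral: it is not recursing for you",
    "nxdomain": "name does not exist, or only the last searchlisted name did not",
    "answer": "normal answer",
    "other": "inspect the full message",
}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    return {"aa": bool(flags & AA), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0x000F, "OTHER"),
            "answers": an, "authority": ns}

def classify(msg: bytes) -> str:
    h = parse_header(msg)
    if h["rcode"] in ("SERVFAIL", "REFUSED", "NXDOMAIN"):
        return h["rcode"].lower()
    if h["rcode"] != "NOERROR":
        return "other"
    if h["answers"] > 0:
        return "answer"
    # Header-only heuristic: no answers, authority records present, and neither
    # AA nor RA set. An authoritative NODATA sets AA; a recursive one normally sets RA.
    if h["authority"] > 0 and not h["aa"] and not h["ra"]:
        return "referral"
    return "other"

def sample(flags: int, an: int = 0, ns: int = 0) -> bytes:
    """Constructed header-only test message (ID 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)

if __name__ == "__main__":
    for flags, an, ns in [(0x8182, 0, 0), (0x8105, 0, 0), (0x8100, 0, 13), (0x8183, 0, 1)]:
        kind = classify(sample(flags, an, ns))
        print(f"{flags:#06x} -> {kind}: {HINTS[kind]}")
```

The classifier reads only the header, so a full capture from a real resolver can be passed in unchanged; telling a referral from other empty NOERROR replies with certainty requires looking at the authority section's record types.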
