Hi,

I'm running three DNS servers (1 master, 2 slaves) running bind 9.7.3, hosting about 150 domains, while also providing DNS service for my network.

Recently a customer complained that they cannot send an email (they use my SMTP server) to a specific domain 'rabobank.com' - Postfix logged this error: 'Host or domain name not found.'

Initially I thought there was a problem with the domain, so I checked with 'dig' only to find that it really cannot resolve anything regarding this domain. Then I checked domain registration using 'whois' and it seemed OK.

So I used 'dig' to query my ISP's DNS server, which resolved the domain in question without a problem. For a quick fix I just configured my named to use forwarders.

But I would like to get to the bottom of this, so I did some more testing without forwarders. The domain is using three name servers:

# dig +short ns rabobank.com @ns1.telemach.net
ns2.rabobank.nl.
ns.rabobank.nl.
ns.nl.net.

Incidentally there is also the domain 'rabobank.nl' that uses those same servers:

# dig +short ns rabobank.nl @ns1.telemach.net
ns2.rabobank.nl.
ns.nl.net.
ns.rabobank.nl

Weirdness number 1 - I cannot resolve 'rabobank.com', yet I can resolve 'rabobank.nl':

# dig ns rabobank.com

; <<>> DiG 9.7.3-P1 <<>> ns rabobank.com
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig ns rabobank.nl

; <<>> DiG 9.7.3-P1 <<>> ns rabobank.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4961
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;rabobank.nl.                   IN      NS

;; ANSWER SECTION:
rabobank.nl.            3188    IN      NS      ns.rabobank.nl.
rabobank.nl.            3188    IN      NS      ns.nl.net.
rabobank.nl.            3188    IN      NS      ns2.rabobank.nl.

;; ADDITIONAL SECTION:
ns.nl.net.              85663   IN      A       193.78.240.1
ns.rabobank.nl.         3032    IN      A       145.72.79.222
ns2.rabobank.nl.        2879    IN      A       145.72.79.221

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 27 09:38:11 2011
;; MSG SIZE  rcvd: 135


Weirdness number 2 - using dig directly with their servers works:

# dig ns rabobank.com @145.72.79.221

; <<>> DiG 9.7.3-P1 <<>> ns rabobank.com @145.72.79.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47023
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;rabobank.com.                  IN      NS

;; ANSWER SECTION:
rabobank.com.           3600    IN      NS      ns2.rabobank.nl.
rabobank.com.           3600    IN      NS      ns.nl.net.
rabobank.com.           3600    IN      NS      ns.rabobank.nl.

;; Query time: 39 msec
;; SERVER: 145.72.79.221#53(145.72.79.221)
;; WHEN: Wed Jul 27 09:39:46 2011
;; MSG SIZE  rcvd: 99

I tried the same with all three servers. So I guess it's not a network problem...


I thought 'dig +trace' would give some answers, but it seems it doesn't even use my named to resolve the domain - instead it seems to talk directly to root server and the target server:

# dig +trace ns rabobank.com

; <<>> DiG 9.7.3-P1 <<>> +trace ns rabobank.com
;; global options: +cmd
.                       517503  IN      NS      m.root-servers.net.
.                       517503  IN      NS      d.root-servers.net.
.                       517503  IN      NS      g.root-servers.net.
.                       517503  IN      NS      k.root-servers.net.
.                       517503  IN      NS      j.root-servers.net.
.                       517503  IN      NS      b.root-servers.net.
.                       517503  IN      NS      h.root-servers.net.
.                       517503  IN      NS      e.root-servers.net.
.                       517503  IN      NS      l.root-servers.net.
.                       517503  IN      NS      i.root-servers.net.
.                       517503  IN      NS      a.root-servers.net.
.                       517503  IN      NS      c.root-servers.net.
.                       517503  IN      NS      f.root-servers.net.
;; Received 276 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 490 bytes from 193.0.14.129#53(k.root-servers.net) in 42 ms

rabobank.com.           172800  IN      NS      ns.rabobank.nl.
rabobank.com.           172800  IN      NS      ns2.rabobank.nl.
;; Received 76 bytes from 192.31.80.30#53(d.gtld-servers.net) in 134 ms

rabobank.com.           3600    IN      NS      ns.nl.net.
rabobank.com.           3600    IN      NS      ns2.rabobank.nl.
rabobank.com.           3600    IN      NS      ns.rabobank.nl.
;; Received 99 bytes from 145.72.79.222#53(ns.rabobank.nl) in 40 ms

I also tried fiddling with the 'edns-udp-size', but that didn't change a thing....


I also used 'tcpdump' to trace packets on my router's outbound interface and I see UDP packets going out:

09:53:23.643138 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 7984 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5640, len 71)
09:53:23.643608 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 13083 [1au] AAAA? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 5641, len 72)
09:53:23.652644 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 36595 [1au] A? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 5642, len 72)
09:53:23.664342 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 39678 [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5643, len 71)
09:53:23.680147 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 65295 [1au] A? ns4.nic.nl. ar: . OPT UDPsize=512 (39) (ttl 63, id 3123, len 67)
09:53:23.714178 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 65295*-% q: A? ns4.nic.nl. 1/0/1 ns4.nic.nl. A 95.142.99.212 ar: . OPT UDPsize=4096 (55) (DF) (ttl 242, id 44797, len 83)
09:53:24.443378 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 54272 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 3124, len 71)
09:53:24.444144 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 52158 [1au] AAAA? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 3125, len 72)
09:53:24.453190 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 27942 [1au] A? ns2.rabobank.nl. ar: . OPT UDPsize=512 (44) (ttl 63, id 3126, len 72)
09:53:24.464938 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 63331 [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 3127, len 71)
09:53:24.477335 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 54272*-% q: A? ns.rabobank.nl. 1/0/1 ns.rabobank.nl. A 145.72.79.222 ar: . OPT UDPsize=4096 (59) (DF) (ttl 242, id 44798, len 87)
09:53:24.477662 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 38139 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 5644, len 69)
09:53:24.478210 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 52158*-% q: AAAA? ns2.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 600 ar: . OPT UDPsize=4096 (94) (DF) (ttl 242, id 44799, len 122)
09:53:24.487420 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 27942*-% q: A? ns2.rabobank.nl. 1/0/1 ns2.rabobank.nl. A 145.72.79.221 ar: . OPT UDPsize=4096 (60) (DF) (ttl 242, id 44800, len 88)
09:53:24.499399 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 63331*-% q: AAAA? ns.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 600 ar: . OPT UDPsize=4096 (90) (DF) (ttl 242, id 44801, len 118)
09:53:24.621135 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 58122 [1au] AAAA? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 3128, len 71)
09:53:24.655239 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 58122*-% q: AAAA? ns.rabobank.nl. 0/1/1 ns: rabobank.nl. SOA ns.rabobank.nl. name-it.rn.rabobank.nl. 2001087706 3600 600 1209600 600 ar: . OPT UDPsize=4096 (90) (DF) (ttl 242, id 44802, len 118)
09:53:25.278468 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok] 20564 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 22314, len 69)
09:53:26.879203 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 62265 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 5645, len 69)
09:53:28.480190 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok] 5708 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 22315, len 69)
09:53:31.682125 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 22613 MX? rabobank.com. (30) (ttl 63, id 5646, len 58)
09:53:34.883990 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok] 33010 MX? rabobank.com. (30) (ttl 63, id 22316, len 58)
09:53:41.287865 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 64414 MX? rabobank.com. (30) (ttl 63, id 5647, len 58)
09:53:47.691600 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok] 32401 MX? rabobank.com. (30) (ttl 63, id 22317, len 58)

If I try to resolve 'rabobank.nl', I only see these packets:

09:54:40.319835 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 31758 [1au] MX? rabobank.nl. ar: . OPT UDPsize=512 (40) (ttl 63, id 3129, len 68)
09:54:40.353814 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 31758*- q: MX? rabobank.nl. 1/0/1 rabobank.nl. MX mail01.rabobank.nl. 5 ar: . OPT UDPsize=4096 (63) (DF) (ttl 242, id 55891, len 91)

AND I get the response.


Soooo... Any ideas?



   Danilo

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
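
An added example, not part of the original post: a short Python script that pairs the queries in a tcpdump capture like the one above with their replies, by server address and DNS transaction ID, and lists the queries that never got an answer together with whether each carried an EDNS OPT record. The input is five lines excerpted from the post's capture; the function and variable names are this example's own.

```python
import re

# Five lines excerpted from the tcpdump capture in the post above.
CAPTURE = """\
09:53:24.443378 178.79.70.66.53 > 193.78.240.1.53: [udp sum ok] 54272 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 3124, len 71)
09:53:24.477335 193.78.240.1.53 > 178.79.70.66.53: [udp sum ok] 54272*-% q: A? ns.rabobank.nl. 1/0/1 ns.rabobank.nl. A 145.72.79.222 ar: . OPT UDPsize=4096 (59) (DF) (ttl 242, id 44798, len 87)
09:53:24.477662 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 38139 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 5644, len 69)
09:53:25.278468 178.79.70.66.53 > 145.72.79.221.53: [udp sum ok] 20564 [1au] MX? rabobank.com. ar: . OPT UDPsize=512 (41) (ttl 63, id 22314, len 69)
09:53:31.682125 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 22613 MX? rabobank.com. (30) (ttl 63, id 5646, len 58)
"""

# timestamp, src.port > dst.port:, checksum note, transaction ID (+ reply flags), rest
LINE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"\[udp sum ok\] (?P<id>\d+)(?P<flags>\S*) (?P<rest>.*)$")
QUESTION = re.compile(r"(?:\[\d+au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")

def pair_queries(capture, resolver):
    """Match each query sent by `resolver` to a reply carrying the same
    (server, transaction ID). Returns one dict per query, in send order."""
    sent = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("q: "):  # reply: header flags, then the echoed question
            key = (m["src"], m["id"])
            if m["dst"] == resolver and key in sent:
                sent[key]["answered"] = True
            continue
        q = QUESTION.match(rest)
        if q and m["src"] == resolver:
            sent[(m["dst"], m["id"])] = {
                "server": m["dst"], "qtype": q["qtype"], "qname": q["qname"],
                "edns": "OPT UDPsize=" in rest, "answered": False}
    return list(sent.values())

def unanswered(capture, resolver):
    """Queries with no matching reply: (server, qtype, qname, used_edns)."""
    return [(r["server"], r["qtype"], r["qname"], r["edns"])
            for r in pair_queries(capture, resolver) if not r["answered"]]

if __name__ == "__main__":
    for server, qtype, qname, edns in unanswered(CAPTURE, "178.79.70.66"):
        print(f"no reply from {server}: {qtype} {qname} ({'EDNS' if edns else 'plain'})")
```

Run against the full capture, the same pairing separates the servers that answered every query from those that answered none, for both the EDNS and the plain retries.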
