Offhand, it looks like you might have DNSSEC validation turned on (thus making responses from the GTLD nameservers bigger than 512 bytes; note that all of the GTLD-server responses in that tcpdump have truncation flagged), your EDNS0 buffer tuned down to 512 bytes ("edns-udp-size 512", thus eliminating UDP as an option for those big responses), and then something in your network is sending RSTs to every attempt at a DNS/TCP connection (thus eliminating TCP as an option too).

Something's gotta give. You can't expect reasonable resolution while all 3 of those conditions prevail.

Note that your "dig"s don't have +dnssec, +bufsize=xxxxx, or +norec, so they're really not an apples-to-apples comparison to what named itself is generating.

- Kevin
On 1/23/2012 4:06 PM, Steven Vona wrote:
I am posting here as a last resort and hope someone can help me.

I am running RHEL6 and installed the bind-chroot package. I have tried everything, and even posted to a Linux forum I belong to for help. After three pages and a boatload of troubleshooting, no resolution.

Here is a link to the 3-page forum thread if you're interested in seeing all that we tried to do. There is debug information and even tcpdump info in there.
http://www.linuxquestions.org/questions/linux-server-73/bind-dns-recursion-now-working-924978/

If anyone can help it would be greatly appreciated. If you need any more information please let me know.


This DNS server does not answer recursive queries.  Here is my config.

options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    edns-udp-size 512;
    listen-on-v6 { none; };
};

logging {
    channel query_log {
        file "ns1-bind.log" versions unlimited size 100m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category xfer-in { query_log; };
    category xfer-out { query_log; };
    category update { query_log; };
    category general { query_log; };
    category queries { query_log; };
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

key "dnsadmin" {
    algorithm hmac-md5;
    secret "pjbruihfeuhruehferfw=";
};

controls {
  inet 127.0.0.1 allow { localhost; } keys { dnsadmin; };
};


zone "." IN {
    type hint;
    file "named.ca <http://named.ca>";
};

include "/etc/named.rfc1912.zones";




When I try to query google.com it just hangs, then returns a SERVFAIL:
# dig @localhost google.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58542
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    A

;; Query time: 2695 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 23 16:01:27 2012
;; MSG SIZE  rcvd: 28


If I do a dig with +trace at the end it works:
[root@ns1 etc]# dig @localhost google.com +trace

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> @localhost google.com +trace
; (2 servers found)
;; global options: +cmd
.                       518342  IN      NS      d.root-servers.net.
.                       518342  IN      NS      c.root-servers.net.
.                       518342  IN      NS      b.root-servers.net.
.                       518342  IN      NS      a.root-servers.net.
.                       518342  IN      NS      l.root-servers.net.
.                       518342  IN      NS      f.root-servers.net.
.                       518342  IN      NS      g.root-servers.net.
.                       518342  IN      NS      j.root-servers.net.
.                       518342  IN      NS      e.root-servers.net.
.                       518342  IN      NS      h.root-servers.net.
.                       518342  IN      NS      i.root-servers.net.
.                       518342  IN      NS      m.root-servers.net.
.                       518342  IN      NS      k.root-servers.net.
;; Received 340 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 42 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
;; Received 164 bytes from 192.54.112.30#53(h.gtld-servers.net) in 97 ms

google.com.             300     IN      A       74.125.115.99
google.com.             300     IN      A       74.125.115.106
google.com.             300     IN      A       74.125.115.104
google.com.             300     IN      A       74.125.115.103
google.com.             300     IN      A       74.125.115.105
google.com.             300     IN      A       74.125.115.147
;; Received 124 bytes from 216.239.32.10#53(ns1.google.com) in 30 ms




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
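Kevin's diagnosis above rests on three things meeting on the wire: the DO bit and advertised EDNS buffer size that a validating named sends (and that a bare "dig" does not), the TC bit an authoritative server sets when a signed referral will not fit in that buffer, and the TCP retry that follows. The following is an added example, not code from the thread or from BIND: a dependency-free model of that query/reply exchange using the RFC 1035 header and RFC 6891 OPT record layout, with the reply bytes constructed by hand. The function names (build_query, resolver_outcome, dig_equivalent) and the 4096-byte default buffer are the example's own assumptions.

```python
# Added example (not from the thread): what a validating resolver puts on the
# wire, what a truncated reply looks like, and the UDP -> TCP -> SERVFAIL
# decision that Kevin's reply describes. All packets here are constructed.
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
DO_BIT = 0x8000            # DNSSEC OK; lives in the OPT RR "TTL" field (RFC 6891)
CLASSIC_UDP_MAX = 512      # pre-EDNS UDP ceiling from RFC 1035


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, recurse=False, dnssec_ok=True, udp_size=4096):
    """Build the kind of query a validating resolver sends to an authoritative
    server: RD clear (dig +norec), an EDNS0 OPT record advertising the UDP
    payload size (dig +bufsize) and carrying the DO bit (dig +dnssec).
    udp_size=0 omits the OPT record, i.e. a plain RFC 1035 query."""
    flags = FLAG_RD if recurse else 0
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/DO/Z, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header; TC is the bit that forces a retry over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def dig_equivalent(recurse=False, dnssec_ok=True, udp_size=4096):
    """The dig options that reproduce build_query() from the command line."""
    opts = [] if recurse else ["+norec"]
    if udp_size:
        opts.append("+bufsize=%d" % udp_size)
        if dnssec_ok:
            opts.append("+dnssec")
    return " ".join(opts)


def resolver_outcome(response, tcp_reachable):
    """What a resolver does with a UDP reply: use it; retry over TCP when TC is
    set; or, when TC is set and TCP is blocked (e.g. RSTs), give up, which the
    client sees as SERVFAIL."""
    if not parse_header(response)["tc"]:
        return "answer"
    return "retry over TCP" if tcp_reachable else "SERVFAIL"


# Constructed reply: the server could not fit a signed referral into the
# buffer we advertised, so it set TC and returned only the question plus its
# own OPT record.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC, 1, 0, 0, 1)
                   + encode_name("google.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
                   + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0))

if __name__ == "__main__":
    q = build_query("google.com", udp_size=CLASSIC_UDP_MAX)   # what edns-udp-size 512 produces
    print("query bytes:", q.hex())
    print("same query with dig: dig @a.gtld-servers.net google.com",
          dig_equivalent(udp_size=CLASSIC_UDP_MAX))
    print("TC set in reply:", parse_header(TRUNCATED_REPLY)["tc"])
    for tcp_ok in (True, False):
        print("tcp reachable=%s ->" % tcp_ok, resolver_outcome(TRUNCATED_REPLY, tcp_ok))
```

To compare like with like on a live box, run dig with the options dig_equivalent() prints (directly against a gtld-servers.net address, so the recursion on localhost is out of the picture) and watch for "flags: ... tc" in the header; then repeat with +tcp. A TC reply over UDP followed by a failed +tcp attempt is the combination Kevin's reply describes, and the fix is on the TCP path or the buffer size, not in the zone configuration.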
