Re: Sometimes DNS does not resolv domains

Mon, 09 Feb 2015 11:35:05 -0800 

Hello
Investigate if it's not related to the problems with EDNS0 support and the fallback mechanism in Bind, as described in this article: 

https://kb.isc.org/article/AA-01219/


It's described as one of the outstanding issues of both the latest 
versions of bind 9.9 and 9.10:



Refinements to EDNS fallback behavior in BIND 9.9.6 and 9.10.1 may 
prevent named (running as a recursive server) from attempting a final 
query using UDP without EDNS0 in some rare situations where prior 
queries using EDNS0 with both and TCP did not obtain usable answers.  
For more details see https://kb.isc.org/article/AA-01219/.



I am finding a lot of these errors lately, and I cannot find out if 
it's related or not:



09-Feb-2015 12:36:11.904 query-errors: debug 1: client 
109.80.225.36#34954 (ihned.cz): query failed (SERVFAIL) for 
ihned.cz/IN/AAAA at query.c:7025
09-Feb-2015 12:36:11.904 query-errors: debug 2: fetch completed at 
resolver.c:3080 for ihned.cz/AAAA in 0.000504: failure/success [domain:ihned.cz,referral:0,restart:2,qrysent:2,timeout:0,lame:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]



I can confirm that the server sometimes fails to resolve the requesed 
name, returning the SERVFAIL opcode.


--
S pozdravem,
Daniel Ryšlink
System Administrator


Hi, and thanks for the tips and replies.

I've now set up more detailed logging and I will know more when it
happens again.

-D


Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Jednoduše se připojte
-----------------------------------------------

On 02/08/2015 10:06 PM, Eliezer Croitoru wrote:

Hey David,

Do you have any logs enabled in your settings?
The logs can help a lot to minimize the issues.
There is a nice example of settings at:
http://stackoverflow.com/a/12114139

Which can be a starter to give you more then you have now.

Notice that the issue might come from something that is not in your 
hands at all.

You can decide which "channel" to enable or disable.

Also you can verify something in your config about dnssec.

If your server is now dnssec enabled try disabling it and see what 
happens.


Eliezer

On 08/02/2015 20:35, David Woodfall wrote:

Any ideas what might be causing this?

Version: bind-9.9.6_P1-x86_64-1_slack14.1

Thanks

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users





















					Reply via email to