On 16/12/2014 02:25, Kevin Oberman wrote:
On Mon, Dec 15, 2014 at 10:02 AM, Marcelo Gondim <gon...@bsdinfo.com.br> wrote:

    Hi Kevin,

    On 13/12/2014 23:44, Kevin Oberman wrote:

        On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim <gon...@bsdinfo.com.br> wrote:

            Dear,

            I'm having trouble resolving domain name freebsd.org. The
            portsnap server works correctly but the pkg audit -F does not
            work and can not even access the site according to the
            following tests:

            # host ec2-sa-east-1.portsnap.freebsd.org
            ec2-sa-east-1.portsnap.freebsd.org has address 177.71.188.240

            # host vuxml.freebsd.org
            Host vuxml.freebsd.org not found: 3(NXDOMAIN)

            # host -a freebsd.org
            Trying "freebsd.org"
            Trying "freebsd.org.intnet.com.br"
            Host freebsd.org not found: 3(NXDOMAIN)
            Received 86 bytes from ::1#53 in 0 ms

            # host www.freebsd.org
            ;; connection timed out; no servers could be reached

            Only the first address I'm having name resolution
            (ec2-sa-east-1.portsnap.freebsd.org).

            My block IP: 186.193.48.0/20

            One could check for any restrictions on our IP block?

        I think a bit of DNS debugging is in order.

        I could resolve all of the nodes you listed, but there are some
        potential issues I see. First, when looking up a hostname with
        host(1), always terminate the name:

            host -a freebsd.org.

        Trying "freebsd.org"
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;freebsd.org.            IN TYPE255

        ;; ANSWER SECTION:
        freebsd.org. 534 IN AAAA 2001:1900:2254:206a::50:0
        freebsd.org. 534 IN MX 10 mx1.freebsd.org.
        freebsd.org. 534 IN A 8.8.178.110

        But "ANY" queries are fuzzy things at best as the first resolver you
        hit will just return whatever is cached and not try getting an
        authoritative response.

        www.freebsd.org and vuxml.freebsd.org are CNAME entries pointing to
        the same place, 8.8.178.110. This is in FreeBSD's own address space
        from Yahoo and is probably in the mail FreeBSD cluster. I was a bit
        surprised to find that it is an Amazon AWS address, so the portsnap
        files are actually coming from a totally different place.

        DNS is provided by ISC-SNS. 72.52.71.1, 38.103.2.1 and 63.243.194.1.
        Try pinging these. Since BIND, the second oldest and most popular DNS
        server, is written and supported by ISC, I would think that it is
        well run. Try pinging and tracing to these addresses. All of them are
        in very dispersed locations on different provider backbones. (Cogent,
        Hurricane Electric, and ISC, itself.) You might try directing queries
        to each system to see if one fails when others succeed. Use
        "dig @server-addr host".

    Other tests:

    # ping -c 5 NS1.ISC-SNS.NET
    PING ns1.isc-sns.net (72.52.71.1): 56 data bytes
    64 bytes from 72.52.71.1: icmp_seq=0 ttl=56 time=144.327 ms
    64 bytes from 72.52.71.1: icmp_seq=1 ttl=56 time=145.445 ms
    64 bytes from 72.52.71.1: icmp_seq=2 ttl=56 time=144.999 ms
    64 bytes from 72.52.71.1: icmp_seq=3 ttl=56 time=146.775 ms
    64 bytes from 72.52.71.1: icmp_seq=4 ttl=56 time=145.207 ms

    --- ns1.isc-sns.net ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 144.327/145.351/146.775/0.804 ms

    # ping -c 5 NS2.ISC-SNS.COM
    PING ns2.isc-sns.com (38.103.2.1): 56 data bytes
    64 bytes from 38.103.2.1: icmp_seq=0 ttl=54 time=133.839 ms
    64 bytes from 38.103.2.1: icmp_seq=1 ttl=54 time=133.831 ms
    64 bytes from 38.103.2.1: icmp_seq=2 ttl=54 time=133.972 ms
    64 bytes from 38.103.2.1: icmp_seq=3 ttl=54 time=133.957 ms
    64 bytes from 38.103.2.1: icmp_seq=4 ttl=54 time=133.851 ms

    --- ns2.isc-sns.com ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 133.831/133.890/133.972/0.061 ms

    # ping -c 5 NS3.ISC-SNS.INFO
    PING ns3.isc-sns.info (63.243.194.1): 56 data bytes
    64 bytes from 63.243.194.1: icmp_seq=0 ttl=59 time=185.755 ms
    64 bytes from 63.243.194.1: icmp_seq=1 ttl=59 time=185.790 ms
    64 bytes from 63.243.194.1: icmp_seq=2 ttl=59 time=185.866 ms
    64 bytes from 63.243.194.1: icmp_seq=3 ttl=59 time=185.931 ms
    64 bytes from 63.243.194.1: icmp_seq=4 ttl=59 time=185.988 ms

    --- ns3.isc-sns.info ping statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 185.755/185.866/185.988/0.086 ms

    # host -a freebsd.org 72.52.71.1
    Trying "freebsd.org"
    ;; Truncated, retrying in TCP mode.
    Using domain server:
    Name: 72.52.71.1
    Address: 72.52.71.1#53
    Aliases:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15306
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;freebsd.org.                   IN   TYPE255

    ;; ANSWER SECTION:
    freebsd.org. 3600 IN SOA ns0.freebsd.org. hostmaster.freebsd.org. 2014121517 3600 900 604800 600
    freebsd.org. 3600 IN RRSIG SOA 8 2 3600 20141229134836 20141215162412 22689 freebsd.org.
    freebsd.org. 3600 IN RRSIG DNSKEY 8 2 3600 20141228141417 20141214022412 32659 freebsd.org.
    freebsd.org. 0 IN RRSIG NSEC3PARAM 8 2 0 20141219185954 20141206012400 22689 freebsd.org.
    freebsd.org. 600 IN RRSIG NS 8 2 600 20141221172508 20141207182403 22689 freebsd.org.
    freebsd.org. 600 IN RRSIG TXT 8 2 600 20141221200324 20141207122402 22689 freebsd.org.
    freebsd.org. 600 IN RRSIG MX 8 2 600 20141222062628 20141208062403 22689 freebsd.org.
    freebsd.org. 600 IN RRSIG A 8 2 600 20141221151124 20141207232403 22689 freebsd.org.
    freebsd.org. 600 IN RRSIG AAAA 8 2 600 20141222031959 20141208092403 22689 freebsd.org.
    freebsd.org. 3600 IN DNSKEY 256 3 8
    freebsd.org. 3600 IN DNSKEY 257 3 8
    freebsd.org. 3600 IN DNSKEY 256 3 8
    freebsd.org. 0 IN NSEC3PARAM 1 0 100 10238ec3108d6756
    freebsd.org. 600 IN NS ns3.isc-sns.info.
    freebsd.org. 600 IN NS ns2.isc-sns.com.
    freebsd.org. 600 IN NS ns1.isc-sns.net.
    freebsd.org. 600 IN TXT "v=spf1 redirect=_spf.freebsd.org"
    freebsd.org. 600 IN MX 10 mx1.freebsd.org.
    freebsd.org. 600 IN A 8.8.178.110
    freebsd.org. 600 IN AAAA 2001:1900:2254:206a::50:0

    ;; ADDITIONAL SECTION:
    ns1.isc-sns.net. 3600 IN A 72.52.71.1
    ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1
    ns2.isc-sns.com. 3600 IN A 38.103.2.1
    ns3.isc-sns.info. 3600 IN A 63.243.194.1
    ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1
    mx1.freebsd.org. 600 IN A 8.8.178.115
    mx1.freebsd.org. 600 IN AAAA 2001:1900:2254:206a::19:1

    Received 3670 bytes from 72.52.71.1#53 in 298 ms


So this server did return the requested information. You should really use dig(1) for debugging. It provides more information like whether the AA bit is set, DNSSEC data, etc.

Hi Kevin,
I am still unsure why you are issuing ANY queries, though. If you want details, use "host -v". Since you are querying an authoritative resolver, you are not dependent on what is in cache, but the UDP reply is over 2K that is truncated and the query is re-issued via TCP. This means that the behavior is entirely different than a query for just address information.

Free access to the service ports 53/tcp and 53/udp.
Another thing I noticed was that it started to happen after I updated the bind (ports).

# pkg info bind99
bind99-9.9.6P1
Name           : bind99
Version        : 9.9.6P1
Installed on   : Fri Dec 12 09:33:33 BRST 2014
Origin         : dns/bind99
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : net ipv6 dns
Licenses       : ISCL
Maintainer     : m...@freebsd.org
WWW            : https://www.isc.org/software/bind
Comment        : BIND DNS suite with updated DNSSEC and DNS64
Options        :
        DLZ_BDB        : off
        DLZ_FILESYSTEM : off
        DLZ_LDAP       : off
        DLZ_MYSQL      : off
        DLZ_POSTGRESQL : off
        DLZ_STUB       : off
        DOCS           : on
        FILTER_AAAA    : off
        FIXED_RRSET    : off
        GOST           : off
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : off
        GSSAPI_NONE    : on
        IDN            : on
        IPV6           : on
        LARGE_FILE     : off
        LINKS          : on
        NEWSTATS       : off
        PYTHON         : off
        REPLACE_BASE   : off
        RPZ_NSDNAME    : off
        RPZ_NSIP       : off
        RPZ_PATCH      : off
        RRL            : on
        SIGCHASE       : off
        SSL            : on
        THREADS        : on
I would do:
# dig @72.52.71.1 freebsd.org.
# dig @38.103.2.1 freebsd.org.
# dig @8.8.178.115 freebsd.org.

# dig @72.52.71.1 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @72.52.71.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.                   IN      A

;; ANSWER SECTION:
freebsd.org.            600     IN      A       8.8.178.110

;; AUTHORITY SECTION:
freebsd.org.            600     IN      NS      ns2.isc-sns.com.
freebsd.org.            600     IN      NS      ns3.isc-sns.info.
freebsd.org.            600     IN      NS      ns1.isc-sns.net.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.        3600    IN      A       72.52.71.1
ns1.isc-sns.net.        3600    IN      AAAA    2001:470:1a::1
ns2.isc-sns.com.        3600    IN      A       38.103.2.1
ns3.isc-sns.info.       3600    IN      A       63.243.194.1
ns3.isc-sns.info.       3600    IN      AAAA    2001:5a0:10::1

;; Query time: 182 msec
;; SERVER: 72.52.71.1#53(72.52.71.1)
;; WHEN: Tue Dec 16 10:27:56 BRST 2014
;; MSG SIZE  rcvd: 248

# dig @38.103.2.1 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @38.103.2.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40912
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.                   IN      A

;; ANSWER SECTION:
freebsd.org.            600     IN      A       8.8.178.110

;; AUTHORITY SECTION:
freebsd.org.            600     IN      NS      ns2.isc-sns.com.
freebsd.org.            600     IN      NS      ns1.isc-sns.net.
freebsd.org.            600     IN      NS      ns3.isc-sns.info.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.        3600    IN      A       72.52.71.1
ns1.isc-sns.net.        3600    IN      AAAA    2001:470:1a::1
ns2.isc-sns.com.        3600    IN      A       38.103.2.1
ns3.isc-sns.info.       3600    IN      A       63.243.194.1
ns3.isc-sns.info.       3600    IN      AAAA    2001:5a0:10::1

;; Query time: 136 msec
;; SERVER: 38.103.2.1#53(38.103.2.1)
;; WHEN: Tue Dec 16 10:32:03 BRST 2014
;; MSG SIZE  rcvd: 248

# dig @8.8.178.115 freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> @8.8.178.115 freebsd.org.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Once your resolvers have cached the NS records, they should directly query the servers shown and not walk the full tree. From the NXDOMAIN replies, it looks like some system is lying about things. I'm going to guess that system is incorrectly responding with NXDOMAIN when some other error is occurring. That system is probably close to you. Try:
# dig freebsd.org.
# dig freebsd.org.

; <<>> DiG 9.9.6-P1 <<>> freebsd.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org.                   IN      A

;; Query time: 2995 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 16 10:30:25 BRST 2014
;; MSG SIZE  rcvd: 40


That will do a standard query to whatever recursive resolver you normally use. It will, hopefully, point at the culprit. It is also possible that it is a firewall issue, where some security software is sending a NXDOMAIN server to prevent further queries. This is only a guess, but there are a limited number of places where the problem might be generated and experience tells me it is almost certainly close to your system.
I am suspicious that it's some recent filter due to last vulnerability of bind. It could not be?
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
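
The comparison this thread works towards (direct queries to each server versus the reply from the local recursive resolver at ::1), as an added example that is not part of the original messages. The function names `parse_dig` and `triage` are hypothetical, and the sample transcripts are abridged copies of the dig header lines quoted above.

```python
import re

# Sample input: dig output abridged from the replies quoted in the thread
# (header and flags lines only), keyed by the server that was queried.
SAMPLES = {
    "72.52.71.1": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6\n"
    ),
    "38.103.2.1": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40912\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6\n"
    ),
    "8.8.178.115": ";; connection timed out; no servers could be reached\n",
    "::1": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
}

STATUS_RE = re.compile(r"->>HEADER<<-.*status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.M)


def parse_dig(text):
    """Extract rcode, header flags and answer count from one dig transcript."""
    if "no servers could be reached" in text:
        return {"status": "TIMEOUT", "flags": set(), "answers": 0}
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not (status and flags):
        return {"status": "UNPARSED", "flags": set(), "answers": 0}
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}


def triage(transcripts, local):
    """Compare direct queries against the local recursive resolver's reply."""
    parsed = {srv: parse_dig(txt) for srv, txt in transcripts.items()}
    # A server counts as a good authoritative source only if it set the AA
    # flag and actually returned an answer.
    authoritative_ok = sorted(
        srv for srv, r in parsed.items()
        if srv != local and r["status"] == "NOERROR"
        and "aa" in r["flags"] and r["answers"] > 0)
    unreachable = sorted(s for s, r in parsed.items() if r["status"] == "TIMEOUT")
    local_ok = parsed[local]["status"] == "NOERROR" and parsed[local]["answers"] > 0
    if local_ok:
        verdict = "local resolver answers"
    elif authoritative_ok:
        verdict = "fault at or near local resolver"
    else:
        verdict = "authoritative servers not confirmed reachable"
    return {"verdict": verdict, "authoritative_ok": authoritative_ok,
            "unreachable": unreachable, "local_status": parsed[local]["status"]}


if __name__ == "__main__":
    print(triage(SAMPLES, local="::1"))
```
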
