Odd query issue

2010-08-02 Thread Atkins, Brian (GD/VA-NSOC)
I'm troubleshooting an issue with internal resolution of a domain. I
have 2 identical slave servers that resolve for domains that have been
delegated to our group. However, while one of the servers can
successfully provide the responses, the other cannot. I've checked with
the network gurus to verify there is not a possibility of a firewall or
IPS rule causing the issue, but came back empty-handed.

Here's the breakdown (please don't laugh at the antiques...):

Sun V210's running Solaris 5.8
BIND 9.5.1-P3

...
zone "blah.com" {
    type slave;
    file "/slave/db.blah.com";
    masters { 10.xxx.xxx.xxx; };
    allow-transfer { none; };
    allow-query { "all-clients"; };
};
...

# Query local server (one with issues) fails
$ dig www.blah.com.

; <<>> DiG 9.5.1-P3 <<>> www.blah.com.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1735
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
; www.blah.com.   IN  A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  2 14:12:48 2010
;; MSG SIZE  rcvd: 29

# Query master directly or twin server from problem server succeeds
$ dig @10.xxx.xxx.xxx www.blah.com.

; <<>> DiG 9.5.1-P3 <<>> @10.xxx.xxx.xxx www.blah.com.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 341
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
; www.blah.com.   IN  A

;; ANSWER SECTION:
www.blah.com.           300     IN      A       10.xxx.xxx.xxx

;; Query time: 34 msec
;; SERVER: 10.xxx.xxx.xxx #53(10.xxx.xxx.xxx)
;; WHEN: Mon Aug  2 14:14:16 2010
;; MSG SIZE  rcvd: 45

Any ideas to point me in the right direction?

Thanks,

Brian
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Odd query issue

2010-08-02 Thread Alan Clegg
On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote:

> Any ideas to point me in the right direction?

What do the log files show surrounding the query?

AlanC




RE: Odd query issue

2010-08-02 Thread Atkins, Brian (GD/VA-NSOC)
Alan,

Nice to see some class lurking on this list! ;)

I don't see much of anything on this side other than the query portion:
...
02-Aug-2010 16:19:36.610 queries: info: client 172.xxx.xxx.xxx#1845: query: www.blah.com IN A +
...

We're extremely limited on disk space on these servers, so we only
capture the most basic info. I don't have access to the masters on the
other side, so I can't check the logs there, either. I ran a couple of
tcpdump/snoop sessions on both the good/questionable servers and a
client machine, no issues were noted.

Since I sent the original e-mail, though, I found that the 'good' server
hasn't received any new transfers for that zone since the other one
stopped providing successful queries. Just for giggles, I stopped the
named service, removed the slave db files, and restarted the service.
The 'good' server started mimicking the bad server.

My suspicion is that the firewall/IPS gurus didn't check everything and
that there is something blocking the queries/transfers.

Brian




Strange IPv6 messages

2010-08-02 Thread Denis BUCHER

Dear all,

I have a simple question: when reloading BIND, I get these messages, and
later on in the logs the transfer seems to work over IPv4.


Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:620::4#53
Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:418:1::39#53


What should I do to avoid these messages, and why are they appearing?

We have BIND 9.5.1-P2

Thanks a lot for any help :-)

Denis


Re: Odd query issue

2010-08-02 Thread Kevin Darcy

1. Zone has expired (to confirm: check logs)
2. Corrupted/truncated journal file (to confirm: check logs, or, shut 
down gracefully, delete journal and start up again)
3. www.blah.com is a delegation in your slave copy of the zone, and the 
delegated nameservers are all returning SERVFAIL, are lame, give bogus 
answers, some combination of the above, etc. (to confirm: do the lookup 
non-recursively, or a zone transfer of blah.com; if www.blah.com shows 
as a delegation, query the delegated nameservers directly and see what 
they return)




- Kevin


On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote:



Re: Strange IPv6 messages

2010-08-02 Thread Doug Barton
On 08/02/10 14:43, Denis BUCHER wrote:
> Dear all,
> 
> I have a simple question, when reloading Bind, I get these messages, and
> later on in the logs, the transfer seems to work with IPv4.
> 
> Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving
> '(host)/A/IN': 2001:620::4#53
> Aug  2 23:24:13 cirrus named[1581]: network unreachable resolving
> '(host)/A/IN': 2001:418:1::39#53
> 
> What should I do to avoid these messages, and why are they appearing ?
> 
> We have BIND 9.5.1-P2

First, that's an older version; it's generally a good idea to stay
current with nameserver software. If you have any plans to do DNSSEC
validation now, or in the near future, I strongly suggest you evaluate
the latest version of either 9.7.x or 9.6.x. At minimum you should
upgrade to the latest version of 9.5.x.

Second, you didn't mention whether or not you actually HAVE IPv6
transport. Both servers answer fine for me over IPv6 (as I expect they
would) so I'm guessing you don't. If that's accurate, you need to tell
named to stop trying to make requests over it. Since you didn't indicate
what OS you're running, 'man named' is probably your safest bet to find
the answer.


hth,

Doug

-- 

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso



how to handle SPF records for split dns

2010-08-02 Thread donovan jeffrey j
Greetings

I have an internal DNS server; it resolves all my queries from the inside.
I have a mail system requesting an SPF record. Should I add the same record on
the inside as I do for the outside? I don't want internal address space to
mess with external.

I would say just place it on my external DNS. But it's an internal content
filter that is asking for the record, so then shouldn't I place it on the inside?

Any insight, suggestions and flames welcome.
 
-j


Re: how to handle SPF records for split dns

2010-08-02 Thread Noel Butler
On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:

> Greetings
> 
> i have an internal dns server it resolvs all my queries from the inside.
> I have a mail system requesting an spf record.  Should i add the same record 
> on the inside as i do for the outside ? i don't want internal address space 
> to mess with external.
> 
> i would say just place it on my external dns. But it's an internal content 
> filter that is asking for the record, so then shouldn't place it on the 
> inside?
> 
> any insight suggestions and flames welcome
>  

Hi,

Why not have internal clients use SMTP auth on submission only, and
bypass SPF (and other anti-UCE) tests?
If Postfix (since it's the MTA used in your post, you likely are), use:

submission inet n   -   n   -   -   smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o receive_override_options=no_milters

But anyway, when I ran split views, I used SPF on the internal range using
the internal IP, but used ~all in place of -all (which I use on externals).

Cheers
Noel



Re: how to handle SPF records for split dns

2010-08-02 Thread donovan jeffrey j
On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:

> On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
>> 
>> Greetings
>> 
>> i have an internal dns server it resolvs all my queries from the inside.
>> I have a mail system requesting an spf record.  Should i add the same record 
>> on the inside as i do for the outside ? i don't want internal address space 
>> to mess with external.
>> 
>> i would say just place it on my external dns. But it's an internal content 
>> filter that is asking for the record, so then shouldn't place it on the 
>> inside?
>> 
>> any insight suggestions and flames welcome
>>  
> Hi,
> 
> Why not have internal clients use smtp auth on submission only, and bypass 
> spf (and other anti uce) tests?

clamav is picking up from an old relay and I think it's lowering the score
because of an SPF check. 192.168.1.2 is my mail gateway's internal interface.

myfilter.mydomain.com] received a message from 192.168.1.2 that claimed an 
envelope sender address of foo.mo...@dealstodaycheap.info.

However, the domain dealstodaycheap.info has declared using SPF that it does 
not send mail through 192.168.1.1. That is why the message was rejected.

I don't want my internal filter to lower scores just because that relay doesn't
have an SPF record, and I do not want to call the relay local. I want
everything scanned from there.
I may also not be understanding what SPF record clamav is looking for: my relay,
his relay, or my domain? I'd best start with my domain.


> If postfix (since its the MTA used in your post, youm likely are), use:
> submission inet n   -   n   -   -   smtpd
>   -o smtpd_sasl_auth_enable=yes
>   -o 
> smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>   -o receive_override_options=no_milters
> 
> But anyway,  when I ran split views, I used spf on internal range using the 
> int IP, but used ~all  in place of -all (which I use on externals).
> 
> Cheers
> Noel
> 

Thanks for the reply, Noel.
I saw that option on a web site and I thought it was a typo (~) vs (-). What
is the difference?

-j

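Added example, not code from either poster: a small SPF evaluator covering only the ip4/ip6/all mechanisms, used to show the difference Noel describes and Jeff asks about between `~all` on the internal view and `-all` on the external one. The two records and all addresses are constructed placeholders.

```python
import ipaddress

# SPF result for each qualifier (RFC 7208); "+" is the default when none is given
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all subset of SPF for sender_ip.
    Returns the result of the first matching mechanism, 'neutral' if none
    matches, or 'permerror' for a bad record or a mechanism (a, mx, include)
    that would need DNS and is deliberately not handled in this toy evaluator."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual]          # catch-all: ~all softfails, -all fails
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)  # bare address => /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"

# Constructed records for a split-DNS setup (not from the thread); addresses are placeholders.
# Internal view: list the internal relay range and end with ~all, as Noel describes.
INTERNAL_SPF = "v=spf1 ip4:192.168.1.0/24 ~all"
# External view: list only the public relay and end with -all.
EXTERNAL_SPF = "v=spf1 ip4:203.0.113.10 -all"

def compare_views(sender_ip):
    """What an internal filter and an external receiver each conclude for the same sender."""
    return {"internal": check_spf(INTERNAL_SPF, sender_ip),
            "external": check_spf(EXTERNAL_SPF, sender_ip)}

if __name__ == "__main__":
    # Listed internal relay: passes inside; outside it is not listed, so -all rejects it.
    print(compare_views("192.168.1.2"))   # {'internal': 'pass', 'external': 'fail'}
    # Unlisted internal host: ~all only softfails inside, so a filter scores it down instead of rejecting.
    print(compare_views("10.9.8.7"))      # {'internal': 'softfail', 'external': 'fail'}
```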

Clarification on ANY query

2010-08-02 Thread rams
Hi ,

I have data as follows

a.rameshops5446.com. 86400 IN A 1.2.3.1
a.rameshops5446.com. 86400 IN MX 10 a.rameshops5446.com.
I queried the domain "a.rameshops5446.com" with type ANY against BIND 9.6.

Actual result:
BIND is returning the above two records in the answer section and also returning the A
record in the additional section, as follows.

# dig @localhost a.rameshops5446.com. any
; <<>> DiG 9.6.1-P3 <<>> @localhost a.rameshops5446.com. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;a.rameshops5446.com.   IN  ANY
;; ANSWER SECTION:
a.rameshops5446.com.86400   IN  MX  10 a.rameshops5446.com.
a.rameshops5446.com.86400   IN  A   1.2.3.1
;; AUTHORITY SECTION:
rameshops5446.com.  86400   IN  NS  udns2.ultradns.net.
rameshops5446.com.  86400   IN  NS  udns1.ultradns.net.
;; ADDITIONAL SECTION:
a.rameshops5446.com.86400   IN  A   1.2.3.1
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug  3 04:06:45 2010
;; MSG SIZE  rcvd: 137
My doubt is: the A record is already returned in the answer section, so why is the same A
record returned again in the additional section? I know that if the MX target has
any A/ records they will be returned in the additional section, but in the above case
the same A record was already returned in the answer section. Is BIND's result
correct? Could you please clarify?

Thanks & Regards,
Ramesh

Re: Clarification on ANY query

2010-08-02 Thread Evan Hunt
> Here my doubt is A record already returned in answer section why the same A
> record is returning in additional section. I know if MX pointed record have
> any A/ records will return in additional section. but in above case
> already the same A record returned in answer section. Is bind result
> correct? could you please clarify me.

It's "correct" in the sense that it isn't a protocol violation.  But it's
"incorrect" in the sense that duplicate data is inefficient, so maybe
it's a bug that BIND did that.  Send it to bind9-b...@isc.org, we'll look
into it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
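Added example, not from the list or from ISC: a small parser for dig's text output, used first for Kevin Darcy's checklist in the "Odd query issue" thread (compare the slave's SERVFAIL with a direct query to the master, or spot a delegation in the slave's copy) and second to flag the duplicate A record Evan Hunt discusses in the ANY thread. The three dig outputs are constructed to mirror the posts, with placeholder addresses.

```python
import re
def parse_dig(text):
    """Parse dig's text output into status, flag set and per-section RR tuples (TTL dropped)."""
    status, flags, sections, current = None, set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = re.match(r"^;; (\w+) SECTION:", line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
        elif line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif current and line and not line.startswith(";"):
            name, _ttl, cls, rtype, *rdata = line.split()  # "name ttl class type rdata..."
            sections[current].append((name, cls, rtype, " ".join(rdata)))
    return {"status": status, "flags": flags, "sections": sections}

def diagnose_slave(local, upstream):
    """Kevin's checklist applied to a dig at the slave and a dig sent directly to the master."""
    auth_ns = any(rr[2] == "NS" for rr in local["sections"].get("AUTHORITY", []))
    if local["status"] == "SERVFAIL" and upstream["status"] == "NOERROR" and "aa" in upstream["flags"]:
        return "expired-zone-or-journal"  # causes 1 and 2: master serves the zone, slave cannot
    if local["status"] == "NOERROR" and "aa" not in local["flags"] and auth_ns:
        return "delegation"               # cause 3: name is delegated out of the slave's copy
    return "ok"

def duplicated_rrs(resp):
    """RRs present in more than one section, like the A record the ANY thread shows twice."""
    seen = {}
    for sec, rrs in resp["sections"].items():
        for rr in rrs:
            seen.setdefault(rr, set()).add(sec)
    return {rr: secs for rr, secs in seen.items() if len(secs) > 1}

# Constructed dig outputs modelled on the posts (the 10.x address is a placeholder)
SLAVE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1735
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
MASTER_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 341
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.blah.com. 300 IN A 10.0.0.10"""
ANY_RESPONSE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
a.rameshops5446.com. 86400 IN MX 10 a.rameshops5446.com.
a.rameshops5446.com. 86400 IN A 1.2.3.1
;; ADDITIONAL SECTION:
a.rameshops5446.com. 86400 IN A 1.2.3.1"""
```

`diagnose_slave(parse_dig(SLAVE_SERVFAIL), parse_dig(MASTER_NOERROR))` reproduces Brian's situation, and `duplicated_rrs(parse_dig(ANY_RESPONSE))` lists the A record with the two sections it appears in.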