Some Server not Resolving certain address
Hi,

I need some information / suggestion regarding problem I’m having in my DNS Servers.

We have 10 DNS servers, which all using BIND, all the server acting as recursive (caching) DNS server only, no authoritative records at all.

The problem I’m having is some of our customer cannot resolve certain domain name (e.g. www.positivebrain.asia and www.virtucamp.com). 4 out of 10 servers can resolve the domain successfully, but the remaining is not success. All server virtually the same configuration.

Any idea what seem to be the culprit? Is it the root dns populate issue or something else? Is there a way to force DNS server to update from root?

Thank You for any support given.

Best Regards,
Arie Lendra Putra 陈维文
--
Together is a beautiful word, Coming together is the Beginning, Keeping together is Progress
Thinking together is Unity, Working together is Success

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Some Server not Resolving certain address
On 08.04.13 17:03, Arie Lendra Putra wrote:

> I need some information / suggestion regarding problem I’m having in my
> DNS Servers,
>
> We have 10 DNS servers, which all using BIND, all the server acting as
> recursive (caching) DNS server only, no authoritative records at all,
>
> The problem I’m having is some of our customer cannot resolve certain
> domain name, (e.g. www.positivebrain.asia and www.virtucamp.com), 4 out of
> 10 servers can resolve the domain successfully, but the remaining is not
> success. All server virtually the same configuration,
>
> Any idea what seem to be the culprit? Is it the root dns populate issue or
> something else? Is there a way to force DNS server to update from root?

Domain positivebrain.asia has invalid NS records. Maybe a web DNS checker could provide correct answer, although you must try more of them...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
Re: Some Server not Resolving certain address
Some of my server reported SERVFAIL.

I try some reference on http://www.whatsmydns.net/ and some result fail indeed, but why some of my server still resolve ok? Or my other server which resolve the domain actually "late" to see the invalid record?

Best Regards,
Arie Lendra Putra 陈维文
Re: Some Server not Resolving certain address
On 08.04.13 17:35, Arie L. Putra wrote:

> Some of my server reported SERVFAIL,
>
> i try some reference on http://www.whatsmydns.net/ and some result fail
> indeed, but why some of my server still resolve ok? or my other server
> which resolve the domain actually "late" to see the invalid record?

Because while delegation NS records are OK, the NS records in domain itself are broken.

With the first lookup you may get the answer from the parent servers, but later lookups will use broken NS records and thus they will fail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
42.7 percent of all statistics are made up on the spot.
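The sequence described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a caching resolver, using constructed names and TTLs rather than the real records of any domain mentioned here. It assumes the authoritative server includes the zone's own NS set in its answers and that the resolver prefers that set over the parent's referral, as RFC 2181 section 5.4.1 ranks it.

```python
# Simplified model of a caching resolver (added illustration, constructed data).
# It shows how identically configured resolvers can disagree about one zone
# when the delegation at the parent is correct but the zone's own NS set is not.

# Constructed names; not the real records of any domain named in this thread.
PARENT_NS = frozenset({"ns1.hoster.example.", "ns2.hoster.example."})  # delegation: correct
CHILD_NS = frozenset({"ns1.old-hoster.example.", "ns2.old-hoster.example."})  # apex NS: broken
SERVES_ZONE = PARENT_NS            # only these hosts actually answer for the zone
A_TTL, NS_TTL = 300, 86400         # seconds, constructed

RANK_REFERRAL, RANK_AUTH = 1, 2    # higher-ranked data replaces lower in the cache


class Resolver:
    def __init__(self):
        self.ns = None             # (nameserver set, rank, expiry time)
        self.a_expiry = None       # expiry time of the cached A record

    def _store_ns(self, names, rank, now):
        expired = self.ns is None or now >= self.ns[2]
        if expired or rank >= self.ns[1]:
            self.ns = (names, rank, now + NS_TTL)

    def resolve(self, now):
        """Look up the zone's www name at time `now`; return the status."""
        if self.a_expiry is not None and now < self.a_expiry:
            return "NOERROR"                       # answered from cache
        if self.ns is None or now >= self.ns[2]:
            # Nothing usable cached: ask the parent and follow its referral.
            self._store_ns(PARENT_NS, RANK_REFERRAL, now)
        if not (self.ns[0] & SERVES_ZONE):
            return "SERVFAIL"                      # every cached NS is a dead end
        self.a_expiry = now + A_TTL                # authoritative answer received
        self._store_ns(CHILD_NS, RANK_AUTH, now)   # its authority section wins
        return "NOERROR"


def fleet_status(first_query_times, now):
    """Status each resolver reports at `now`, given when it first saw the name."""
    statuses = []
    for first_seen in first_query_times:
        resolver = Resolver()
        resolver.resolve(first_seen)
        statuses.append(resolver.resolve(now))
    return statuses


if __name__ == "__main__":
    # Ten identical resolvers; six first saw the name long enough ago for the
    # cached A record to expire, four saw it within the last A_TTL seconds.
    firsts = [0] * 6 + [350, 360, 370, 380]
    for first_seen, status in zip(firsts, fleet_status(firsts, now=400)):
        print(f"first query at t={first_seen:>3}s -> {status}")
```

In this model the only difference between a resolver that answers and one that returns SERVFAIL is when it first cached the name, not its configuration.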
Re: Simple question about zone and CNAME
Warren Kumari wrote on 04/05/2013 06:48:08 PM:

> > And then there's these folks:
> >
> > http://no-www.org/
>
> Oh wow!
>
> Gee, thanks for that?

And it's always fun when you tell someone to go to a URL that doesn't include the W's and they want to type them in anyways, i.e. chat.example.com.

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.
Re: Simple question about zone and CNAME
In article , wbr...@e1b.org wrote:

> > > Incidentally, we have just been asked for an A record for cam.ac.uk to
> > > duplicate www.cam.ac.uk because, and I quote, "all the publicity material
> > > sent out by the nominator [for an award for the web site] gave the URL
> > > as http://cam.ac.uk/ and this has been retweeted around".
> >
> > Yes, sadly I've lost that technical battle with marketing several places
> > now.
>
> And then there's these folks:
>
> http://no-www.org/

Is co-opting high-level name space for a single protocol a modern-day landgrab? Discuss. Points will be deducted for uncritical mentions of SRV records.

Sam

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Simple question about zone and CNAME
In article , Dave Warren wrote:

> On 2013-04-05 12:18, Sam Wilson wrote:
> > We're currently prevaricating over putting in an A record for ed.ac.uk.
> > Whilst my colleagues who manage active directory assure me that having
> > an A record there - pointing at the content-managed web server that has
> > difficulty handling arbitrary URLs - won't break anything I'm not going
> > to try it except under very controlled conditions and after I've spoken
> > to a lot of other people who do it already.
>
> Is ed.ac.uk your Active Directory root as well? If so, my experience is
> that pointing it at anything but domain controllers will eventually lead
> you to issues.

It is. That's the sort of response I was hoping for - thank you.

> It's not to say that this totally forbidden, but there is (was?)
> Microsoft best practices documents suggesting avoiding this
> configuration entirely when possible, although there were ways to
> mitigate most of the negative side effects.

If you know of a reference that would be helpful.

> Obviously if you can run a split DNS environment this is less of a factor.

We don't and we're trying not to have to.

Sam
Re: Simple question about zone and CNAME
In article , Phil Mayers wrote:

> Sam Wilson wrote:
>
> > [adding an A record for ed.ac.uk.]
>
> If your AD realm is also called ed.ac.uk then adding an A record will
> definitely affect things.

Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)

Sam
Re: Some Server not Resolving certain address
> From: "Arie L. Putra"
> Some of my server reported SERVFAIL,
>
> i try some reference on http://www.whatsmydns.net/ and some result
> fail indeed, but why some of my server still resolve ok?
> or my other server which resolve the domain actually "late" to see
> the invalid record?

In your first message, you said "All server virtually the same configuration." What are the differences?

What do the servers that do resolve have in common that is missing on the others? What do the ones that fail have in common?

Could it be an issue with IPv6? Are they all running the same version of bind? Differences in named.conf? Could there be differing firewall rules for the different servers?

Try running dig from each server.
Re: Simple question about zone and CNAME
In article , Doug Barton wrote:

> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
>
> | It is funny you should mention that... my questions about using views
> | to create a situation where one single record is different happens to
> | be exactly for this reason. The Active Directory administrators were
> | saying that not having umdnj.edu point to an Active Directory server
> | was bothering the AD servers in some fashion. The solution we're going
> | to test is telling the AD servers that umdnj.edu are them, but telling
> | everyone else on the planet that it's www. We think this will do it,
> | but haven't tested yet.
>
> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu.
> AD DNS is only really happy when it runs the whole show for its "home"
> domain. It's possible to do otherwise, but really painful and fragile.

We've been running our main domain with the underscore domains delegated to AD for well over a decade and it's been neither painful nor fragile, at least no more painful than running AD any other way as far as I can tell.

We already had a well partitioned and, in some cases, delegated DNS structure before Windows 2000/Active Directory came on the scene, but we needed to have a single AD thingy (forest? domain? I can't remember the correct terminology). Replicating all of that under a new functional domain didn't seem like a sensible option.

Sam
Re: Simple question about zone and CNAME
In article , wbr...@e1b.org wrote:

> Warren Kumari wrote on 04/05/2013 06:48:08 PM:
>
> > > And then there's these folks:
> > >
> > > http://no-www.org/
> >
> > Oh wow!
> >
> > Gee, thanks for that?
>
> And it's always fun when you tell someone to go to a URL that doesn't
> include the W's and they want to type them in anyways, i.e.
> chat.example.com.

Oh yes. Sigh...

Sam
Re: Some Server not Resolving certain address
On 8 Apr 2013, at 14:25, wbr...@e1b.org wrote:

> Try running dig from each server.

And be sure to specify the server address on the dig command line; otherwise whatever test you intend may be diverted by what is specified in /etc/resolv.conf.

If you use

    dig @127.0.0.1 ...

you can be sure that the server on which your shell session is running is the one to which dig sends the query. If this is not what you need, use the address of the server's network interface.

ATB
Niall O'Reilly
Re: Simple question about zone and CNAME
On 08/04/13 14:46, Sam Wilson wrote:

> In article , Phil Mayers wrote:
>
> > Sam Wilson wrote:
> >
> > > [adding an A record for ed.ac.uk.]
> >
> > If your AD realm is also called ed.ac.uk then adding an A record will
> > definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with
> such great conviction. :-)

Off the top of my head the two most recent issues we've had.

1. If you don't have a domain controller A record at your AD realm name, you'll experience sporadic timeouts and slowness if you ever want to roll out DFS, particularly if your domain members include non-Microsoft clients such as Macs

2. If you put something else at that place, you'll see SMB connection attempts and if they fail but port 80 is open, you'll see Windows trying to do WebDAV requests (!) to it.

Both these and other issues make me wish we'd chosen a sub-domain for our AD realm when we migrated from NT4. But we had no way of knowing at the time :o(
Re: Simple question about zone and CNAME
On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:

> In article , Phil Mayers wrote:
>
> > Sam Wilson wrote:
> >
> > > [adding an A record for ed.ac.uk.]
> >
> > If your AD realm is also called ed.ac.uk then adding an A record will
> > definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with
> such great conviction. :-)
>
> Sam

AD clients, if they do not know about SRV records for finding the LDAP servers, will use the "A" records for the AD domain to locate the Domain Controllers. Where I used to work we did not segregate AD, so internally, example.com pointed to the Domain Controllers. Externally, example.com had no IP address because the DCs were not accessible from the external Internet. When we had the DC addresses externally, then AD clients would see the addresses, try to authenticate to the AD, experience timeouts, and get frustrated. Without an external address, AD clients do not try to access the DCs. The drawback is that we can not have example.com externally have the same address as www.example.com to aid browser users.

--Barry Finkel
Re: Simple question about zone and CNAME
On 04/08/2013 09:47 AM, Sam Wilson wrote:

> In article , Phil Mayers wrote:
>
> > Sam Wilson wrote:
> >
> > > [adding an A record for ed.ac.uk.]
> >
> > If your AD realm is also called ed.ac.uk then adding an A record
> > will definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not
> with such great conviction. :-)

Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Simple question about zone and CNAME
On 04/08/2013 10:16 AM, Phil Mayers wrote:

> On 08/04/13 14:46, Sam Wilson wrote:
> > In article , Phil Mayers wrote:
> >
> > > Sam Wilson wrote:
> > >
> > > > [adding an A record for ed.ac.uk.]
> > >
> > > If your AD realm is also called ed.ac.uk then adding an A
> > > record will definitely affect things.
> >
> > Which is exactly the opposite of what our AD guys said, but not
> > with such great conviction. :-)
>
> Off the top of my head the two most recent issues we've had.
>
> 1. If you don't have a domain controller A record at your AD realm
> name, you'll experience sporadic timeouts and slowness if you ever
> want to roll out DFS, particularly if your domain members include
> non-Microsoft clients such as Macs
>
> 2. If you put something else at that place, you'll see SMB
> connection attempts and if they fail but port 80 is open, you'll
> see Windows trying to do WebDAV requests (!) to it.
>
> Both these and other issues make me wish we'd chosen a sub-domain
> for our AD realm when we migrated from NT4. But we had no way of
> knowing at the time :o(

It would seem to me there is some other way around this, either by redirecting traffic to the AD servers or some careful combination of local host names or something else. In our case, the domain itself has barely any activity (and no client activity) and we can just lie to the AD servers and use them as the bare domain name.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Simple question about zone and CNAME
In message <5162e2a1.7000...@att.net>, "Barry S. Finkel" writes:

> On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
> > In article , Phil Mayers wrote:
> >
> > > Sam Wilson wrote:
> > >
> > > > [adding an A record for ed.ac.uk.]
> > >
> > > If your AD realm is also called ed.ac.uk then adding an A record will
> > > definitely affect things.
> >
> > Which is exactly the opposite of what our AD guys said, but not with
> > such great conviction. :-)
> >
> > Sam
>
> AD clients, if they do not know about SRV records for finding the
> LDAP servers, will use the "A" records for the AD domain to locate
> the Domain Controllers. Where I used to work we did not segregate
> AD, so internally, example.com pointed to the Domain Controllers.
> Externally, example.com had no IP address because the DCs were not
> accessible from the external Internet. When we had the DC addresses
> externally, then AD clients would see the addresses, try to
> authenticate to the AD, experience timeouts, and get frustrated.

Do the AD clients do the correct thing with the "no service offered" SRV record (e.g. "SRV 0 0 0 .")? It is designed to stop fallback to A/ records when the service is explicitly not there.

RFC 2782

    A Target of "." means that the service is decidedly not available at this domain.

If they do there should be no confusion with the use of address records between AD and HTTP/HTTPS.

> Without an external address, AD clients do not try to access the DCs.
> The drawback is that we can not have example.com externally have the
> same address as www.example.com to aid browser users.
>
> --Barry Finkel

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
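The RFC 2782 client rule quoted in the message above, as an added example that is not part of the original thread: a Python sketch of how a client following the RFC decides between using SRV targets, aborting on a "." target, and falling back to address records. The record sets, host names and addresses are constructed, and the code makes no claim about what Active Directory clients actually do, which is the question the message leaves open.

```python
import random

# Added illustration of the RFC 2782 usage rules. All records are constructed.
# An SRV record is modelled as a (priority, weight, port, target) tuple.


def locate(srv_rrs, fallback_addresses, rng=random):
    """Return (decision, endpoints) for a service lookup at a domain.

    decision is 'fallback' (no SRV RRset, use the address records at the name),
    'abort' (single SRV with target "."), or 'srv' (ordered (target, port) list).
    """
    if not srv_rrs:
        return "fallback", list(fallback_addresses)
    if len(srv_rrs) == 1 and srv_rrs[0][3] == ".":
        # Service explicitly not offered: do not try the address records.
        return "abort", []
    ordered = []
    for priority in sorted({rr[0] for rr in srv_rrs}):      # lowest priority first
        group = sorted((rr for rr in srv_rrs if rr[0] == priority),
                       key=lambda rr: rr[1])                  # weight 0 first
        while group:
            pick = rng.randint(0, sum(rr[1] for rr in group))
            running = 0
            for index, rr in enumerate(group):
                running += rr[1]
                if running >= pick:                           # weighted selection
                    ordered.append((rr[3], rr[2]))
                    del group[index]
                    break
    return "srv", ordered


# Constructed views of _ldap._tcp.example.com and of example.com itself.
WEB_SERVER = ["192.0.2.80"]                                   # A record used for HTTP
INTERNAL_SRV = [(0, 100, 389, "dc1.example.com."),
                (0, 100, 389, "dc2.example.com."),
                (10, 0, 389, "dc3.example.com.")]
EXTERNAL_SRV_DOT = [(0, 0, 0, ".")]

if __name__ == "__main__":
    print(locate(INTERNAL_SRV, WEB_SERVER))      # domain controllers, dc3 last
    print(locate(EXTERNAL_SRV_DOT, WEB_SERVER))  # abort: web server never contacted
    print(locate([], WEB_SERVER))                # fallback: LDAP attempt hits web server
```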
Re: Simple question about zone and CNAME
On 2013-04-08 11:10, Novosielski, Ryan wrote:

> It would seem to me there is some other way around this, either by
> redirecting traffic to the AD servers or some careful combination of
> local host names or something else. In our case, the domain itself has
> barely any activity (and no client activity) and we can just lie to the
> AD servers and use them as the bare domain name.

It's just just the servers though, it's any client that needs to access Active Directory resources that might potentially hit the web server when it's looking for your AD environment.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Simple question about zone and CNAME
On 04/08/2013 06:54 AM, Sam Wilson wrote:

> In article , Doug Barton wrote:
>
> > On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
> >
> > | It is funny you should mention that... my questions about using views
> > | to create a situation where one single record is different happens to
> > | be exactly for this reason. The Active Directory administrators were
> > | saying that not having umdnj.edu point to an Active Directory server
> > | was bothering the AD servers in some fashion. The solution we're going
> > | to test is telling the AD servers that umdnj.edu are them, but telling
> > | everyone else on the planet that it's www. We think this will do it,
> > | but haven't tested yet.
> >
> > Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu.
> > AD DNS is only really happy when it runs the whole show for its "home"
> > domain. It's possible to do otherwise, but really painful and fragile.
>
> We've been running our main domain with the underscore domains delegated
> to AD for well over a decade and it's been neither painful nor fragile,

You apparently missed the context of the response. :) I didn't say "impossible," and I've set it up the way you describe in the past. But it assumes both an initial and ongoing level of clue that is not always available. Whereas, "put all the AD stuff in its own subdomain" is both pain-less, and has other advantages.

Doug
Re: Simple question about zone and CNAME
On 04/08/2013 06:42 AM, Sam Wilson wrote:

> In article , wbr...@e1b.org wrote:
>
> > > > Incidentally, we have just been asked for an A record for cam.ac.uk to
> > > > duplicate www.cam.ac.uk because, and I quote, "all the publicity material
> > > > sent out by the nominator [for an award for the web site] gave the URL
> > > > as http://cam.ac.uk/ and this has been retweeted around".
> > >
> > > Yes, sadly I've lost that technical battle with marketing several places
> > > now.
> >
> > And then there's these folks:
> >
> > http://no-www.org/
>
> Is co-opting high-level name space for a single protocol a modern-day
> landgrab?

Is holding on to the antiquated notion that every protocol needs a unique hostname charmingly anachronistic, or just plain obstructionist? (See what I did there?)

For bonus points, list the number of services running on your typical server configuration, and then tell us how many of them have their own hostnames. Start with dns, ssh, and ntp. Then describe how you differentiate your SSL web service from your plain text version. Bonus points if you're running ipp, nfs, or kerberos with their own unique hostnames on the same system.

The point being that the world moved on, and putting websites on hostnames that don't start with www. is the common case now. Can we save our energy for something more productive?

Doug