Re: Failing DNS Server Diagnostic Help Requested

2022-01-15 Thread Matus UHLAR - fantomas
On 13.01.22 14:29, Tim Daneliuk via bind-users wrote: Environment: Master/Slave with Split Horizon both on FreeBSD-STABLE Bind 9.16.24_1 Master out in a cloud server Slave on a physical server with a static IP on Comcast Business Problem: After years of s

Failing DNS Server Diagnostic Help Requested

2022-01-13 Thread Tim Daneliuk via bind-users
Environment: Master/Slave with Split Horizon both on FreeBSD-STABLE Bind 9.16.24_1 Master out in a cloud server Slave on a physical server with a static IP on Comcast Business Problem: After years of stable behavior, Slave intermittently not resolving

Re: Diagnostic help part 2

2014-10-03 Thread Mike Hoskins (michoski)
-Original Message- From: Dave Sparro Date: Friday, October 3, 2014 at 1:04 PM To: "bind-users@lists.isc.org" Subject: Re: Diagnostic help part 2 >On 10/1/2014 3:45 PM, Tony Finch wrote: >> (Sorry for straying off topic. I have less experience of Cisco PIX/ASA >

Re: Diagnostic help part 2

2014-10-03 Thread Dave Sparro
On 10/1/2014 3:45 PM, Tony Finch wrote: (Sorry for straying off topic. I have less experience of Cisco PIX/ASA breaking DNS than of them breaking SMTP.) I can't resist either.. I specifically remember a PIX that bit me by "helpfully" changing the payload of an axfr so that the A records that tr

Re: Diagnostic help part 2

2014-10-01 Thread Anders Löwinger
On 2014-10-02 01:03, Mark Andrews wrote: > TCP has always been required for DNS except in very special > circumstances. Go read RFC 1123. Go look at the definition of > SHOULD. Unless you really knew what you were doing TCP as always > been expected to be ON. Some people refuse to enable stuff

Re: Diagnostic help part 2

2014-10-01 Thread Bill Christensen
Thanks! That cleared up a number of problems. Now to tackle some of the others... On 10/1/14, 2:51 PM, John Anderson wrote: If you would be so kind as to run the nmap test again from your location and let >me know if you're seeing the correct - or at least *more* correct answers, I'd >apprec

Re: Diagnostic help part 2

2014-10-01 Thread Mark Andrews
In message <5D9044356DCF9341A7D1CDAE12FC601C2976D2A5@exch10-mb2.ccbill-hq.local>, John Anderson writes: > >If you would be so kind as to run the nmap test again from your location and > let >me know if you're seeing the correct - or at least *more* correct answers, I'd >appreciate it. > > Bi

RE: Diagnostic help part 2

2014-10-01 Thread John Anderson
>If you would be so kind as to run the nmap test again from your location and >let >me know if you're seeing the correct - or at least *more* correct >answers, I'd >appreciate it. Bill, It looks good now. Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-01 12:47 MST Nmap scan report for www3.

Re: Diagnostic help part 2

2014-10-01 Thread Tony Finch
Mike Hoskins (michoski) wrote: > > This isn't even specific to DNS...for example, there was a time when just > "turning on what sounds good" for cisco, netscreen and even checkpoint > would break other things like ESMTP. You mean Cisco have fixed the grossly damaging bugs in the PIX/ASA applicati

Re: Diagnostic help part 2

2014-10-01 Thread Mike Hoskins (michoski)
-Original Message- From: Doug Barton Date: Wednesday, October 1, 2014 at 2:07 PM To: "bind-users@lists.isc.org" Subject: Re: Diagnostic help part 2 >On 10/1/14 8:17 AM, Barry Margolin wrote: >> In article , >> Eli Heady wrote: >> >>> W

Re: Diagnostic help part 2

2014-10-01 Thread Doug Barton
On 10/1/14 8:17 AM, Barry Margolin wrote: In article , Eli Heady wrote: With response sizes growing (dnssec, ipv6), answers are more likely to be too large for UDP. That's unlikely. That's why EDNS was created, so that these large answers wouldn't require TCP. ... and more than a decade

Re: Diagnostic help part 2

2014-10-01 Thread Barry Margolin
In article , Eli Heady wrote: > With response sizes growing (dnssec, ipv6), answers are more likely to be > too large for UDP. That's unlikely. That's why EDNS was created, so that these large answers wouldn't require TCP. -- Barry Margolin Arlington, MA _

RE: Diagnostic help part 2

2014-09-30 Thread Eli Heady
On Sep 30, 2014 7:11 PM, "John Anderson" @ ccbill.com > wrote: > > >If named is running and doesn't respond on the external interface, it's > >possible that your listen-on {}; directive is set to only localhost. > > >TCP connections to 205.238.182.102 come back "Connection refused", so > >it's poss

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen
On 9/30/14, 5:52 PM, Rich Goodson wrote: If named is running and doesn't respond on the external interface, it's possible that your listen-on {}; directive is set to only localhost. You may have hit on hit there. It was set to listen-on { 127.0.0.1; }; I just changed that to: listen-o

RE: Diagnostic help part 2

2014-09-30 Thread John Anderson
>If named is running and doesn't respond on the external interface, it's >possible that your listen-on {}; directive is set to only localhost. >TCP connections to 205.238.182.102 come back "Connection refused", so >it's possible that BIND just isn't listening on the interface or perhaps >you're

Re: Diagnostic help part 2

2014-09-30 Thread Rich Goodson
If named is running and doesn’t respond on the external interface, it’s possible that your listen-on {}; directive is set to only localhost. TCP connections to 205.238.182.102 come back “Connection refused”, so it’s possible that BIND just isn’t listening on the interface or perhaps you’re filt

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen
On 9/30/14, 4:15 PM, Charles Swiger wrote: Hi-- On Sep 30, 2014, at 1:59 PM, Bill Christensen <billc_li...@greenbuilder.com> wrote: Fair enough. Africabound.org SustainableSources.com The se

Re: Diagnostic help part 2

2014-09-30 Thread Charles Swiger
Hi-- On Sep 30, 2014, at 1:59 PM, Bill Christensen wrote: > Fair enough. > > Africabound.org > SustainableSources.com > > The server that's giving problems is ns1.sustainablesources.com > 205.238.182.102 Your 102 box doesn't seem responding to 53/udp or 53/tcp from the outside: http://w

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen
Fair enough. Africabound.org SustainableSources.com The server that's giving problems is ns1.sustainablesources.com 205.238.182.102 (yes, I'm aware of intermittent problems with ns3 as well. That one's not under my control,

Re: Diagnostic help part 2

2014-09-30 Thread Doug Barton
On 9/30/14 12:18 PM, Bill Christensen wrote: Ok, since I theoretically have the allow-query correct I need to move on to what else may be wrong. When I test with http://www.intodns.com/ or other online tools, I'm getting " ERROR: One or more of your nameservers did not respond" (the IP is the s

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen
Ok, since I theoretically have the allow-query correct I need to move on to what else may be wrong. When I test with http://www.intodns.com/ or other online tools, I'm getting " ERROR: One or more of your nameservers did not respond" (the IP is the server in question) BIND 9.10.1 *appears

Re: Diagnostic help

2014-09-30 Thread Matus UHLAR - fantomas
On 29.09.14 20:58, Ben Croswell wrote: The default for allow query is local host local nets. Basically the server itself and directly connected networks no, that is the default for allow_recursion (and allow_query_cache). the default for allow_query is all. On Sep 29, 2014 8:03 PM, "Bill Chr

Re: Diagnostic help

2014-09-29 Thread Bill Christensen
So if my server is authoritative for MyDomain.com, should Joe Sixpak be able to resolve it via whatever DNS he's using, as mine is currently set up? Do I need to change it to |allow-query { any; };| in order to allow that to happen? Will my restriction on recursion keep the riffraff t

Re: Diagnostic help

2014-09-29 Thread Ben Croswell
The default for allow query is local host local nets. Basically the server itself and directly connected networks On Sep 29, 2014 8:03 PM, "Bill Christensen" wrote: > Hi folks, > > Something got sideways on one of my DNS servers, and I would appreciate > some help in figuring out what's going o

Diagnostic help

2014-09-29 Thread Bill Christensen
Hi folks, Something got sideways on one of my DNS servers, and I would appreciate some help in figuring out what's going on. I'm running BIND 9.10.1. This server is authoritative master for a number of domains. First off, I may have the allow-query set incorrectly. Currently I have: acl