HELP - Domain resolution failed


Filho Arrais
Hello,

We are running BIND 9.10.3-P4-Ubuntu on Ubuntu 16.04.2 LTS, and we face a recurring problem: every 3 or 4 hours BIND does not resolve the icap-to.com.br domain.

After restarting the BIND service, it resolves the host. Could someone give me some help? I could not find out whether the problem is in the settings.

The server in question is a public recursive DNS. Below are the settings.

named.conf.options

options {
        directory "/var/cache/bind";
        version "XXXX";
        recursive-clients 14000;
        tcp-clients 3000;
        zone-statistics yes;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { none; };
        allow-query     { any; };
        allow-query-cache { any; };
        allow-recursion  { any;};
        recursion yes;
        minimal-responses no;
        dnssec-enable no;
        dnssec-validation no;
        auth-nxdomain no;
        query-source address XXX.XX.XXX.XXX;
        max-cache-size 512M;
        clients-per-query 0;
        max-clients-per-query 0;
};

server 0.0.0.0/0 {
    edns no;
};


root@recursivo-a:~# dig icap-to.com.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32316
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;icap-to.com.br.                        IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 18 10:41:59 BRT 2017
;; MSG SIZE  rcvd: 43

root@recursivo-a:~# /etc/init.d/bind9 restart
[ ok ] Restarting bind9 (via systemctl): bind9.service.


root@recursivo-a:~# dig icap-to.com.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65065
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;icap-to.com.br.                        IN      A

;; ANSWER SECTION:
icap-to.com.br.         14400   IN      A       192.185.216.81

;; AUTHORITY SECTION:
icap-to.com.br.         86400   IN      NS      ns2.desenvolvesistemas.com.
icap-to.com.br.         86400   IN      NS      ns1.desenvolvesistemas.com.

;; Query time: 355 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 18 10:42:17 BRT 2017
;; MSG SIZE  rcvd: 117


-- 

Regards,

Filho Arrais

Information Technology Analyst

MBA in Information Technology Management



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: HELP - Domain resolution failed

Mukund Sivaraman
> root@recursivo-a:~# dig icap-to.com.br
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32316
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;icap-to.com.br.                        IN      A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jul 18 10:41:59 BRT 2017
> ;; MSG SIZE  rcvd: 43

> root@recursivo-a:~# /etc/init.d/bind9 restart
> [ ok ] Restarting bind9 (via systemctl): bind9.service.
>
>
> root@recursivo-a:~# dig icap-to.com.br
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> icap-to.com.br
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65065
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;icap-to.com.br.                        IN      A
>
> ;; ANSWER SECTION:
> icap-to.com.br.         14400   IN      A       192.185.216.81

Notice that the TTL of the address record is 14400, which is 4 hours.

> ;; AUTHORITY SECTION:
> icap-to.com.br.         86400   IN      NS      ns2.desenvolvesistemas.com.
> icap-to.com.br.         86400   IN      NS      ns1.desenvolvesistemas.com.

The nameservers in the NS records in the zone do not exist, so when BIND
goes to refetch the answer after TTL expiry, it doesn't find the
nameservers and fails.

For the original resolution, the parent nameserver returns:

[muks@jurassic bind9]$ bin/dig @d.dns.br icap-to.com.br.

; <<>> DiG 9.12.0-pre-alpha <<>> @d.dns.br icap-to.com.br.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33669
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;icap-to.com.br. IN A

;; AUTHORITY SECTION:
icap-to.com.br. 86400 IN NS ns84.prodns.com.br.
icap-to.com.br. 86400 IN NS ns85.prodns.com.br.

;; Query time: 312 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Tue Jul 18 20:04:24 IST 2017
;; MSG SIZE  rcvd: 88

[muks@jurassic bind9]$

Tip: When you have failures with resolution, turn up named logging level
and check the logged messages.

                Mukund
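
The comparison the reply makes by hand, written out as an added example (not part of the original thread): parse the NS set from the parent's referral and from the zone's own response, then flag child-side nameserver names that do not resolve. The record lines are copied from the dig output above; `audit_delegation`, `sample_resolves` and the resolvability stub are assumptions made for illustration.

```python
import re

# Sample input: record lines copied from the dig output quoted in the thread.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
icap-to.com.br. 86400 IN NS ns84.prodns.com.br.
icap-to.com.br. 86400 IN NS ns85.prodns.com.br.
"""
CHILD_RESPONSE = """\
;; ANSWER SECTION:
icap-to.com.br.         14400   IN      A       192.185.216.81
;; AUTHORITY SECTION:
icap-to.com.br.         86400   IN      NS      ns2.desenvolvesistemas.com.
icap-to.com.br.         86400   IN      NS      ns1.desenvolvesistemas.com.
"""

# owner, TTL, class IN, type, rdata; dig comment lines start with ';' and are skipped
RR = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_rrs(dig_text):
    """Return (owner, ttl, type, rdata) tuples from dig's record lines."""
    rrs = []
    for line in dig_text.splitlines():
        m = RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return rrs

def ns_set(rrs, zone):
    return {rdata for owner, _, rtype, rdata in rrs if owner == zone and rtype == "NS"}

def audit_delegation(zone, parent_text, child_text, resolves):
    """Compare parent and child NS sets; resolves(name) -> bool is caller-supplied."""
    parent = ns_set(parse_rrs(parent_text), zone)
    child_rrs = parse_rrs(child_text)
    child = ns_set(child_rrs, zone)
    a_ttls = [ttl for owner, ttl, rtype, _ in child_rrs if owner == zone and rtype == "A"]
    return {
        "parent_only": sorted(parent - child),   # delegated, but not listed by the zone
        "child_only": sorted(child - parent),    # listed by the zone, not delegated
        "dead_child_ns": sorted(n for n in child if not resolves(n)),
        "answer_ttl": min(a_ttls) if a_ttls else None,
    }

# Assumption for the demo: per the reply, the child-side NS names do not exist.
def sample_resolves(name):
    return name.endswith(".prodns.com.br.")

REPORT = audit_delegation("icap-to.com.br.", PARENT_REFERRAL, CHILD_RESPONSE, sample_resolves)
print(REPORT)
```

In real use, `resolves` would wrap an actual lookup of each NS name. A non-empty `dead_child_ns` together with an `answer_ttl` of 14400 seconds lines up with the failure recurring about every 4 hours.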