Query CNAME failed


Query CNAME failed

Bind-Users forum mailing list
Hi Bind Users,

I have currently drained my brain troubleshooting what could be the cause of my issue on one of our authoritative DNS servers.
When querying a CNAME directly against the server, where the CNAME points to an external domain, the query fails with a timeout error and no servers could be reached.

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> book.cebupacificair.com @dns1.globenet.com.ph
;; global options: +cmd
;; connection timed out; no servers could be reached


The server logs show 3 query log entries and then a query failed (timed out):

client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9a4484080 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9a4481cb0 x.x.x.x#51579 (book.cebupacificair.com): query: book.cebupacificair.com IN A +E(0) (203.177.255.10)
client @0x7fd9ac0908d0 x.x.x.x#51579 (book.cebupacificair.com): query failed (timed out) for book.cebupacificair.com/IN/A at query.c:6786

But when I send a query with the +norecurse option, the result is successful.

dig +norecurse book.cebupacificair.com @dns1.globenet.com.ph

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +norecurse book.cebupacificair.com @dns1.globenet.com.ph
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19755
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;book.cebupacificair.com.       IN      A

;; ANSWER SECTION:
book.cebupacificair.com. 1200   IN      CNAME   book.cebupacair.cust.lldns.net.

;; AUTHORITY SECTION:
lldns.net.              171335  IN      NS      ns1.lldns.net.
lldns.net.              171335  IN      NS      ns2.lldns.net.

;; ADDITIONAL SECTION:
ns1.lldns.net.          149880  IN      A       208.111.184.11
ns2.lldns.net.          93416   IN      A       208.111.184.12
ns1.lldns.net.          93416   IN      AAAA    2607:f4e8:ac:1::11
ns2.lldns.net.          93416   IN      AAAA    2607:f4e8:ac:1::12

;; Query time: 1 msec
;; SERVER: 203.177.255.10#53(203.177.255.10)
;; WHEN: Wed Jul 03 03:36:21 EDT 2019
;; MSG SIZE  rcvd: 229


These are the named.conf options:

options {
        directory "/var/namedb";
        version "Query Not Allowed.";
        allow-recursion { globenet; };
        recursive-clients 1000000;
        allow-query-cache { globenet; };
        allow-query { any; };
        tcp-clients 5000;

        blackhole { bogusnet; };

        pid-file "/var/local/bind/var/run/named.pid";
        zone-statistics yes;
        statistics-file "/var/namedb/named.stats";
};


The BIND version is 9.14.2.

The "globenet" group is the list of IPs we allow for recursion. This issue happens only on CNAME records that point to an external domain.

Thank you in advance.

Regards,
Wil Sarmiento



This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Query CNAME failed

Mark Andrews
Try just diagnosing why the lookup of book.cebupacair.cust.lldns.net and/or cebupacair-dd.lldns.net, which are the targets in the CNAME chain, is failing.  You know the lookup of book.cebupacificair.com returns a CNAME record, so the next step is a lookup of book.cebupacificair.com and book.cebupacificair.com/CNAME.

; <<>> DiG 9.15.1 <<>> book.cebupacair.cust.lldns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5908
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cbdd8bcfcc962e6a9e1b6a5e5d1c63554cdb8ed4c7c121da (good)
;; QUESTION SECTION:
;book.cebupacair.cust.lldns.net. IN A

;; ANSWER SECTION:
book.cebupacair.cust.lldns.net. 300 IN CNAME cebupacair-dd.lldns.net.
cebupacair-dd.lldns.net. 60 IN A 68.142.70.27
cebupacair-dd.lldns.net. 60 IN A 68.142.68.27

Mark

> On 3 Jul 2019, at 5:48 pm, Wilfred Sarmiento via bind-users <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
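
The check suggested in the reply above, following the CNAME chain one hop at a time, written as an added example (not code from the thread or from BIND). It parses the answer records shown in the two dig outputs and marks which targets lie outside the zone the server answered with the aa flag; the value cebupacificair.com. passed as local_zone and the labels "local" / "needs recursion" are assumptions of this example.

```python
import re

# Answer-section records copied from the two dig outputs in this thread.
DIG_ANSWERS = """\
book.cebupacificair.com. 1200   IN      CNAME   book.cebupacair.cust.lldns.net.
book.cebupacair.cust.lldns.net. 300 IN CNAME cebupacair-dd.lldns.net.
cebupacair-dd.lldns.net. 60 IN A 68.142.70.27
cebupacair-dd.lldns.net. 60 IN A 68.142.68.27
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_rrs(text):
    """Parse dig presentation-format lines into (owner, ttl, type, rdata)."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith(";") else RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return rrs


def in_zone(name, zone):
    """True if name is at or below zone (both fully qualified, lower case)."""
    return name == zone or name.endswith("." + zone)


def walk_chain(qname, rrs, local_zone, max_hops=8):
    """Follow CNAMEs from qname. Each hop is tagged by whether its target can
    be answered from local zone data or has to be resolved by recursion."""
    cnames = {o: r for o, _, t, r in rrs if t == "CNAME"}
    hops, seen, name = [], set(), qname.lower()
    while name in cnames:
        if name in seen or len(hops) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        target = cnames[name]
        where = "local" if in_zone(target, local_zone) else "needs recursion"
        hops.append((name, target, where))
        name = target
    addrs = sorted(r for o, _, t, r in rrs if o == name and t in ("A", "AAAA"))
    return hops, name, addrs


if __name__ == "__main__":
    zone = "cebupacificair.com."  # assumption: zone served with the aa flag
    for hop in walk_chain("book." + zone, parse_rrs(DIG_ANSWERS), zone)[0]:
        print(" -> ".join(hop[:2]), "[" + hop[2] + "]")
```

Every hop tagged "needs recursion" is a name to query on its own from the server, with and without +norecurse, to see which lookup is the one that times out.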


Query CNAME failed

Bind-Users forum mailing list
Hi Mark,

It also happens to all domain records with a CNAME on an external domain. It doesn't only happen in the cebupacificair.com domain.
Also, I notice the issue happens an hour after a server reboot. During the 1st hour after reboot, the issue didn't happen. So I am thinking this might be a session limit?

Wil 


On Wed, Jul 3, 2019 at 4:19 PM Mark Andrews <[hidden email]> wrote:



Query CNAME failed

Bind-Users forum mailing list
Hi Mark,

Another finding I got on the server is that it intermittently cannot resolve an external domain.
Any more ideas as to what I should be checking here?

Thank you, 
Wil
