DNS resolution problem

Kevin Oberman rkoberman at gmail.com
Sun Dec 14 01:44:01 UTC 2014


On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim <gondim at bsdinfo.com.br>
wrote:

> Dear,
>
> I'm having trouble resolving domain name freebsd.org. The portsnap server
> works correctly but the pkg audit -F does not work and can not even access
> the site according to the following tests:
>
> # host ec2-sa-east-1.portsnap.freebsd.org
> ec2-sa-east-1.portsnap.freebsd.org has address 177.71.188.240
>
> # host vuxml.freebsd.org
> Host vuxml.freebsd.org not found: 3(NXDOMAIN)
>
> # host -a freebsd.org
> Trying "freebsd.org"
> Trying "freebsd.org.intnet.com.br"
> Host freebsd.org not found: 3(NXDOMAIN)
> Received 86 bytes from ::1#53 in 0 ms
>
> # host www.freebsd.org
> ;; connection timed out; no servers could be reached
>
> Only the first address I'm having name resolution (ec2-sa-east-1.portsnap.
> freebsd.org).
>
> My block IP: 186.193.48.0/20
>
> One could check for any restrictions on our IP block?
>
> I think a bit of DNS debugging is in order.

I could resolve all of the nodes you listed, but there are some potential
issues I see. First, when looking up a hostname with host(1), always
terminate the name:
> host -a freebsd.org.
Trying "freebsd.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;freebsd.org.            IN    TYPE255

;; ANSWER SECTION:
freebsd.org.        534    IN    AAAA    2001:1900:2254:206a::50:0
freebsd.org.        534    IN    MX    10 mx1.freebsd.org.
freebsd.org.        534    IN    A    8.8.178.110

But "ANY" queries are fuzzy things at best as the first resolver you hit
will just return whatever is cached and not try getting an authoritative
response.

www.freebsd.org and vuxml.freebsd.org are CNAME entries pointing to the
same place, 8.8.178.110. This is in FreeBSD's own address space from Yahoo
and is probably in the mail FreeBSD cluster. I was a bit surprised to find
that it is an Amazon AWS address, so the portsnap files are actually coming
from a totally different place.

DNS is provided by ISC-SNS: 72.52.71.1, 38.103.2.1 and 63.243.194.1. Try
pinging these. Since BIND, the second oldest and most popular DNS server, is
written and supported by ISC, I would think that it is well run. Try
pinging and tracing to these addresses. All of them are in very dispersed
locations on different provider backbones (Cogent, Hurricane Electric, and
ISC, itself). You might try directing queries to each system to see if one
fails when others succeed. Use "dig @server-addr host".
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
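
The per-server check suggested in the message above, as an added example that is not part of the original e-mail: it queries each of the three listed name servers directly and reports the response status or a timeout. The function names (fqdn, classify, check_servers) are made up for this sketch, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example: constructed helper, not from the original message.
# Name servers for freebsd.org as listed in the message above.
SERVERS="72.52.71.1 38.103.2.1 63.243.194.1"

# Append the root dot so the resolver search list is never applied
# (avoids lookups such as "freebsd.org.intnet.com.br").
fqdn() {
    case "$1" in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# Read dig output on stdin and print its status (NOERROR, NXDOMAIN, ...),
# or TIMEOUT when no response header was received at all.
classify() {
    status=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${status:-TIMEOUT}"
}

# Query every server directly, without recursion, one line per server.
# A single short try keeps an unreachable server from stalling the run.
check_servers() {
    name=$(fqdn "$1")
    for s in $SERVERS; do
        result=$(dig +norecurse +time=2 +tries=1 "@$s" "$name" A | classify)
        printf '%-14s %s %s\n' "$s" "$name" "$result"
    done
}

# Run only when a hostname is given, e.g.: sh check.sh vuxml.freebsd.org
if [ "$#" -gt 0 ]; then
    check_servers "$1"
fi
```

A server that shows TIMEOUT while the others show NOERROR points at a path or filtering problem toward that server rather than at the zone data.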

