DNS resolution problem
Marcelo Gondim
gondim at bsdinfo.com.br
Tue Dec 16 12:47:49 UTC 2014
On 16/12/2014 02:25, Kevin Oberman wrote:
> On Mon, Dec 15, 2014 at 10:02 AM, Marcelo Gondim
> <gondim at bsdinfo.com.br <mailto:gondim at bsdinfo.com.br>> wrote:
>
> Hi Kevin,
>
> On 13/12/2014 23:44, Kevin Oberman wrote:
>
> On Sat, Dec 13, 2014 at 4:26 AM, Marcelo Gondim
> <gondim at bsdinfo.com.br <mailto:gondim at bsdinfo.com.br>>
> wrote:
>
> Dear,
>
> I'm having trouble resolving domain name freebsd.org
> <http://freebsd.org>. The portsnap server
> works correctly but the pkg audit -F does not work and can
> not even access
> the site according to the following tests:
>
> # host ec2-sa-east-1.portsnap.freebsd.org
> <http://ec2-sa-east-1.portsnap.freebsd.org>
> ec2-sa-east-1.portsnap.freebsd.org
> <http://ec2-sa-east-1.portsnap.freebsd.org> has address
> 177.71.188.240
>
> # host vuxml.freebsd.org <http://vuxml.freebsd.org>
> Host vuxml.freebsd.org <http://vuxml.freebsd.org> not
> found: 3(NXDOMAIN)
>
> # host -a freebsd.org <http://freebsd.org>
> Trying "freebsd.org <http://freebsd.org>"
> Trying "freebsd.org.intnet.com.br
> <http://freebsd.org.intnet.com.br>"
> Host freebsd.org <http://freebsd.org> not found: 3(NXDOMAIN)
> Received 86 bytes from ::1#53 in 0 ms
>
> # host www.freebsd.org <http://www.freebsd.org>
> ;; connection timed out; no servers could be reached
>
> Only the first address I'm having name resolution
> (ec2-sa-east-1.portsnap.
> freebsd.org <http://freebsd.org>).
>
> My block IP: 186.193.48.0/20 <http://186.193.48.0/20>
>
> One could check for any restrictions on our IP block?
>
> I think a bit of DNS debugging is in order.
>
> I could resolve all of the nodes you listed, but there are
> some potential
> issues I see. First, when looking up hostname with host(1),
> always
> terminate the name:
>
> host -a freebsd.org <http://freebsd.org>.
>
> Trying "freebsd.org <http://freebsd.org>"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24171
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0,
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;freebsd.org <http://freebsd.org>. IN TYPE255
>
> ;; ANSWER SECTION:
> freebsd.org <http://freebsd.org>. 534 IN AAAA
> 2001:1900:2254:206a::50:0
> freebsd.org <http://freebsd.org>. 534 IN MX 10
> mx1.freebsd.org <http://mx1.freebsd.org>.
> freebsd.org <http://freebsd.org>. 534 IN A
> 8.8.178.110
>
> But "ANY" queries are fuzzy things at best as the first
> resolver you hit
> will just return whatever is cached and not try getting an
> authoritative
> response.
>
> www.freebsd.org <http://www.freebsd.org> and vuxml.freebsd.org
> <http://vuxml.freebsd.org> are CNAME entries pointing to the
> same place, 8.8.178.110. This is in FreeBSD's own address
> space from Yahoo
> nd is probably in the mail FreeBSD cluster. I was a bit
> surprised to find
> that is is an Amazon AWS address, so the portsnap files are
> actually coming
> from a totally different place.
>
> DNS is provided by ISC-SNS. 72.52.71.1, 38.103.2.1 and
> 63.243.194.1. Try
> pinging these. Since BIND, the second oldest and most popular
> DNS server is
> written and supported by ISA, I would think that it is well
> run. Try
> pinging and tracing to these addresses. All of them are in
> very dispersed
> locations on different provider backbones. (Cogent, Hurricane
> Electric, and
> ISC, itself. You might try directing queries to each system to
> see if one
> fails when other succeed. Use "dig @servr-addr host".
>
> Other tests:
>
> # ping -c 5 NS1.ISC-SNS.NET <http://NS1.ISC-SNS.NET>
> PING ns1.isc-sns.net <http://ns1.isc-sns.net> (72.52.71.1): 56
> data bytes
> 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=0 ttl=56
> time=144.327 ms
> 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=1 ttl=56
> time=145.445 ms
> 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=2 ttl=56
> time=144.999 ms
> 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=3 ttl=56
> time=146.775 ms
> 64 bytes from 72.52.71.1 <http://72.52.71.1>: icmp_seq=4 ttl=56
> time=145.207 ms
>
> --- ns1.isc-sns.net <http://ns1.isc-sns.net> ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 144.327/145.351/146.775/0.804 ms
>
> # ping -c 5 NS2.ISC-SNS.COM <http://NS2.ISC-SNS.COM>
> PING ns2.isc-sns.com <http://ns2.isc-sns.com> (38.103.2.1): 56
> data bytes
> 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=0 ttl=54
> time=133.839 ms
> 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=1 ttl=54
> time=133.831 ms
> 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=2 ttl=54
> time=133.972 ms
> 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=3 ttl=54
> time=133.957 ms
> 64 bytes from 38.103.2.1 <http://38.103.2.1>: icmp_seq=4 ttl=54
> time=133.851 ms
>
> --- ns2.isc-sns.com <http://ns2.isc-sns.com> ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 133.831/133.890/133.972/0.061 ms
>
> # ping -c 5 NS3.ISC-SNS.INFO <http://NS3.ISC-SNS.INFO>
> PING ns3.isc-sns.info <http://ns3.isc-sns.info> (63.243.194.1): 56
> data bytes
> 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=0
> ttl=59 time=185.755 ms
> 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=1
> ttl=59 time=185.790 ms
> 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=2
> ttl=59 time=185.866 ms
> 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=3
> ttl=59 time=185.931 ms
> 64 bytes from 63.243.194.1 <http://63.243.194.1>: icmp_seq=4
> ttl=59 time=185.988 ms
>
> --- ns3.isc-sns.info <http://ns3.isc-sns.info> ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 185.755/185.866/185.988/0.086 ms
>
> # host -a freebsd.org <http://freebsd.org> 72.52.71.1
> Trying "freebsd.org <http://freebsd.org>"
> ;; Truncated, retrying in TCP mode.
> Using domain server:
> Name: 72.52.71.1
> Address: 72.52.71.1#53
> Aliases:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15306
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 7
>
> ;; QUESTION SECTION:
> ;freebsd.org <http://freebsd.org>. IN TYPE255
>
> ;; ANSWER SECTION:
> freebsd.org <http://freebsd.org>. 3600 IN SOA
> ns0.freebsd.org <http://ns0.freebsd.org>. hostmaster.freebsd.org
> <http://hostmaster.freebsd.org>. 2014121517 <tel:2014121517> 3600
> 900 604800 600
> freebsd.org <http://freebsd.org>. 3600 IN RRSIG
> SOA 8 2 3600 20141229134836 20141215162412 22689 freebsd.org
> <http://freebsd.org>.
> Li3FZ22mk+j4FbIRp7rQD/QS/m3UCFvMDqdUfdLBOPEpOiCTLue+5xFhtr6mLwJ6mYzbsATM3rHN/O+B1VF3VzytnOOYh0QvoqpjxwGcUWNAkAlOCFDrqaS5wp9PfWOBJ+1q+xbkgC/iwBmasqb06G1WpcvpRq9kYoZUum8RxAGuTQIYNhoDxUjU5r6yiTvWy3sCmpu02F846BcJ6+LBKhsd8OuOJYplYhjFOfszl8uQmUtyCxCDm9udsWHbNyVMPU/DeVPKSlBS5md1l07GcG2QDepH4ChxQZnejmhaXgi/6+680v7Ufgh51xb5QiU2Xg7ATwplvor2VwJphSwMAw==
> freebsd.org <http://freebsd.org>. 3600 IN RRSIG
> DNSKEY 8 2 3600 20141228141417 20141214022412 32659 freebsd.org
> <http://freebsd.org>.
> Cf1nX8IQROLxXzL9WTDJVRdHuGN344DnIzKrshoG9sbYkP/DTDMMt9mpDCUUz0HK0FgxhHw45oepm6+KMbydzZDWhK2+G/LPgyK5nzsxnaJc9EgHpg6OKCQw7HHDirfe8lr0es0Ab4mPicqMKg31r7272SEKJ6HGoezzW5wtokTJpegAGQhW+b8ZvpBqRcj3jYIU9HvBOJtn/ZNrXMg2mUP/tbkxDcBy7ssMNmy0s0GKu6Daqq1VSK0BKvEIPc/sUC+mKkUo259FkI2Lnfml3vsw+aV0behgp/VpoxRfotcNjFNJGhYGF0B0iwTQIdBnfMWlNXsQBnoQ8b7W+OLiRw==
> freebsd.org <http://freebsd.org>. 0 IN RRSIG
> NSEC3PARAM 8 2 0 20141219185954 20141206012400 22689 freebsd.org
> <http://freebsd.org>.
> ViAARy2wfDAUXV7AEzQFbge0hCJSU1/vusbRoWkaM1EVkOQbaCiSQ1PDanZmR4yQncdo2M3d4gJtIHgvZ5xzeo0/2AhlSVw/GAtWjJkqI/8rJZ2ZPtoXy6SJBcNAcGKTx74EjFN/TIxDIEXKNss2BNz3y57olnknvqgVpNjGu8jzc59aDww4+cgh9v7zuMG1YAncCnHwTIaxtsXN/K0jjKx9CtkVwJLJCRd4bthKyrPkBNMZ3cDOX27MlQFC7461WsPkNxsxFYfUWO4g8f41UUYzPX2c59tKm+qJB7s56KLihZIuBjTZnROyTkvFFcdG3ii9dzFqbEN8PMwJIS7bzw==
> freebsd.org <http://freebsd.org>. 600 IN RRSIG
> NS 8 2 600 20141221172508 20141207182403 22689 freebsd.org
> <http://freebsd.org>.
> ny0XoD9xYbSX5nHbDnl5iCIofSBlkwB8dPjeUcmKfyylrpiPVDkXfl+xfacqJj7DRvf5gF8fLhe0lwTu3cLeVXGf9L3UfD5N5sd61SxLLXy8gDHtjCQWS5/VYE4rIn6/leoqRD5YVPGJ1OWRBHSnVIjdib/R7XLLz6v8CMT4l+P42tDf7z56hjc3BNplcD/KjFfrEmoBlRIwvs9XaR3i+Qvl/0uKnGgeaXVvRMgCthC4J4oZKsBt0hpAhwy3ocOOGhp1uLV+/sBUd4ZMi0HG0G+OZbelVt01LE/7Kp5+4TA7i5Ubla8/kEcx7iKjqimnTb+0GF7+WrZbVe3MrTi9Jg==
> freebsd.org <http://freebsd.org>. 600 IN RRSIG
> TXT 8 2 600 20141221200324 20141207122402 22689 freebsd.org
> <http://freebsd.org>.
> uf81IQ/nUDeVhLtUw/g4ILoW3Pq1rl9ub8p4MBkuGxhpmZSpm1phmJ47xuDkEg137SwqdP/mIx/EIRZ1Oah5Hx1e0278qJSX1M9DMwscCjXl3uPTqgYfL/M9k15U3OJ3i9yI4Stsp6ORG3Rj4bYYYz3mzlSNV64ZOnkW9JfPu/GjEq21EXgF9SEABJr21dwEUeCpmng15MHpmpTIJIwkgdH4DC7Dh/glQ6yMDEcf6I4x63hmj4CWpChs18W94esshEfZVTeiKV7xFPvgrnsbrO660Jvua7XR3R4mqr9sqv2mXKJICNobBNx/IyAxw9vw5dE7ohFptPEH7DUDN/h4jw==
> freebsd.org <http://freebsd.org>. 600 IN RRSIG
> MX 8 2 600 20141222062628 20141208062403 22689 freebsd.org
> <http://freebsd.org>.
> exRPLUyRmbRbxQEYu989+agnNMIjXl7PsfPGW8xaoq2Dv0/GbOGnAPlSALg3MBPz8R+pL3MWiaexyi/1qxUF6n0tItn7hQhUla4jri7rMFzMUcvePPr6t5sF/MWkIC+15O5QlIUx/Bi0zUnUFPSXCKH3MWr0oqGNzzc3jSqsUlqBhQmZq3KCrSE62Tp3VDthFhZUSY29EAmmwnAlTxQR9ZX3eVEM5oJ5UrhFkBcMhv4jVtSN+OncYx4PQWHNk4DR9vY3FCVl48XqJ9ivln9vHOOCqfzl5oaSXeE6rnbHwEKpOZX65l24nPuNtKVPajYEAroK4xMqCdkPW4Ov0tw3zA==
> freebsd.org <http://freebsd.org>. 600 IN RRSIG
> A 8 2 600 20141221151124 20141207232403 22689 freebsd.org
> <http://freebsd.org>.
> VPOX9ep1tYDF7dFaY37zXAMHwd+ySWAeSAMa45btmNzCD/F1pkUi9wH57LPE3jtqeHF4coKfZCvzBED5KWfyYMDZsWOaTNA2Hxh4h+WRr4qK1FxeilvIDLYs1/ynGCcaAfTM8T7OwAueWx/x78bshaw8mkI8Pp38SpkHa0sL5T4/L9NP8NOUOP5I6zv2xFtqkcQBSWZLFElGHn3JBo3ZyGa9lUsjnNfNWwNCLcDbXG7aQCW88v+mxbnIq2lHogqOsYXQHnatpK7qV27c2XNB9ZuGmWq6zLFUFOXH1pDLf0ftIg70Evy+88RomIFLo9e9qNYI9WJk7Z51gL7ygA/YSg==
> freebsd.org <http://freebsd.org>. 600 IN RRSIG
> AAAA 8 2 600 20141222031959 20141208092403 22689 freebsd.org
> <http://freebsd.org>.
> U88G56Mlmb6l4xv+G+IdvLAQQ8g5quIvKVjBSTcC5QdO52C/kUGcoo2rE+phXqXK7j7vgcfEuSI2qP3FDCG2K1VUn19+oCHA/LVzx4sNGsVlqXDfieE7c48vVYeukalh7cCXQ53dGo/4Tpps3i/4IUtw7Wi/NjykJoi8PbzgqR7mrkcKD83l18XR0JNILvj1EQwuTZYIICcd+yfs2WU5IjXIv5ik3hVkxQA5GkJse+EfAvBuJRPkZ8yknRM93tRw95gBc6ntB9+3pqZ9QNPKRUl5i7HoBbkSlAr3iGJiBAOXAX4V3PGNG+tXHqbEVPn1DzsXojJSFUJGaXHA9VFSpw==
> freebsd.org <http://freebsd.org>. 3600 IN
> DNSKEY 256 3 8
> AwEAAc48eD98O70LmwN5RQ5i1vaP9BURkyvOiVNbztyVOCbPsZMIxDVZULFGLeEKmUR9UbutNoizdVi+XDGXgbfvQTZczkCUJNvBCxVglssyxnMMDjxf4p6TfuTTAW7EK6BDGVGkU3yBbfFYRYDeRep3g2CHH5/juU6MGMDElYYAhULICw3QRJjzMJFezvV0D1Mql53otXJ2J0BVhNBbF/1HSYRhVrFCSnpo1OORbNEuCudBr5WDBsZ3TdFehf74fYQP8XZEKqwirUvGcrlvDCPncPFtoLj3BWNvecsAwBrRbVzwTMVZHV95SXSq5VzjiXsf4U/UMQ5xOE5t4370msqPScM=
> freebsd.org <http://freebsd.org>. 3600 IN
> DNSKEY 257 3 8
> AwEAAd1zS5J5X1kQqoufYTOGrPaUnlgBxllrFE1rGLJ3qDWEEETjszjal7IeJMmn/VhC6a2txXeob5is1/8Z6KWxpAhqIiw+l9JmD9sD/dOI9Yyk/AIyhSPguqV9+zBkfrp9I0BUuwxO/Rs+VgnqwQquyDGWRFQTtckPkptHKMTt44F8VyGcg+WVHOAXAsdGAC2SK1MVbSnMnRvZjYRHS3qc8at/h7soSib9TGNG9i+UD2mZyefcUUxsSll7TvUURA1dW13UP3U4/JlUM0qwA8Lk7pho/Or61Sci+yiqKijAdHu+dY3yGESkZ2rm4PBYYbm44ftefYXX5Hd5w20MXe5Lym8=
> freebsd.org <http://freebsd.org>. 3600 IN
> DNSKEY 256 3 8
> AwEAAdCGUpcdxSMYspciWP5aJa3f0Lr5oW1BkSnSGe4TO4+HVy8f+40q7uHtpaI7MMl5+2HAtjxgaZIVGBM3zqiCvW3KXjv+TRKLIBJTxStYu9ped0JWCqAXfYIhD5Tw2uvNKU0CLTJP9PQuEz8K5Yd7Zsy6N49/zAbovyhL5Ciax+BPcA8FTZ6io+m1Gw43+i2UOAs5yAeWsjaYsCwV4Ye7FdPwuQ5z/MMszr9XwBzFJdlQyJFpyAPNcdAiplnSWAg7oo8t221+sRsY/ZMOgi4WeIZAPM71Fq0LEi+GUxgjUdYs7MtehsmyRgZjum3AJyJfaf2gZRQH5Dw0aIR/G1lUwEc=
> freebsd.org <http://freebsd.org>. 0 IN
> NSEC3PARAM 1 0 100 10238ec3108d6756
> freebsd.org <http://freebsd.org>. 600 IN NS
> ns3.isc-sns.info <http://ns3.isc-sns.info>.
> freebsd.org <http://freebsd.org>. 600 IN NS
> ns2.isc-sns.com <http://ns2.isc-sns.com>.
> freebsd.org <http://freebsd.org>. 600 IN NS
> ns1.isc-sns.net <http://ns1.isc-sns.net>.
> freebsd.org <http://freebsd.org>. 600 IN TXT
> "v=spf1 redirect=_spf.freebsd.org <http://spf.freebsd.org>"
> freebsd.org <http://freebsd.org>. 600 IN MX
> 10 mx1.freebsd.org <http://mx1.freebsd.org>.
> freebsd.org <http://freebsd.org>. 600 IN A
> 8.8.178.110
> freebsd.org <http://freebsd.org>. 600 IN AAAA
> 2001:1900:2254:206a::50:0
>
> ;; ADDITIONAL SECTION:
> ns1.isc-sns.net <http://ns1.isc-sns.net>. 3600 IN A
> 72.52.71.1
> ns1.isc-sns.net <http://ns1.isc-sns.net>. 3600 IN
> AAAA 2001:470:1a::1
> ns2.isc-sns.com <http://ns2.isc-sns.com>. 3600 IN A
> 38.103.2.1
> ns3.isc-sns.info <http://ns3.isc-sns.info>. 3600 IN
> A 63.243.194.1
> ns3.isc-sns.info <http://ns3.isc-sns.info>. 3600 IN
> AAAA 2001:5a0:10::1
> mx1.freebsd.org <http://mx1.freebsd.org>. 600 IN A
> 8.8.178.115
> mx1.freebsd.org <http://mx1.freebsd.org>. 600 IN
> AAAA 2001:1900:2254:206a::19:1
>
> Received 3670 bytes from 72.52.71.1#53 in 298 ms
>
>
> So this server did return the requested information. You should really
> use dig(1) for debugging. It provides more information like whether
> the AA bit is set, DNSSEC data, etc.
>
Hi Kevin,
> I am still unsure why you are issuing ANY queries, though. If you want
> details, use "host -v". Since you are querying an authoritative
> resolver, you are not dependent on what is in cache, but the UDP reply
> is over 2K that is truncated and the query is re-issued via TCP. This
> means that the behavior is entirely different than a query for just
> address information.
>
Free access to the service ports 53/tcp and 53/udp.
Another thing I noticed was that it started to happen after I updated
the bind (ports).
# pkg info bind99
bind99-9.9.6P1
Name : bind99
Version : 9.9.6P1
Installed on : Fri Dec 12 09:33:33 BRST 2014
Origin : dns/bind99
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : net ipv6 dns
Licenses : ISCL
Maintainer : mat at FreeBSD.org
WWW : https://www.isc.org/software/bind
Comment : BIND DNS suite with updated DNSSEC and DNS64
Options :
DLZ_BDB : off
DLZ_FILESYSTEM : off
DLZ_LDAP : off
DLZ_MYSQL : off
DLZ_POSTGRESQL : off
DLZ_STUB : off
DOCS : on
FILTER_AAAA : off
FIXED_RRSET : off
GOST : off
GSSAPI_BASE : off
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
GSSAPI_NONE : on
IDN : on
IPV6 : on
LARGE_FILE : off
LINKS : on
NEWSTATS : off
PYTHON : off
REPLACE_BASE : off
RPZ_NSDNAME : off
RPZ_NSIP : off
RPZ_PATCH : off
RRL : on
SIGCHASE : off
SSL : on
THREADS : on
> I would do:
> # dig @72.52.71.1 <http://72.52.71.1> freebsd.org <http://freebsd.org>.
> # dig @38.103.2.1 <http://38.103.2.1> freebsd.org <http://freebsd.org>.
> # dig @8.8.178.115 <http://8.8.178.115> freebsd.org <http://freebsd.org>.
# dig @72.52.71.1 freebsd.org.
; <<>> DiG 9.9.6-P1 <<>> @72.52.71.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42090
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org. IN A
;; ANSWER SECTION:
freebsd.org. 600 IN A 8.8.178.110
;; AUTHORITY SECTION:
freebsd.org. 600 IN NS ns2.isc-sns.com.
freebsd.org. 600 IN NS ns3.isc-sns.info.
freebsd.org. 600 IN NS ns1.isc-sns.net.
;; ADDITIONAL SECTION:
ns1.isc-sns.net. 3600 IN A 72.52.71.1
ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1
ns2.isc-sns.com. 3600 IN A 38.103.2.1
ns3.isc-sns.info. 3600 IN A 63.243.194.1
ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1
;; Query time: 182 msec
;; SERVER: 72.52.71.1#53(72.52.71.1)
;; WHEN: Tue Dec 16 10:27:56 BRST 2014
;; MSG SIZE rcvd: 248
# dig @38.103.2.1 freebsd.org.
; <<>> DiG 9.9.6-P1 <<>> @38.103.2.1 freebsd.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40912
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org. IN A
;; ANSWER SECTION:
freebsd.org. 600 IN A 8.8.178.110
;; AUTHORITY SECTION:
freebsd.org. 600 IN NS ns2.isc-sns.com.
freebsd.org. 600 IN NS ns1.isc-sns.net.
freebsd.org. 600 IN NS ns3.isc-sns.info.
;; ADDITIONAL SECTION:
ns1.isc-sns.net. 3600 IN A 72.52.71.1
ns1.isc-sns.net. 3600 IN AAAA 2001:470:1a::1
ns2.isc-sns.com. 3600 IN A 38.103.2.1
ns3.isc-sns.info. 3600 IN A 63.243.194.1
ns3.isc-sns.info. 3600 IN AAAA 2001:5a0:10::1
;; Query time: 136 msec
;; SERVER: 38.103.2.1#53(38.103.2.1)
;; WHEN: Tue Dec 16 10:32:03 BRST 2014
;; MSG SIZE rcvd: 248
# dig @8.8.178.115 freebsd.org.
; <<>> DiG 9.9.6-P1 <<>> @8.8.178.115 freebsd.org.
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
>
> Once your resolvers have cached the NS records, they should directly
> query the servers shown and not walk the full tree. From the NXDOMAIN
> replies, it looks like some system is lying about things. I'm going to
> guess that system is incorrectly responding with NXDOMAIN when some
> other error is occurring. That system is probably close to you. Try:
> # dig freebsd.org <http://freebsd.org>.
# dig freebsd.org.
; <<>> DiG 9.9.6-P1 <<>> freebsd.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61747
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;freebsd.org. IN A
;; Query time: 2995 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 16 10:30:25 BRST 2014
;; MSG SIZE rcvd: 40
>
> That will do a standard query to what ever recursive resolver you
> normally use. It will, hopefully, point at the culprit. It is also
> possible that it is a firewall issue, where some security software is
> sending a NXDOMAIN server to prevent further queries. This is only a
> guess, but there are a limited number of places where the problem
> might be generated and experience tells me it is almost certainly
> close to your system.
I am suspicious that it's some recent filter due to last vulnerability
of bind. It could not be?
> --
> R. Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman at gmail.com <mailto:rkoberman at gmail.com>
>
More information about the freebsd-net
mailing list