Strange Name Server Problem
Matthew Seaman
matthew at FreeBSD.org
Thu Apr 20 21:57:39 UTC 2017
On 20/04/2017 19:48, Odhiambo Washington wrote:
> I have a server running FreeBSD 11.0-STABLE.
>
> I am a little stumped why my local caching bind instance doesn't answer
> queries. I have then opted to run bind on port 5353 and unbound on port 53.
> I still experience the same problem!
>
> root at waridi:/usr/local/etc/unbound # sockstat -l | grep named
> bind named 50877 20 tcp4 192.168.27.254:5353 *:*
> bind named 50877 21 tcp4 127.0.0.1:5353 *:*
> bind named 50877 22 tcp4 127.0.0.1:953 *:*
> bind named 50877 23 tcp6 ::1:953 *:*
> bind named 50877 512 udp4 192.168.27.254:5353 *:*
> bind named 50877 513 udp4 192.168.27.254:5353 *:*
> bind named 50877 514 udp4 192.168.27.254:5353 *:*
> bind named 50877 515 udp4 127.0.0.1:5353 *:*
> bind named 50877 516 udp4 127.0.0.1:5353 *:*
> bind named 50877 517 udp4 127.0.0.1:5353 *:*
> root at waridi:/usr/local/etc/unbound # sockstat -l | grep unb
> unbound unbound 51296 3 udp4 127.0.0.1:53 *:*
> unbound unbound 51296 4 tcp4 127.0.0.1:53 *:*
> unbound unbound 51296 5 udp4 192.168.27.254:53 *:*
> unbound unbound 51296 6 tcp4 192.168.27.254:53 *:*
> unbound unbound 51296 10 udp4 *:29712 *:*
> unbound unbound 51296 11 udp4 *:28511 *:*
> unbound unbound 51296 13 udp4 *:35511 *:*
> unbound unbound 51296 14 udp4 *:19644 *:*
> unbound unbound 51296 15 udp4 *:22549 *:*
> unbound unbound 51296 16 udp4 *:30714 *:*
> unbound unbound 51296 17 udp4 *:11907 *:*
> unbound unbound 51296 18 udp4 *:50834 *:*
> root at waridi:/usr/local/etc/unbound #
>
> Name resolution takes so long because it has to happen via the ISP's DNS
> servers, which are the 3rd and 4th options in /etc/resolv.conf
>
> I am actually lost as to where to start looking.
>
Have you tried turning up the logging levels for each of these programs?
You can set them to log every single query -- this is not usually done
in production since it slows the server down, but for debugging
purposes, it is really useful.

How are you generating lookups? It's best to use a tool like dig(1) --
this can query DNS directly and avoid all the added bits of NSS stuff,
which helps you localise the problem better.

Can you tell if either of these programs is attempting to recurse DNS
queries for you? You can use tcpdump to capture any port 53 traffic, or
else install dnstop, which captures DNS traffic in a similar way and
displays various statistics about it. Either of these should be able to
show you queries being made from your server to the root or other
authoritative servers and replies coming back.

You'll only tend to see the full sequence the first time you query for
something: most of the results will be cached, and second and subsequent
lookups for the same thing will just be answered out of cache. You can
clear the cache by 'rndc flush' or 'unbound-control flush_zone zonename'.

Another thing to check is what ends up in the cache for either of those
recursive servers -- both rndc and unbound-control have options to dump
the cache in text format.

Is your local unbound cache using the unbound port or the built-in
local_unbound service? If it's local_unbound, did you run:

    service local_unbound setup

This will process your /etc/resolv.conf and add any nameservers
specified there as forwarders in the configuration it generates.
Cheers,
Matthew
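A worked version of the checks Matthew lists (which daemon actually answers on port 53 for each resolv.conf entry, a direct dig(1) against each one, and the capture, flush and cache-dump commands), added here as an example; it is not code from the thread or from FreeBSD. It embeds a constructed, abridged copy of the sockstat listing from the post and a constructed resolv.conf; the two ISP resolver addresses are RFC 5737 documentation placeholders, not real servers. The live section only runs where sockstat(1) and dig(1) exist, so the sample part works anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Real tools used:
# sockstat(1), dig(1), tcpdump(1), rndc(8), unbound-control(8).

# Constructed sample: abridged `sockstat -l` as posted (bind on 5353,
# unbound on 53). Real output has the same seven columns.
SAMPLE_SOCKSTAT='USER     COMMAND PID   FD  PROTO LOCAL ADDRESS       FOREIGN ADDRESS
bind     named   50877 20  tcp4  192.168.27.254:5353 *:*
bind     named   50877 21  tcp4  127.0.0.1:5353      *:*
bind     named   50877 22  tcp4  127.0.0.1:953       *:*
bind     named   50877 512 udp4  192.168.27.254:5353 *:*
bind     named   50877 515 udp4  127.0.0.1:5353      *:*
unbound  unbound 51296 3   udp4  127.0.0.1:53        *:*
unbound  unbound 51296 4   tcp4  127.0.0.1:53        *:*
unbound  unbound 51296 5   udp4  192.168.27.254:53   *:*
unbound  unbound 51296 6   tcp4  192.168.27.254:53   *:*
unbound  unbound 51296 10  udp4  *:29712             *:*'

# Constructed sample resolv.conf: two local entries, then two ISP entries
# (203.0.113.x are documentation placeholders).
SAMPLE_RESOLV='nameserver 127.0.0.1
nameserver 192.168.27.254
nameserver 203.0.113.1
nameserver 203.0.113.2'

# dns_listener ADDR PORT SOCKSTAT_TEXT
# Prints the command owning the UDP listener on ADDR:PORT, or "none".
dns_listener() {
    printf '%s\n' "$3" | awk -v want="$1:$2" '
        $5 == "udp4" && $6 == want { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# resolver_plan RESOLV_TEXT SOCKSTAT_TEXT
# One line per nameserver: "ADDR PORT DAEMON". resolv.conf cannot name a
# port, so libc only ever talks to port 53: a daemon moved to 5353 is never
# consulted by ordinary lookups. "remote" means nothing local owns that socket.
resolver_plan() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' |
    while read -r _ns; do
        _who=$(dns_listener "$_ns" 53 "$2")
        [ "$_who" = none ] && _who=remote
        printf '%s 53 %s\n' "$_ns" "$_who"
    done
}

# probe ADDR PORT NAME
# Queries one resolver directly with dig, bypassing nsswitch/hosts, and
# prints the reported query time. +tries=1 +time=3 stops a dead listener
# from stalling the script through dig's default retries.
probe() {
    dig +tries=1 +time=3 +noall +stats @"$1" -p "$2" "$3" A 2>&1 |
        awk '/Query time:/ { print $4 " ms" }
             /no servers could be reached/ { print "timeout" }'
}

# Sample run (works without the daemons installed):
resolver_plan "$SAMPLE_RESOLV" "$SAMPLE_SOCKSTAT"

# Live run, only where the tools exist:
if command -v sockstat >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
    LIVE=$(sockstat -l)
    resolver_plan "$(cat /etc/resolv.conf)" "$LIVE" | while read -r ns port who; do
        printf '%s:%s (%s): %s\n' "$ns" "$port" "$who" "$(probe "$ns" "$port" freebsd.org)"
    done
    # In a second shell while probing: do queries actually leave this host
    # towards the roots/authoritatives, and do replies come back?
    echo 'tcpdump -ni <iface> -s0 "udp port 53 and not host 127.0.0.1"'
    # Repeat probes hit cache; empty it first, then inspect what was cached:
    #   rndc flush                  /  rndc dumpdb -cache   (writes named_dump.db)
    #   unbound-control flush_zone example.com  /  unbound-control dump_cache
fi
```

Compare the first probe time against the second for the same name: a large drop means the resolver you hit is recursing and caching correctly, and the slowness lies in the path libc actually takes, which the plan lines make explicit.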