I'm seeing lots of DNS resolution failures on my router (running Ubuntu 8.10, bind 9.3.4). While most succeed, I get quite a few FORMERR errors similar to:

    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 66.151.140.2#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.168.3.1#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.112.36.4#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 128.63.2.53#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.228.79.201#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.36.148.17#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 202.12.27.33#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.33.4.12#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.5.5.241#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.58.128.30#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 128.8.10.90#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 198.41.0.4#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 192.203.230.10#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 193.0.14.129#53
    May 4 20:25:25 localhost named[19579]: FORMERR resolving ' imap.gmail.com/A/IN': 199.7.83.42#53
I'm running an iptables firewall on this box, which is connected to the internet via a wireless access point on my roof with a link to my ISP. As a result of the above FORMERRs, clients on my LAN are unable to resolve addresses -- in the above case, imap.gmail.com -- and therefore are unable to access mail.

Upon the recommendations of someone familiar with the relevant technologies, I've updated my DNS (named.conf) to set the edns-udp-size 500 option. This had no effect.

If I use dig to resolve imap.gmail.com manually, by specifying any of the above-mentioned DNS servers, everything works fine. Also, when clients within my network fail to have imap.gmail.com resolve, I can "fix" things for a short while by simply issuing the following:

    nslookup
    set querytype=ns
    gmail.com.
    lserver <whatever-the-ns-server-is-for-gmail.com>
    set querytype=a
    imap.gmail.com

Once I've done the above, my DNS server caches the A record for imap.gmail.com and happily hands it out until the cache time is exceeded, when I'm back to getting FORMERRs and failing to resolve imap.gmail.com.

There are other addresses than imap.gmail.com that cannot be resolved due to FORMERRs, but this domain name is the most prevalent, and most annoying, since it prevents users within my network from getting mail.

Since I can force my DNS to resolve these addresses by issuing the above queries, I'm wondering if the problem is due to having the following in my named.conf:

    forwarders { 192.168.3.1; 66.151.140.2; };

My ISP provides the above two DNS servers and I have mine delegating to theirs. Perhaps one of these two DNS servers (or any that they forward to) is having problems (perhaps no EDNS0 support?), which causes the FORMERRs to be reported by my DNS server. I haven't yet tried removing the forwarders. I figured this was not the issue because the FORMERR log messages suggest (to me) that my DNS is trying to contact the root servers itself (and not relying on the downstream DNS servers to do so).
Does anyone have ideas about what is going on? Thanks much. -- Eric
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
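An added diagnostic, not part of the original post: it sends the same A query to a server once without and once with an EDNS0 OPT record (the mechanism behind BIND's edns-udp-size option) and reports the RCODE of each reply, so a forwarder that answers NOERROR plain but FORMERR with EDNS0 stands out. The server list in main and the transaction id are assumptions taken from the post; the packet layout follows RFC 1035 and RFC 2671.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, edns=True, bufsize=4096):
    """Recursive A/IN query; with edns=True an EDNS0 OPT pseudo-RR advertising
    bufsize is appended to the additional section (this is what edns-udp-size sets)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD bit set
    pkt = header + encode_name(name) + struct.pack(">HH", 1, 1)                # QTYPE A, QCLASS IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, empty RDATA
        pkt += b"\x00" + struct.pack(">HHIH", 41, bufsize, 0, 0)
    return pkt


def rcode_of(response):
    """Symbolic RCODE from a response header; FORMERR (1) is what named logged above."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack(">H", response[2:4])[0]
    return RCODE_NAMES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))


def probe(server, name, timeout=3.0):
    """Query one server plain and with EDNS0; returns e.g. {'plain': 'NOERROR', 'edns0': 'FORMERR'}."""
    results = {}
    for label, edns in (("plain", False), ("edns0", True)):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, edns=edns), (server, 53))
            data, _ = s.recvfrom(4096)
            results[label] = rcode_of(data)
        except socket.timeout:
            results[label] = "TIMEOUT"
        finally:
            s.close()
    return results


if __name__ == "__main__":
    for srv in ("192.168.3.1", "66.151.140.2"):  # the two forwarders named in the post (assumed reachable)
        print(srv, probe(srv, "imap.gmail.com"))
```

If both forwarders answer NOERROR in both modes, the EDNS0 hypothesis is unlikely and the FORMERRs are more likely coming from how the cached or forwarded replies are being handled than from the upstream servers themselves.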