I am getting different answers from those queries, looks like you hit the nail on the head Mark. I'm exploring that avenue now.
Thanks

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: September 18, 2017 6:43 PM
To: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: NOAA.GOV domain not working

I actually expect that your problem is your firewall in that it is dropping fragmented UDP responses. The UDP responses for www.nhc.noaa.gov are large. They do not fit in a single ethernet frame.

Compare the following two queries.

dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237
dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237 +bufsize=1432

The expected response should be something like below.

; <<>> DiG 9.12.0a1+hotspot+add-prefetch+marka <<>> www.nhc.noaa.gov +dnssec +norec @140.90.33.237
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28389
;; flags: qr aa; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.nhc.noaa.gov. IN A

;; ANSWER SECTION:
www.nhc.noaa.gov. 300 IN CNAME edge-nws.woc.noaa.gov.
www.nhc.noaa.gov. 300 IN RRSIG CNAME 5 4 300 20170924022618 20170917022618 50970 nhc.noaa.gov. [signature data omitted]
edge-nws.woc.noaa.gov. 300 IN CNAME edge-p1.l.noaa.gov.
edge-nws.woc.noaa.gov. 300 IN RRSIG CNAME 5 4 300 20170925184757 20170918184757 57630 woc.noaa.gov. [signature data omitted]
edge-p1.l.noaa.gov. 30 IN A 140.90.33.11
edge-p1.l.noaa.gov. 30 IN A 140.90.33.21
edge-p1.l.noaa.gov. 30 IN A 140.90.200.11
edge-p1.l.noaa.gov. 30 IN A 140.90.200.21
edge-p1.l.noaa.gov. 30 IN A 140.172.17.11
edge-p1.l.noaa.gov. 30 IN A 140.172.17.21
edge-p1.l.noaa.gov. 30 IN A 216.38.80.71
edge-p1.l.noaa.gov. 30 IN A 216.38.80.81
edge-p1.l.noaa.gov. 30 IN A 129.15.96.11
edge-p1.l.noaa.gov. 30 IN A 129.15.96.21
edge-p1.l.noaa.gov. 30 IN RRSIG A 5 4 30 20170925203819 20170918203819 54795 l.noaa.gov. [signature data omitted]

;; AUTHORITY SECTION:
l.noaa.gov. 86400 IN NS ns-e.noaa.gov.
l.noaa.gov. 86400 IN NS ns-mw.noaa.gov.
l.noaa.gov. 86400 IN NS ns-nw.noaa.gov.
l.noaa.gov. 86400 IN RRSIG NS 5 3 86400 20170925203819 20170918203819 54795 l.noaa.gov. [signature data omitted]

;; ADDITIONAL SECTION:
ns-e.noaa.gov. 86400 IN A 140.90.33.237
ns-e.noaa.gov. 86400 IN AAAA 2610:20:8000:8c00::237
ns-mw.noaa.gov. 86400 IN A 140.172.17.237
ns-mw.noaa.gov. 86400 IN AAAA 2610:20:8800:8c00::237
ns-nw.noaa.gov. 86400 IN A 161.55.32.2
ns-nw.noaa.gov. 86400 IN AAAA 2610:20:8c00:8c00::2
ns-e.noaa.gov. 86400 IN RRSIG A 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]
ns-e.noaa.gov. 86400 IN RRSIG AAAA 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]
ns-mw.noaa.gov. 86400 IN RRSIG A 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]
ns-mw.noaa.gov. 86400 IN RRSIG AAAA 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]
ns-nw.noaa.gov. 86400 IN RRSIG A 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]
ns-nw.noaa.gov. 86400 IN RRSIG AAAA 5 3 86400 20170925184650 20170918184650 30423 noaa.gov. [signature data omitted]

;; Query time: 293 msec
;; SERVER: 140.90.33.237#53(140.90.33.237)
;; WHEN: Tue Sep 19 07:38:46 AEST 2017
;; MSG SIZE rcvd: 3419

In message <36f8dd297fd5504aa37968ada5ba93eb01178c1...@gnbexmb8pb.gnb.ca>, "Levesque, Ricky (SNB)" writes:
> Thank you for your reply,
> When I notice too many failed queries from this domain name (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc reload), seems to allow queries to work. But still latent (in the 3500ms range)
>
> This is what I get from a DIG +trace... the connection times out every time.
> #dig +trace www.nhc.noaa.gov
>
> But if I try another domain, example: "cisco.com" it completes properly
> #dig +trace cisco.com
>
> As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS servers (8.8.8.8) and the query seems to time out as well.
> # dig +trace www.nhc.noaa.gov @8.8.8.8
>
> ; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP* +trace
> ;; global options: +cmd
> . 434277 IN NS e.root-servers.net.
> . 434277 IN NS d.root-servers.net.
> . 434277 IN NS f.root-servers.net.
> . 434277 IN NS a.root-servers.net.
> . 434277 IN NS i.root-servers.net.
> . 434277 IN NS h.root-servers.net.
> . 434277 IN NS g.root-servers.net.
> . 434277 IN NS l.root-servers.net.
> . 434277 IN NS b.root-servers.net.
> . 434277 IN NS k.root-servers.net.
> . 434277 IN NS j.root-servers.net.
> . 434277 IN NS c.root-servers.net.
> . 434277 IN NS m.root-servers.net.
> ;; Received 811 bytes from *removed DNS-SRV-IP* #53(*removed DNS-SRV-IP*) in 4 ms
>
> gov. 172800 IN NS a.gov-servers.net.
> gov. 172800 IN NS b.gov-servers.net.
> gov. 172800 IN NS c.gov-servers.net.
> gov. 172800 IN NS d.gov-servers.net.
> gov. 86400 IN DS 7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
> gov. 86400 IN DS 7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
> gov. 86400 IN RRSIG DS 8 1 86400 20171001050000 20170918040000 15768 . [signature data omitted]
> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>
> noaa.gov. 86400 IN NS ns-e.noaa.gov.
> noaa.gov. 86400 IN NS ns-mw.noaa.gov.
> noaa.gov. 86400 IN NS ns-nw.noaa.gov.
> noaa.gov. 3600 IN DS 13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
> noaa.gov. 3600 IN DS 13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
> noaa.gov. 3600 IN RRSIG DS 8 2 3600 20170925101007 20170918101007 21428 gov. [signature data omitted]
> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>
> ;; connection timed out; no servers could be reached
>
> -----Original Message-----
> From: bind-users mailto:bind-users-boun...@lists.isc.org On Behalf Of John Miller
> Sent: September 18, 2017 11:03 AM
> Cc: bind-users@lists.isc.org
> Subject: Re: NOAA.GOV domain not working
>
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in the chain and see which one's slow to respond. I don't see anything crazy in your named.conf. Something you didn't mention: does clearing cache make a difference?
>
> John
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
>
> On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB) <ricky.leves...@snb.ca> wrote:
> > Good day,
> >
> > I've been having an interesting issue with BIND and wondering if anyone has had this before or knows how to fix it.
> >
> > The issue is,
> >
> > I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this particular domain.
> >
> > Noaa.gov (as well as its sub domains. Specifically www.nhc.noaa.gov)
> >
> > By slow I mean, it takes approximately 3500ms to query while most other domains take less than 100ms to query.
> >
> > What's worse, the domain (noaa.gov) becomes unqueriable after a few hours or a day and I need to clear the DNS servers' cache to allow it to work again.
> >
> > The domains have very very low TTLs (30s) and use DNSSEC
> >
> > Error:
> >
> > ##dig www.nhc.noaa.gov
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.nhc.noaa.gov. IN A
> >
> > Fixes I have attempted so far:
> >
> > Reboot servers (2 centos servers running on vmware)
> > Update system
> > Try a default config file
> > Updated vmware tools
> > Clear DNS cache (temporary fix)
> > Checked firewall for abnormal data
> > Updated root hints
> >
> > Config:
> >
> > acl internal {
> >         *removed*;
> >         localhost;
> > };
> >
> > options {
> >         listen-on port 53 { *removed*;
> >                 127.0.0.1;
> >                 ;
> >         };
> >         listen-on-v6 port 53 { none;
> >                 #::1;
> >         };
> >         directory "/var/named";
> >         dump-file "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         memstatistics-file "/var/named/data/named_mem_stats.txt";
> >
> >         dnssec-enable no;
> >         dnssec-validation no;
> >         dnssec-lookaside auto;
> >
> >         // Conform to RFC1035
> >         auth-nxdomain no;
> >
> >         // Allowed Port Ranges
> >         use-v4-udp-ports { range 32768 65535; };
> >         use-v6-udp-ports { range 32768 65535; };
> >         recursive-clients 15000;
> >         server-id none;
> >         version none;
> >         interface-interval 0;
> >         allow-query { internal;
> >         };
> >         allow-recursion { internal;
> >         };
> >         max-ncache-ttl 3600;
> >         allow-query-cache { internal;
> >         };
> > };
> >
> > logging {
> >         channel default_debug {
> >                 syslog local4;
> >                 severity debug;
> >         };
> > };
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
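
The two-query comparison from Mark Andrews' reply, as an added example that is not part of the original thread or of BIND: it builds the same non-recursive DNSSEC query with an advertised EDNS buffer of 4096 and of 1432 bytes, and treats a timeout at the larger size only as the sign that fragmented UDP replies are being lost on the path. The function names and the 3-second timeout are assumptions; the server address and query name are the ones used in the thread.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header


def build_query(name, bufsize, qid=0x1234):
    """Wire form of: dig NAME +dnssec +norec +bufsize=BUFSIZE (A record)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD clear, 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # EDNS0 OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode/version/flags with DO (0x8000) set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt


def classify_reply(data):
    """Return ('truncated' | 'ok', size) for a received UDP payload."""
    (flags,) = struct.unpack("!H", data[2:4])
    return ("truncated" if flags & TC_BIT else "ok", len(data))


def probe(server, name, bufsize, timeout=3.0):
    """Send one query over UDP; a reply lost in transit shows up as a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return ("timeout", 0)
    return classify_reply(data)


def diagnose(large, small):
    """Compare the 4096-byte and 1432-byte probes the way the two dig runs are compared."""
    if large[0] == "timeout" and small[0] != "timeout":
        return "fragment loss likely"
    if large[0] == "timeout":
        return "no UDP reply at either size"
    return "large replies arrive intact"


if __name__ == "__main__":
    server, name = "140.90.33.237", "www.nhc.noaa.gov"  # values from the thread
    print(diagnose(probe(server, name, 4096), probe(server, name, 1432)))
```

A "truncated" result at 1432 bytes is expected for this name, since the full answer shown in the thread is 3419 bytes; what matters is that some reply arrives at the small size while none arrives at the large one.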