I am getting different answers from those queries, looks like you hit the nail 
on the head Mark.
I'm exploring that avenue now.

Thanks

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Andrews
Sent: September 18, 2017 6:43 PM
To: bind-users@lists.isc.org <bind-us...@isc.org>
Subject: Re: NOAA.GOV domain not working


I actually expect that your problem is your firewall in that it is dropping 
fragmented UDP responses.  The UDP responses for www.nhc.noaa.gov are large.  
They do not fit in a single ethernet frame.

Compare the following two queries.

         dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237

         dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237 +bufsize=1432

The expected response should be something like below.

; <<>> DiG 9.12.0a1+hotspot+add-prefetch+marka <<>> www.nhc.noaa.gov +dnssec +norec @140.90.33.237
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28389
;; flags: qr aa; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.nhc.noaa.gov.              IN      A

;; ANSWER SECTION:
www.nhc.noaa.gov.       300     IN      CNAME   edge-nws.woc.noaa.gov.
www.nhc.noaa.gov.       300     IN      RRSIG   CNAME 5 4 300 20170924022618 
20170917022618 50970 nhc.noaa.gov. 
FX7pysSEix2BfkZ6YCyU2XIVKpsX0KaKszHLoCaGlXGbvdFg/frUrk8i 
UyxJd5ivHivccxKym1p/v5jzmrap6HqdW0OT1Y34jZWB4UTXxroxQNkb 
YDhJfeVEbi4tqTV9oR38U6SBw8O5CCEm1/JI4PstsE5ztGpjgjreL9Ck 
zkLibSQq+czKeCBiGcXYOL5Ax9Ix4pSvgz3nt9P4wWn/vp28LaYkA46P 
ua53NoWA/CA5F1iqjIuiAPEVWvaQfQXJ8lOBraN01lty8pKvnHuhj4IM 
P2ED48Db9lWi035WHacKBI+RMIYuxY6jUqduAms9Pel61vGvErGq19+2 6zeitw==
edge-nws.woc.noaa.gov.  300     IN      CNAME   edge-p1.l.noaa.gov.
edge-nws.woc.noaa.gov.  300     IN      RRSIG   CNAME 5 4 300 20170925184757 
20170918184757 57630 woc.noaa.gov. 
icSUkvRI1f9/+PuCTsJUiWV1fAnHMYc1yK0SqQ8s7zUMA42s8c7GR6sX 
+EQpkdoyWURftRgwL+vWiwt4fPnIrcP3QP19ogwORdO8SAevCoPGELGN 
3YEdKFaztiJLT5Ct35P69p5p1QrBjKkg6eYuPPBJa/sgZ1A2DThxGA0D 
GLflYZ8wzrrs/epM4d4UcL3hoVAj6Jq9l9vRu69yb1dTxeXVDovu/5v1 
XfPIfuBVX29zmB1DMKMPZHBQRvKJ3HuzQG7565kCeRZEn1zv5X/+xjob 
X5ynhA9G0sOeC7hoo0aVNkKOpROBik34pLDwezdHzuHkSD/fy3d4nL9P lkDAfg==
edge-p1.l.noaa.gov.     30      IN      A       140.90.33.11
edge-p1.l.noaa.gov.     30      IN      A       140.90.33.21
edge-p1.l.noaa.gov.     30      IN      A       140.90.200.11
edge-p1.l.noaa.gov.     30      IN      A       140.90.200.21
edge-p1.l.noaa.gov.     30      IN      A       140.172.17.11
edge-p1.l.noaa.gov.     30      IN      A       140.172.17.21
edge-p1.l.noaa.gov.     30      IN      A       216.38.80.71
edge-p1.l.noaa.gov.     30      IN      A       216.38.80.81
edge-p1.l.noaa.gov.     30      IN      A       129.15.96.11
edge-p1.l.noaa.gov.     30      IN      A       129.15.96.21
edge-p1.l.noaa.gov.     30      IN      RRSIG   A 5 4 30 20170925203819 
20170918203819 54795 l.noaa.gov. 
0uBOAopfYETEoFKbFTSSbKg9eOCtFtsO/74P+xB6UnOumPV2iZlIygBk 
Kd9J6aktlSzAbzc6jgnkLqqOgHFwBn+zsPTcIgqcXqWGfTz/J08IjhBs 
AJLdooU3uvxwyXhBee/8opkU4DLholpch9PcdAb3LWOh/Zi0OfRMlq9s 
n+fUAza7/UZDaBYv2mCUvzpVpC6VJ0KXm8ebqj9zprogZRHNfRk3KzNW 
CiXzjeECOL7u/uLsT8xPT4OJtkOCqgxH7TuGaTauCrNO7J88lp9SZq/C 
DkbQuS6algvPY4dRisCr9Fq+9qQn2uem4PZpDw3PYkArH4NuJ/CaVawo dLCKtw==

;; AUTHORITY SECTION:
l.noaa.gov.             86400   IN      NS      ns-e.noaa.gov.
l.noaa.gov.             86400   IN      NS      ns-mw.noaa.gov.
l.noaa.gov.             86400   IN      NS      ns-nw.noaa.gov.
l.noaa.gov.             86400   IN      RRSIG   NS 5 3 86400 20170925203819 
20170918203819 54795 l.noaa.gov. 
wKRr26TPsABD3AjMWtt/dnRRVeAe3H6ua9vp0R/W3ngQlo3H+0FJpCOV 
5DVU3gcpr9f5NmLETi53g2MB+jkgKz/7RIor0YdbsEropBDY3cqWFO6O 
Az1Ol0Eh9YokVF8XB6sejDkIBZgfSjj7m1OM7uPk2mmom/KZO1wh/bX+ 
ey5Qhezfq2ZFarXJn6SrWRNQa4juJ8SmtTsBivsVmuDNelyNd1gJ94Kp 
JdmNMUeyGAkvKNw3mIz06IPDEXF/wLlR0KCQWAPTOrJ2oacnMkEhm5+M 
iEhnF7jId54xFzuDeuPhRcVH9zK9QFsIzcPsr3aEjSaN1aSCqzXwn6cr h+XELQ==

;; ADDITIONAL SECTION:
ns-e.noaa.gov.          86400   IN      A       140.90.33.237
ns-e.noaa.gov.          86400   IN      AAAA    2610:20:8000:8c00::237
ns-mw.noaa.gov.         86400   IN      A       140.172.17.237
ns-mw.noaa.gov.         86400   IN      AAAA    2610:20:8800:8c00::237
ns-nw.noaa.gov.         86400   IN      A       161.55.32.2
ns-nw.noaa.gov.         86400   IN      AAAA    2610:20:8c00:8c00::2
ns-e.noaa.gov.          86400   IN      RRSIG   A 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
XoEks1NUvLsy9FCxlG6MqXFFDPy3nwaXC4EFapyFHaN8iJYTEarNcvJE 
a7tJ2V51ST+VjbexXk7ULvyCtiW28jOma8TkJTrPV/jvMStdvwQdbJ2X 
Sj4ueFZSvNKXgdQPz/IgZFl2q8r93JVp2EKboTJXda8IPXlHcppkiwKX 
DUp/pxcoKH98gqT4pFRty4yN2AcfG0fZDNk1DuFSrkOePFO9u1u5PRBp 
MS8yG9ASEBNRC+XYdJmPGS0HS7lYgVLQvq3mBjEYHl7iTbZtMj99EADz 
5/ZRGLF8UXh7q6P1Ke3VSdvwxuYKJipyoo7AVlSa/qZQGa7YBpuUxu9D KfRhdg==
ns-e.noaa.gov.          86400   IN      RRSIG   AAAA 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
egIUANThKKUqTZWD5/xYtn3zjdiD2mNz4KY/I3vLi+DH4TLtUJakEUU2 
Dzllq0DpvIxCi0L+0PUYkr7qD0GYb1a4dz8b51GwuLTrG+t60ylyBAwK 
o7wSyTHepdyRzYU+WGrmsyRoItCwU5K4HP5dgy8yhheK1jTCtjXUOOUd 
7e15rk3O5FHBM/V1AV3Jb5WhgaKRta+XcrlNPyiWmzLbiuOhd6SDVez2 
ZCbpjg+ufNiVPuJdIqicXFkzA7+M0yD9NSrkqm4dsm8B47rsmfaBbMSN 
Bz/2MLiryOOHwFUlwDKWRHDgJG0oyQpT6TWG/W9jJWySGNOM4LpF4jFs LsnhoQ==
ns-mw.noaa.gov.         86400   IN      RRSIG   A 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
AVjLcG9eAiUr5ogdFgkhYbZrUZJqB6DPuH9LXkvKecG9hsxHdYAnqBJI 
VFHeSNUS5SIAHZDGuadOWazGiR+2AmN8uaKk1xd08vY9LGzCtMhCUMQR 
S3txNgoa54jsil4bpvFGsF//979NyM2krpAapnWy0iOhpD1Iyazyxk42 
tQ3AhGvw0d2iRMZ+7vr5xI0fKKH18PyvtGbgr1og2fdFGz2VbesocBOy 
h7v+wFh6igLi+5KChHq+THvvycrf7X4wxYS6MbEkHC7H6yCJqyNqvpuj 
tCflOF32dJkD2viAZ5odEZ0MudYsSz/9OY+mXnt3jrDTE4a9rbja1kAq OrcDHA==
ns-mw.noaa.gov.         86400   IN      RRSIG   AAAA 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
e2ZLMqHBtedw7uEiTJFJ3XI1nQ4ScTnjA2kA4brugtS7prrCE4fbkGqe 
bEl4Lnxo3mFU/aZOoz+al0ECFoG2gSShbfQ0t8/amveET4DpSU2eq+Hz 
WwpULI9VFaeGYSHkvruDrU83NO9366L1fTRhkEB425C/ZMQiXLE48jOX 
XN2XqB+XbAq5p6DJSXdj5eBF2831VHfd/oEtO0O0xcBUS3e2rQC9g765 
LMfRvDxi1LLZCHSWFzX0SHXO/2k2MA4lgY/qRzXq8lmYRJZm3yMrmZrj 
9TFBNBU3RHGu3aUJjfdAh4XGd1qK6wdrTGtI5Km013s1AflmKC1AczzW KF3uqQ==
ns-nw.noaa.gov.         86400   IN      RRSIG   A 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
cpI8x/LtEqouko9AfCbOyFlVtZvMIx0o27V8aJ0R0mGjcPAUw72aHPRZ 
cIrUMhT3QbVwBfyFU+3DLcl79gBHnWnxI9rO69Nc7aK4aRr32OCE8ZFr 
cQfiUwKcZJImmEiC8Fi9e8S9CiWN/GcCGdQr7QIc7SfJVIMRxYBMZeMe 
BKcakX6NQQRPTQmNEeW8ShQF1YLXLvcII7DeRJr2VR7kjZ+XAdcuCxL4 
GxYpaZjU5bodHT7rDs5ZxP4jEmYn5xscf7BELNIGzIDXmKYWIdIWMydt 
aNf44arLrIHK1UqtjPRoiScPA6lOZgxzkUECMiNtv7gbRKh7OIJJIM0r DDLspw==
ns-nw.noaa.gov.         86400   IN      RRSIG   AAAA 5 3 86400 20170925184650 
20170918184650 30423 noaa.gov. 
qw5bNyetsBRWtBQGz7QjEK+oYKG9/0zUEVC2ZzQxxDZRJLPf4G9N02tW 
icADxEsmBzJ/0G9TGhJPH2EWmVy3Ru/Ow1NUes1VgxoVlxhdbd4n5GFs 
qyiyISXPF/yoYMtpOWa7Nawey+6hfIuj+abuotZ5cMaDP2gmPWw81bYd 
tOTJuCqq8YGW7OpfVtdLQsy6+JD5NHoNGeBAuKtJ6VO6KGREpotedsUV 
d7w46wZYsacB+LrDYFOr4c+nsObmpR5Jn+S7GktwqCyQJmFlGGp+kVTs 
0Hm+rcD4GnBt2zZLv3DGST1BG1Ft5lRw4IzQINS4brCEo5yfsWruTJRE dDoLoA==

;; Query time: 293 msec
;; SERVER: 140.90.33.237#53(140.90.33.237)
;; WHEN: Tue Sep 19 07:38:46 AEST 2017
;; MSG SIZE  rcvd: 3419


In message <36f8dd297fd5504aa37968ada5ba93eb01178c1...@gnbexmb8pb.gnb.ca>,
"Levesque, Ricky (SNB)" writes:
> Thank you for your reply,
> When I notice too many failed queries from this domain name
> (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc
> reload), seems to allow queries to work. But still latent (in the
> 3500ms range)
>
> This is what I get from a DIG +trace...  the connection times out 
> every time.
> #dig +trace www.nhc.noaa.gov
>
> But if I try another domain, example: "cisco.com" it completes
> properly
> #dig +trace cisco.com
>
> As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS
> servers (8.8.8.8) and the query seems to time out as well.
> # dig +trace www.nhc.noaa.gov @8.8.8.8
>
>
> ; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP* +trace
> ;; global options: +cmd
> .                       434277  IN      NS      e.root-servers.net.
> .                       434277  IN      NS      d.root-servers.net.
> .                       434277  IN      NS      f.root-servers.net.
> .                       434277  IN      NS      a.root-servers.net.
> .                       434277  IN      NS      i.root-servers.net.
> .                       434277  IN      NS      h.root-servers.net.
> .                       434277  IN      NS      g.root-servers.net.
> .                       434277  IN      NS      l.root-servers.net.
> .                       434277  IN      NS      b.root-servers.net.
> .                       434277  IN      NS      k.root-servers.net.
> .                       434277  IN      NS      j.root-servers.net.
> .                       434277  IN      NS      c.root-servers.net.
> .                       434277  IN      NS      m.root-servers.net.
> ;; Received 811 bytes from *removed DNS-SRV-IP* #53(*removed DNS-SRV-IP*) in 4 ms
>
> gov.                    172800  IN      NS      a.gov-servers.net.
> gov.                    172800  IN      NS      b.gov-servers.net.
> gov.                    172800  IN      NS      c.gov-servers.net.
> gov.                    172800  IN      NS      d.gov-servers.net.
> gov.                    86400   IN      DS      7698 8 1
> 6F109B46A80CEA9613DC86D5A3E065520505AAFE
> gov.                    86400   IN      DS      7698 8 2
> 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
> gov.                    86400   IN      RRSIG   DS 8 1 86400
> 20171001050000 20170918040000 15768 .
> TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg
> /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+
> 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG
> 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ
> BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo
> QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>
> noaa.gov.               86400   IN      NS      ns-e.noaa.gov.
> noaa.gov.               86400   IN      NS      ns-mw.noaa.gov.
> noaa.gov.               86400   IN      NS      ns-nw.noaa.gov.
> noaa.gov.               3600    IN      DS      13774 5 1
> 4823D2F9C36F98D586ECCD779731F813218BD875
> noaa.gov.               3600    IN      DS      13774 5 2
> C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
> noaa.gov.               3600    IN      RRSIG   DS 8 2 3600
> 20170925101007 20170918101007 21428 gov.
> UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6
> 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4
> oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>
> ;; connection timed out; no servers could be reached
>
>
>
>
> -----Original Message-----
> From: bind-users mailto:bind-users-boun...@lists.isc.org On Behalf Of 
> John Miller
> Sent: September 18, 2017 11:03 AM
> Cc: bind-users@lists.isc.org
> Subject: Re: NOAA.GOV domain not working
>
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in 
> the chain and see which one's slow to respond.  I don't see anything 
> crazy in your named.conf.  Something you didn't mention: does clearing 
> cache make a difference?
>
> John
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
>
>
> On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB) 
> <ricky.leves...@snb.ca> wrote:
> > Good day,
> >
> > I've been having an interesting issue with BIND and wondering if anyone has
> > had this before or knows how to fix it.
> >
> > The issue is,
> >
> > I have 2 recursive/caching DNS servers running BIND
> > 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this
> > particular domain.
> >
> > Noaa.gov (as well as its subdomains. Specifically www.nhc.noaa.gov)
> >
> > By slow I mean, it takes approximately 3500ms to query while most
> > other domains take less than 100ms to query.
> >
> > What's worse, the domain (noaa.gov) becomes unqueryable after a few hours
> > or a day and I need to clear the DNS servers' cache to allow it to
> > work again.
> >
> > The domains have very very low TTLs (30s) and use DNSSEC
> >
> > Error:
> >
> > ##dig www.nhc.noaa.gov
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.nhc.noaa.gov.              IN      A
> >
> > Fixes I have attempted so far:
> >
> > Reboot servers (2 centos servers running on vmware)
> > Update system
> > Try a default config file
> > Updated vmware tools
> > Clear DNS cache (temporary fix)
> > Checked firewall for abnormal data
> > Updated root hints
> >
> > Config:
> >
> > acl internal {
> >         *removed*;
> >         localhost;
> >         };
> >
> > options {
> >         listen-on port 53 { *removed*;
> >                             127.0.0.1;
> > ;
> >                            };
> >         listen-on-v6 port 53 { none;
> >                                #::1;
> >                               };
> >         directory       "/var/named";
> >         dump-file       "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         memstatistics-file "/var/named/data/named_mem_stats.txt";
> >
> >         dnssec-enable no;
> >         dnssec-validation no;
> >         dnssec-lookaside auto;
> >
> > // Conform to RFC1035
> >     auth-nxdomain no;
> >
> > // Allowed Port Ranges
> >     use-v4-udp-ports { range 32768 65535; };
> >     use-v6-udp-ports { range 32768 65535; };
> >     recursive-clients 15000;
> >     server-id none;
> >     version none;
> >     interface-interval 0;
> >     allow-query { internal;
> >                   };
> >       allow-recursion { internal;
> >                       };
> >      max-ncache-ttl 3600;
> >      allow-query-cache { internal;
> >                         };
> >         };
> >
> > logging {
> >         channel default_debug {
> >                   syslog local4;
> >                   severity debug;
> >         };
> > };
> >
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
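
The two-query comparison suggested above, reproduced at the wire level as an added example that is not part of the original thread: it builds the query that dig's +norec, +dnssec and +bufsize options produce and interprets the pair of results. The 4096-byte large advertisement, the 1500-byte IPv4 MTU, the function names and the result labels are assumptions of this example.

```python
import socket
import struct

# Assumption: IPv4 over a 1500-byte Ethernet MTU (20-byte IP + 8-byte UDP header).
ONE_FRAME_PAYLOAD = 1500 - 20 - 8

def build_query(name, bufsize, dnssec=True, qid=0x1234):
    """A query as sent by `dig +norec +dnssec +bufsize=N`: RD clear, one OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # ARCOUNT=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=advertised UDP size, TTL bit 15=DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if dnssec else 0, 0)
    return header + question + opt

def probe(server, name, bufsize, timeout=3.0):
    """Return (reply_length, truncated) or None if nothing usable came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # kernel discards datagrams from other sources
        try:
            s.send(build_query(name, bufsize))
            reply = s.recv(65535)
        except OSError:  # timeout or ICMP error
            return None
    if len(reply) < 12:
        return None
    flags = struct.unpack("!H", reply[2:4])[0]
    return len(reply), bool(flags & 0x0200)  # 0x0200 = TC (truncated)

def diagnose(large, small):
    """Interpret probes made with a large and a single-frame advertisement."""
    if large is None:
        return "fragments-dropped" if small is not None else "no-reply"
    if large[0] > ONE_FRAME_PAYLOAD:
        return "fragments-delivered"
    return "inconclusive"  # reply fit in one frame, fragmentation not exercised

if __name__ == "__main__":
    server, name = "140.90.33.237", "www.nhc.noaa.gov"  # values from the thread
    print(diagnose(probe(server, name, 4096), probe(server, name, 1432)))
```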