Re: [qmailtoaster] re: delay

Eric Shubert Tue, 22 Sep 2009 17:10:05 -0700

Maxwell Smart wrote:


Eric Shubert wrote:

Maxwell Smart wrote:

Eric,

Eric Shubert wrote:

Maxwell Smart wrote:

Eric,

Yes, they are there and constant with 127.0.0.1 in the first
position of
my resolv.conf file.  If I move it back to the last position it's ok.

It's not really ok. It's just that the DNS server(s) before it in the
list are handling the requests, so it never gets to 127.0.0.1, which
is your localhost DNS server.

OK, but it's then going through the ISP's servers anyways just in a

round about way.

Not unless you deliberately set it up that way. With a typical
caching/resolving nameserver, DNS requests will not hit the ISP's
server at all.

Where does it resolve to then?  How does it resolve addresses?


The root authoritative servers by default.

The dig command (man dig) is handy for troubleshooting DNS problems.

You might try:
# dig @127.0.0.1 google.com
and see what you get. I'm guessing that you'll get an error of some
sort (the command will work, but the result of the lookup will fail).

Dig worked fine, no error.

Did it return an answer section with a result in it? dig won't show a
glaring error. You need to know what to look for.

[r...@laetitia smtp]# dig 127.0.0.1 google.com

;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24685

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;127.0.0.1.                     IN      A

;; AUTHORITY

SECTION:

.                       1457    IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2009092201 1800 900 604800

86400

;; Query time: 143 msec
;; SERVER: 206.13.30.12#53(206.13.30.12)

;; WHEN: Tue Sep 22 15:01:29 2009;; MSG SIZE rcvd: 102


; <<>> DiG 9.3.4-P1 <<>> 127.0.0.1 google.com

;; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61092

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             17      IN      A       74.125.127.100
google.com.             17      IN      A       74.125.67.100
google.com.             17      IN      A       74.125.45.100

;; Query time: 145 msec
;; SERVER: 206.13.30.12#53(206.13.30.12)

;; WHEN: Tue Sep 22 15:01:29 2009;; MSG SIZE rcvd: 76


That command was:
# dig @127.0.0.1 google.com

The @127.0.0.1 tells dig to use 127.0.0.1 as the resolver, bypassingwhat you have in the /etc/resolv.conf file.

Your command did succeed, but it was resolved by 206.13.30.12, not thenameserver on your toaster (127.0.0.1).

Ideas on how to begin to troubleshoot?  I remember someone on the
list a
few days ago experiencing the same issue, but paid little attention
then.

IIRC you said earlier that this is a secondary to your authoritative
server. It's generally considered a bad practice to have a DNS server
configured to handle both authoritative and resolver requests. It can
be done, but you'd better know what you're doing.

If it's ok to blow away your secondary DNS, I would:
# yum remove bind
# yum install chroot-bind caching-nameserver
then try moving 127.0.0.1 to the top of /etc/resolv.conf again.

I have a master DNS server (ns1) which is authoritative and a slave

(ns2) which is also a web and e mail server.

It'd be better to have a caching/resolving DNS server on the web/email
host. The email server will use the resolving DNS server fairly
heavily.  Better to put the slave DNS on a different host.

So remove the nameserver 64.168.70.132 entry in the resolve.conf file?

Absolutely. Authoritative servers should never be listed in the
resolv.conf file.

OK, I've removed these from the file.

The other problem is this was all working just fine until about a week
or so ago.  I don't know why I would have to start changing my DNS when
it was working fine.  There is no reason this should have changed.  I
did however update my toaster.

I don't know what all changed, but updating the toaster should not
have caused this problem. I think that is coincidental.

Best guess at this point is that your ISP's DNS was/is having
problems. We've recommended using a caching nameserver on the toaster,
which will keep your ISP's DNS from detrimentally affecting your
toaster. Unfortunately, you already had a secondary DNS server running
on your toaster, which is not a recommended configuration. It is
possible to configure bind on your toaster to do both secondary
authoritative and resolving, but that's beyond what we can do for you
here.

OK,  are you saying to not use it as my secondary DNS server?


That would be best.

CJ

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
     Please visit qmailtoaster.com for the latest news, updates, and packages.

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



--
-Eric 'shubes'


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] re: delay

Reply via email to