Re: How do I debug if the queries are not getting resolved?

[Greg Choules via bind-users]

Hello.
There are well known and documented issues with the zone "gov.in" and there
were some recent problems with "gov" as well.
Please search this mailing list archive for those domains and you may find
some useful hints, tips and information that explain and help you with your
own problem.

Cheers, Greg

On Tue, 12 Dec 2023 at 00:48, Blason R  wrote:

> Oh I forgot to tell you that. This is BIND RPZ and all the queries are
> recursive.
>
> Dig output just dies out and does not spit anything.
>
> And this specifically i noticed with .gov and .gov.in domain. This is the
> reason I thing it might be related with DNSSEC.
>
> Also wanted to understand overall how do I debug any queries.
>
> On Tue, Dec 12, 2023, 00:28 Marco Moock  wrote:
>
>> Am 11.12.2023 um 23:37:36 Uhr schrieb Blason R:
>>
>> > I require assistance in troubleshooting the resolution issue for
>> > specific domains that are not being resolved properly. The version of
>> > BIND I am currently using is BIND 9.18.20-1.
>>
>> First, tell us if those queries are authoritative on that server or not.
>>
>> Try using dig and post the output here.
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I debug if the queries are not getting resolved?

[Grant Taylor via bind-users]

On 12/11/23 18:47, Blason R wrote:
Oh I forgot to tell you that. This is BIND RPZ and all the queries are 
recursive.


Okay, what RPZ configuration do you have?  Is it messing with the 
queries you're testing in any way?


What configuration do you have for RPZ related to DNSSEC?


Dig output just dies out and does not spit anything.


Please elaborate on "just dies".  Does the dig abort / terminate / fail 
and immediately return you to a command prompt?  Or does it simply take 
longer than you are allowing it to run?


What happens if you allow dig to run for 5-8 minutes?  It should timeout 
sometime long before 8 minutes and print something germane to the terminal.


I think that a network sniffer while running dig tests above is a very 
helpful thing.  #trustTheBitsOnTheWire


And this specifically i noticed with .gov and .gov.in  
domain. This is the reason I thing it might be related with DNSSEC.


RPZ and DNSSEC have an interesting relationship.

What happens if you do a `\dig +trace` on the name you're testing?

N.B. the leading backslash is important to disable any local shell aliasing.

Also, `which dig` to confirm that you are running the binary that you 
think you are running.



Also wanted to understand overall how do I debug any queries.


Something somewhere will give you diagnostically relevant data.  You 
need to find it and understand it.  Even strace / dtrace on dig will be 
helpful at times.


There's a possibility that there is a missing library and dig can't even 
run.  But that's unlikely -- but not impossible -- with dig installed 
via standard repo commands.




--
Grant. . . .
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I debug if the queries are not getting resolved?

[stuart@registry.godaddy]

> Subject: Re: How do I debug if the queries are not getting resolved?
> 
> Oh I forgot to tell you that. This is BIND RPZ and all the queries are 
> recursive. 
> 
> Dig output just dies out and does not spit anything.
> 
> And this specifically i noticed with .gov and .gov.in domain. This is the 
> reason I thing it might be related with DNSSEC.

Given that there's no implicit RPZ related to .gov or .gov.in, can you please 
provide us with some concreate examples of what you're trying to achieve?

> Also wanted to understand overall how do I debug any queries.

What you've described so far is the inability to reach your recursing name 
server, i.e. the very first step.

You've not mentioned what OS you're doing these tests from, so we can't direct 
you with specifics, just very broad and imprecise steps.

Namely:

- Check what name server your host is configured to use.
- Using the "dig" command with a "@[ip-address]", verify that you can actually 
ask that server queries. i.e.

dig @127.0.0.1 www.google.com. IN A

- Verify that you're asking a correct question by looking at the "Question" 
section of the output. i.e. 

;; QUESTION SECTION:
;www.google.com. IN A

- Verify that the response you received is not an error of some kind, i.e.:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

- If you're the one running the recursing name server, verify that no errors 
occurred in the log files.

Etc.

For us to help you further, please give us specific information, otherwise 
we're just fishing around to try give you relevant information.

> On Tue, Dec 12, 2023, 00:28 Marco Moock  > wrote:
> Am 11.12.2023 um 23:37:36 Uhr schrieb Blason R:
> 
> > I require assistance in troubleshooting the resolution issue for
> > specific domains that are not being resolved properly. The version of
> > BIND I am currently using is BIND 9.18.20-1.
> 
> First, tell us if those queries are authoritative on that server or not.
> 
> Try using dig and post the output here.
> -- 

Stuart

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I debug if the queries are not getting resolved?

[Blason R]

Oh I forgot to tell you that. This is BIND RPZ and all the queries are
recursive.

Dig output just dies out and does not spit anything.

And this specifically i noticed with .gov and .gov.in domain. This is the
reason I thing it might be related with DNSSEC.

Also wanted to understand overall how do I debug any queries.

On Tue, Dec 12, 2023, 00:28 Marco Moock  wrote:

> Am 11.12.2023 um 23:37:36 Uhr schrieb Blason R:
>
> > I require assistance in troubleshooting the resolution issue for
> > specific domains that are not being resolved properly. The version of
> > BIND I am currently using is BIND 9.18.20-1.
>
> First, tell us if those queries are authoritative on that server or not.
>
> Try using dig and post the output here.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I debug if the queries are not getting resolved?

[Marco Moock]

Am 11.12.2023 um 23:37:36 Uhr schrieb Blason R:

> I require assistance in troubleshooting the resolution issue for
> specific domains that are not being resolved properly. The version of
> BIND I am currently using is BIND 9.18.20-1.

First, tell us if those queries are authoritative on that server or not.

Try using dig and post the output here.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

How do I debug if the queries are not getting resolved?

[Blason R]

Hi Guys,

I require assistance in troubleshooting the resolution issue for specific
domains that are not being resolved properly. The version of BIND I am
currently using is BIND 9.18.20-1.

TIA
Blason R
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users