RE: NOAA.GOV domain not working

2017-09-19 Thread Levesque, Ricky (SNB)
> gov.        86400   IN  RRSIG   DS 8 1 86400 2017100105 2017091804 15768 . TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+ 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>
> noaa.gov.   86400   IN  NS  ns-e.noaa.gov.
> noaa.gov.   86400   IN  NS  ns-mw.noaa.gov.
> noaa.gov.   86400   IN  NS  ns-nw.noaa.gov.
> noaa.gov.   3600    IN  DS  13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
> noaa.gov.   3600    IN  DS  13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
> noaa.gov.   3600    IN  RRSIG   DS 8 2 3600 20170925101007 20170918101007 21428 gov. UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4 oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>
> ;; connection timed out; no servers could be reached
>
> -Original Message-
> From: bind-users mailto:bind-users-boun...@lists.isc.org On Behalf Of 
> John Miller
> Sent: September 18, 2017 11:03 AM
> Cc: bind-users@lists.isc.org
> Subject: Re: NOAA.GOV domain not working
>
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in 
> the chain and see which one's slow to respond.  I don't see anything 
> crazy in your named.conf.  Something you didn't mention: does clearing 
> cache make a difference?
>
> John
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
>
>
> On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB) 
> <ricky.leves...@snb.ca> wrote:
> > Good day,
> >
> > I've been having an interesting issue with BIND and wondering if anyone has
> > had this before or knows how to fix it.
> >
> > The issue is,
> >
> > I have 2 recursive/caching DNS servers running BIND
> > 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this
> > particular domain.
> >
> > Noaa.gov (as well as its sub domains. Specifically www.nhc.noaa.gov)
> >
> > By slow I mean, it takes approximately 3500ms to query while most
> > other domains take less than 100ms to query.
> >
> > What's worse, the domain (noaa.gov) becomes unqueryable after a few hours
> > or a day and I need to clear the DNS servers' cache to allow it to
> > work again.
> >
> > The domains have very very low TTLs (30s) and use DNSSEC
> >
> > Error:
> >
> > ##dig www.nhc.noaa.gov
> >
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.nhc.noaa.gov.  IN  A
> >
> > Fixes I have attempted so far:
> >
> > Reboot servers (2 centos servers running on vmware)
> > Update system
> > Try a default config file
> > Updated vmware tools
> > Clear DNS cache (temporary fix)
> > Checked firewall for abnormal data
> > Updated root hints
> >
> > Config:
> >
> > acl internal {
> >     *removed*;
> >     localhost;
> > };
> >
> > options {
> >     listen-on port 53 { *removed*;
> >         127.0.0.1;
> >         ;
> >     };
> >     listen-on-v6 port 53 { none;
> >         #::1;
> >     };
> >     directory   "/var/named";
> >     dump-file   "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/name

RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thanks Warren,
I can query all the noaa.gov name servers without issues, and the replies are 
fast (sub 100ms)

-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: September 18, 2017 12:06 PM
To: Levesque, Ricky (SNB) <ricky.leves...@snb.ca>
Cc: John Miller <johnm...@brandeis.edu>; bind-users@lists.isc.org
Subject: Re: NOAA.GOV domain not working

On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB) <ricky.leves...@snb.ca> 
wrote:
> Thank you for your reply,
> When I notice too many failed queries from this domain name
> (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc
> reload) seems to allow queries to work. But still latent (in the
> 3500ms range)
>
> This is what I get from a DIG +trace...  the connection times out every time.
> #dig +trace www.nhc.noaa.gov
>
> But if I try another domain, example: "cisco.com" it completes
> properly
> #dig +trace cisco.com
>
> As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS servers
> (8.8.8.8) and the query seems to time out as well.
> # dig +trace www.nhc.noaa.gov @8.8.8.8
>
>
> ; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP*  +trace
> ;; global options: +cmd
> .   434277  IN  NS  e.root-servers.net.
> .   434277  IN  NS  d.root-servers.net.
> .   434277  IN  NS  f.root-servers.net.
> .   434277  IN  NS  a.root-servers.net.
> .   434277  IN  NS  i.root-servers.net.
> .   434277  IN  NS  h.root-servers.net.
> .   434277  IN  NS  g.root-servers.net.
> .   434277  IN  NS  l.root-servers.net.
> .   434277  IN  NS  b.root-servers.net.
> .   434277  IN  NS  k.root-servers.net.
> .   434277  IN  NS  j.root-servers.net.
> .   434277  IN  NS  c.root-servers.net.
> .   434277  IN  NS  m.root-servers.net.
> ;; Received 811 bytes from *removed DNS-SRV-IP*#53(*removed DNS-SRV-IP*) in 4 ms
>
> gov.        172800  IN  NS  a.gov-servers.net.
> gov.        172800  IN  NS  b.gov-servers.net.
> gov.        172800  IN  NS  c.gov-servers.net.
> gov.        172800  IN  NS  d.gov-servers.net.
> gov.        86400   IN  DS  7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
> gov.        86400   IN  DS  7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
> gov.        86400   IN  RRSIG   DS 8 1 86400 2017100105 2017091804 15768 . TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+ 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
> ;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms
>
> noaa.gov.   86400   IN  NS  ns-e.noaa.gov.
> noaa.gov.   86400   IN  NS  ns-mw.noaa.gov.
> noaa.gov.   86400   IN  NS  ns-nw.noaa.gov.
> noaa.gov.   3600    IN  DS  13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
> noaa.gov.   3600    IN  DS  13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
> noaa.gov.   3600    IN  RRSIG   DS 8 2 3600 20170925101007 20170918101007 21428 gov. UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4 oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
> ;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms
>
> ;; connection timed out; no servers could be reached
>
>

Huh. Weird.

Try:
dig  www.nhc.noaa.gov @ns-e.noaa.gov.
dig  www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  www.nhc.noaa.gov @ns-nw.noaa.gov.

and:
dig  -4 www.nhc.noaa.gov @ns-e.noaa.gov.
dig  -4 www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  -4 www.nhc.noaa.gov @ns-nw.noaa.gov.

and
dig  +tcp www.nhc.noaa.gov @ns-e.noaa.gov.
dig  +tcp www.nhc.noaa.gov @ns-mw.noaa.gov.
dig  +tcp www.nhc.noaa.gov @ns-nw.noaa.gov.


and also:
traceroute ns-e.noaa.gov.
traceroute ns-mw.noaa.gov.
traceroute ns-nw.noaa.gov.


What address range are you coming from? It sounds like you cannot reach the 
noaa.gov nameservers (or they canno

RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thank you for your reply,
When I notice too many failed queries from this domain name (www.nhc.noaa.gov)
restarting the service or clearing the cache (rndc reload) seems to allow
queries to work. But still latent (in the 3500ms range)

This is what I get from a DIG +trace...  the connection times out every time.
#dig +trace www.nhc.noaa.gov

But if I try another domain, example: "cisco.com" it completes properly
#dig +trace cisco.com

As another test, I ran a trace for www.nhc.noaa.gov on Google's DNS servers
(8.8.8.8) and the query seems to time out as well.
# dig +trace www.nhc.noaa.gov @8.8.8.8


; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @*removed DNS-SRV-IP*  +trace
;; global options: +cmd
.   434277  IN  NS  e.root-servers.net.
.   434277  IN  NS  d.root-servers.net.
.   434277  IN  NS  f.root-servers.net.
.   434277  IN  NS  a.root-servers.net.
.   434277  IN  NS  i.root-servers.net.
.   434277  IN  NS  h.root-servers.net.
.   434277  IN  NS  g.root-servers.net.
.   434277  IN  NS  l.root-servers.net.
.   434277  IN  NS  b.root-servers.net.
.   434277  IN  NS  k.root-servers.net.
.   434277  IN  NS  j.root-servers.net.
.   434277  IN  NS  c.root-servers.net.
.   434277  IN  NS  m.root-servers.net.
;; Received 811 bytes from *removed DNS-SRV-IP*#53(*removed DNS-SRV-IP*) in 4 ms

gov.        172800  IN  NS  a.gov-servers.net.
gov.        172800  IN  NS  b.gov-servers.net.
gov.        172800  IN  NS  c.gov-servers.net.
gov.        172800  IN  NS  d.gov-servers.net.
gov.        86400   IN  DS  7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.        86400   IN  DS  7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.        86400   IN  RRSIG   DS 8 1 86400 2017100105 2017091804 15768 . TwWja3x0St/rN8/hvlzI88QouBcsarUYFdo1w73NROAmztwC+I24SyIg /7zygGfvtZtaD4m/ebnS93V0l7Kb7+cP3V/u4Icd0r2U/ub/p0aCqqw+ 4Yc449qZCI04LPSq5q6wnCEI4dK+sSH9RBoLhJ08Obol6+YfHR9zvBSG 0x1+t99i/xSICyHnh/Mcr4Q+7p7Cl+EdgwG8TQIqTOq/qi0n4oTuGixJ BTpcZB5/dhk8oJbPfBiqJDJ6uFQJ5r/kMGYRp9440HaY3BvQ7bqjOHNo QfRybJEv45KZL4mCBGt9HZLkrHqT6Wz4wKflyLlr7JIS7eDzNlraMcqF D9wTaA==
;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms

noaa.gov.   86400   IN  NS  ns-e.noaa.gov.
noaa.gov.   86400   IN  NS  ns-mw.noaa.gov.
noaa.gov.   86400   IN  NS  ns-nw.noaa.gov.
noaa.gov.   3600    IN  DS  13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
noaa.gov.   3600    IN  DS  13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
noaa.gov.   3600    IN  RRSIG   DS 8 2 3600 20170925101007 20170918101007 21428 gov. UUOtQnMJgAZQAPS0J259CtXri0WyuDnJsdA5Glqt7FUAnvOFXNCEO8K6 0Kpyp/JHSM6hfeWKoAW3P0IaEeY+nYm91jdZ1Z214sWpiGmjvtE46KV4 oVwvwnhyMjqI6gIZ9tTmm67iKz5E4UF524d/liZL9RMqSoy5uL94VUSm tSs=
;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms

;; connection timed out; no servers could be reached

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John 
Miller
Sent: September 18, 2017 11:03 AM
Cc: bind-users@lists.isc.org
Subject: Re: NOAA.GOV domain not working

Hi Ricky,

Try running a "dig +trace www.nhc.noaa.gov," then query each record in the 
chain and see which one's slow to respond.  I don't see anything crazy in your 
named.conf.  Something you didn't mention: does clearing cache make a 
difference?

John
--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu


On Mon, Sep 18, 2017 at 8:03 AM, Levesque, Ricky (SNB)
<ricky.leves...@snb.ca> wrote:
> Good day,
>
> I’ve been having an interesting issue with BIND and wondering if anyone has
> had this before or knows how to fix it.
>
> The issue is,
>
> I have 2 recursive/caching DNS servers running BIND
> 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this particular
> domain.
>
> Noaa.gov (as well as its sub domains. Specifically – www.nhc.noaa.gov )
>
> By slow I mean, it takes approximately 3500ms to query while most other
> domains take less than 100ms to query.
>
> What’s worse, the domain (noaa.gov) becomes unqueryable after a few hours
> or a day and I need to clear the DNS servers’ cache to allow it to work
> again.
>
> The domains have very very low TTLs (30s) and use DNSs
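As an added example (my own code, not from the thread, from ISC or from BIND), the script below does what John and Warren ask for in one pass: it parses a `dig +trace` transcript like the one above, sanity-checks the DS digests and RRSIG validity windows the referrals carry, names the delegation whose nameservers never answered, and emits the per-server `dig` / `dig -4` / `dig +tcp` / `traceroute` matrix from Warren's reply. The embedded transcript is constructed from the thread's own names, DS records and signature timestamps, with the resolver address replaced by a documentation IP and the signature bytes by a placeholder; the function and field names are my own. One caveat the config in the thread makes relevant: those resolvers run with `dnssec-validation no`, so an RRSIG outside its window would not explain their timeouts; it is the check a validating resolver would fail on. The trace itself stops after the noaa.gov referral, which is why the probe list targets ns-e, ns-mw and ns-nw.noaa.gov.

```python
"""Walk a `dig +trace` transcript, check its DS/RRSIG data, and find where the chain stops."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample modelled on the thread's transcript: same names, DS records and
# RRSIG timestamps; resolver IP replaced by a documentation address, signatures by a placeholder.
SAMPLE_TRACE = """\
; <<>> DiG 9.11.0-P1 <<>> www.nhc.noaa.gov @192.0.2.53 +trace
.                       434277  IN  NS  k.root-servers.net.
;; Received 811 bytes from 192.0.2.53#53(192.0.2.53) in 4 ms

gov.                    172800  IN  NS  a.gov-servers.net.
gov.                    86400   IN  DS  7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.                    86400   IN  DS  7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.                    86400   IN  RRSIG  DS 8 1 86400 2017100105 2017091804 15768 . SIGNATURE==
;; Received 671 bytes from 193.0.14.129#53(k.root-servers.net) in 64 ms

noaa.gov.               86400   IN  NS  ns-e.noaa.gov.
noaa.gov.               86400   IN  NS  ns-mw.noaa.gov.
noaa.gov.               86400   IN  NS  ns-nw.noaa.gov.
noaa.gov.               3600    IN  DS  13774 5 1 4823D2F9C36F98D586ECCD779731F813218BD875
noaa.gov.               3600    IN  DS  13774 5 2 C0500C34A55DC61290B397E995A618337594694117A4A667FD3CEF27 EA23AC63
noaa.gov.               3600    IN  RRSIG  DS 8 2 3600 20170925101007 20170918101007 21428 gov. SIGNATURE==
;; Received 483 bytes from 69.36.157.30#53(a.gov-servers.net) in 49 ms

;; connection timed out; no servers could be reached
"""

RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\) in (\d+) ms")
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # DS digest type -> hex length (SHA-1, SHA-256, SHA-384)

@dataclass
class Step:
    """One referral in the trace: the zone's NS/DS/RRSIG set and the server that handed it out."""
    zone: str = ""
    ns: list = field(default_factory=list)
    ds: list = field(default_factory=list)      # (keytag, algorithm, digest_type, digest_hex)
    rrsigs: list = field(default_factory=list)  # (type_covered, expiration, inception, signer)
    answered_by: str = ""
    rtt_ms: int = 0

def rrsig_time(stamp):
    """dig prints YYYYMMDDHHMMSS; a transcript pasted into mail may have lost trailing zeros."""
    return datetime.strptime(stamp.ljust(14, "0"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_trace(text):
    """Split the transcript into referral steps; report whether it ended in a timeout."""
    steps, cur, timed_out = [], Step(), False
    for line in text.splitlines():
        if (m := RECEIVED_RE.match(line)):
            cur.answered_by, cur.rtt_ms = m.group(1), int(m.group(2))
            steps.append(cur)
            cur = Step()
        elif line.startswith(";; connection timed out"):
            timed_out = True
        elif (m := RECORD_RE.match(line)):
            cur.zone, rtype, rdata = m.group(1), m.group(2), m.group(3).split()
            if rtype == "NS":
                cur.ns.append(rdata[0])
            elif rtype == "DS":  # dig prints long digests in space-separated chunks
                cur.ds.append((int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:]).upper()))
            elif rtype == "RRSIG":  # covered alg labels ttl expiration inception keytag signer sig
                cur.rrsigs.append((rdata[0], rrsig_time(rdata[4]), rrsig_time(rdata[5]), rdata[7]))
    return steps, timed_out

def ds_issues(step):
    """A malformed DS digest in a referral is worth spotting before blaming the network."""
    out = []
    for keytag, _alg, dtype, digest in step.ds:
        want = DS_DIGEST_HEX_LEN.get(dtype)
        if want is None or len(digest) != want or not re.fullmatch(r"[0-9A-F]+", digest):
            out.append(f"{step.zone}: DS keytag {keytag} digest type {dtype} is malformed")
    return out

def rrsig_issues(step, now):
    """An RRSIG outside its validity window makes a validating resolver SERVFAIL the zone."""
    return [f"{step.zone}: RRSIG over {covered} by {signer} not valid at {now:%Y-%m-%d %H:%M}Z"
            for covered, expiration, inception, signer in step.rrsigs
            if not inception <= now <= expiration]

def probe_commands(qname, step):
    """The per-nameserver checks from the thread: plain UDP, IPv4 only, TCP, and a traceroute."""
    return [cmd for ns in step.ns for cmd in
            (f"dig {qname} @{ns}", f"dig -4 {qname} @{ns}", f"dig +tcp {qname} @{ns}", f"traceroute {ns}")]

def analyse(text, qname, now):
    steps, timed_out = parse_trace(text)
    issues = [i for s in steps for i in ds_issues(s) + rrsig_issues(s, now)]
    # The last referral received names the servers that were then never heard from.
    broken = steps[-1] if timed_out and steps else None
    return {"chain": [(s.zone, s.answered_by, s.rtt_ms) for s in steps],
            "issues": issues,
            "unreachable_zone": broken.zone if broken else None,
            "next_probes": probe_commands(qname, broken) if broken else []}

if __name__ == "__main__":
    result = analyse(SAMPLE_TRACE, "www.nhc.noaa.gov", rrsig_time("20170918120000"))
    for zone, server, rtt in result["chain"]:
        print(f"{zone:<12} referral served by {server} in {rtt} ms")
    print("data issues:", result["issues"] or "none")
    print("servers that never answered:", result["unreachable_zone"])
    print("\n".join(result["next_probes"]))
```

Run it as-is to see the sample analysed; on a live case, save `dig +trace www.nhc.noaa.gov > trace.txt` and call `analyse(open("trace.txt").read(), "www.nhc.noaa.gov", datetime.now(timezone.utc))`. The probe list is printed rather than executed so the script stays offline; the point of running each command by hand is that a server which answers `dig -4` or `dig +tcp` but not plain `dig` narrows the fault to IPv6 or to UDP handling on the path.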

NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Good day,
I've been having an interesting issue with BIND and wondering if anyone has had
this before or knows how to fix it.

The issue is,
I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7,
which are slow to query for this particular domain.
Noaa.gov (as well as its sub domains. Specifically - www.nhc.noaa.gov)
By slow I mean, it takes approximately 3500ms to query while most other domains
take less than 100ms to query.
What's worse, the domain (noaa.gov) becomes unqueryable after a few hours or a
day and I need to clear the DNS servers' cache to allow it to work again.

The domains have very very low TTLs (30s) and use DNSSEC

Error:
##dig www.nhc.noaa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52364
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nhc.noaa.gov.  IN  A


Fixes I have attempted so far:
Reboot servers (2 centos servers running on vmware)
Update system
Try a default config file
Updated vmware tools
Clear DNS cache (temporary fix)
Checked firewall for abnormal data
Updated root hints

Config:

acl internal {
    *removed*;
    localhost;
};

options {
    listen-on port 53 { *removed*;
        127.0.0.1;
        ;
    };
    listen-on-v6 port 53 { none;
        #::1;
    };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    // Conform to RFC1035
    auth-nxdomain no;

    // Allowed Port Ranges
    use-v4-udp-ports { range 32768 65535; };
    use-v6-udp-ports { range 32768 65535; };
    recursive-clients 15000;
    server-id none;
    version none;
    interface-interval 0;
    allow-query { internal; };
    allow-recursion { internal; };
    max-ncache-ttl 3600;
    allow-query-cache { internal; };
};

logging {
    channel default_debug {
        syslog local4;
        severity debug;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users