Re: DNS server works but keep getting host unreachable resolving error

2009-09-22 Thread Matus UHLAR - fantomas
On 21.09.09 19:26, Shi Jin wrote:
> I've confirmed that the problem is firewall related. I've replaced my
> current Untangle firewall with a simplest Linux NAT iptables firewall and
> everything works perfectly, without any complains.

I'd say it was bad configuration, not necessarily a bad firewall. The
tcpdump would help us, unless you are satisfied with using linux iptables...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNS server works but keep getting host unreachable resolving error

2009-09-21 Thread Shi Jin
Hi there,

I've set up a DNS server running bind9 in my LAN and set it up to use the
ISP-provided DNS servers as forwarders. Currently this DNS server works in the
sense that both internal and external names are resolved without any problem.
However, for each DNS query, the syslog shows entries of

dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53

where the IP 216.171.238.66 is the ISP-provided DNS server.

My named.conf.options looks like
forwarders {
216.171.238.66;
216.171.238.67;
 };
listen-on-v6 { none; };

When I run dig, I get
/etc/bind# dig

; <<>> DiG 9.5.1-P2 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48733
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   435420  IN  NS  K.ROOT-SERVERS.NET.
.   435420  IN  NS  A.ROOT-SERVERS.NET.
.   435420  IN  NS  H.ROOT-SERVERS.NET.
.   435420  IN  NS  M.ROOT-SERVERS.NET.
.   435420  IN  NS  E.ROOT-SERVERS.NET.
.   435420  IN  NS  J.ROOT-SERVERS.NET.
.   435420  IN  NS  D.ROOT-SERVERS.NET.
.   435420  IN  NS  L.ROOT-SERVERS.NET.
.   435420  IN  NS  G.ROOT-SERVERS.NET.
.   435420  IN  NS  F.ROOT-SERVERS.NET.
.   435420  IN  NS  B.ROOT-SERVERS.NET.
.   435420  IN  NS  C.ROOT-SERVERS.NET.
.   435420  IN  NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 521820  IN  A   198.41.0.4
A.ROOT-SERVERS.NET. 521820  IN  AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 297362  IN  A   192.228.79.201
C.ROOT-SERVERS.NET. 297362  IN  A   192.33.4.12
D.ROOT-SERVERS.NET. 297362  IN  A   128.8.10.90
E.ROOT-SERVERS.NET. 297362  IN  A   192.203.230.10
F.ROOT-SERVERS.NET. 347113  IN  A   192.5.5.241
F.ROOT-SERVERS.NET. 521820  IN  AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET. 297362  IN  A   192.112.36.4
H.ROOT-SERVERS.NET. 297362  IN  A   128.63.2.53
H.ROOT-SERVERS.NET. 297362  IN  AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET. 297362  IN  A   192.36.148.17
J.ROOT-SERVERS.NET. 330463  IN  A   192.58.128.30
J.ROOT-SERVERS.NET. 330463  IN  AAAA    2001:503:c27::2:30

;; Query time: 0 msec
;; SERVER: 192.168.1.127#53(192.168.1.127)
;; WHEN: Mon Sep 21 14:11:54 2009
;; MSG SIZE  rcvd: 500

The IP 192.168.1.127 is the IP address of the LAN DNS server I've set up.
It has a NAT firewall enabled so it is able to access the ISP-provided DNS
server directly. However, it looks to me like the ISP-provided DNS server
(216.171.238.66) was not able to resolve any of the names and all the resolving
is done at the top level servers. Is my understanding correct?

More importantly, is this the correct behavior I should expect, and how do I
solve the host unreachable resolving problem?

I appreciate your help. Thank you very much.


--
Shi Jin, PhD


  
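As an added example (not code from this thread or from BIND), the Python script below correlates named's "host unreachable resolving" syslog lines with the forwarders block of named.conf.options, so that a forwarder that cannot be reached (the firewall problem found later in this thread) is told apart from named querying other servers directly after falling back from its forwarders. The config fragment and log lines inside it are constructed for the example; the log format and the ip#port notation are the ones quoted above.

```python
import re
from collections import Counter

# Constructed named.conf.options fragment, echoing the one quoted in the thread.
NAMED_CONF_OPTIONS = """\
forwarders {
    216.171.238.66;
    216.171.238.67;
};
listen-on-v6 { none; };
"""

# Constructed syslog excerpt in the format the thread quotes (not real logs).
SYSLOG = """\
Sep 21 14:10:01 dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53
Sep 21 14:10:01 dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.67#53
Sep 21 14:10:02 dhcp-dns named[18638]: host unreachable resolving 'hp.com/A/IN': 216.171.238.67#53
Sep 21 14:10:03 dhcp-dns named[18638]: host unreachable resolving 'example.net/A/IN': 192.0.2.10#53
Sep 21 14:10:04 dhcp-dns named[18638]: lame server resolving 'example.org' (in 'example.org'?): 192.0.2.10#53
"""

FORWARDERS_RE = re.compile(r"forwarders\s*\{([^}]*)\}", re.S)
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s+port\s+(\d+))?\s*;")  # IPv4 "ip;" or "ip port N;"
UNREACH_RE = re.compile(r"named\[\d+\]: host unreachable resolving '[^']+': (\S+?)#(\d+)")

def parse_forwarders(conf):
    """Return {ip: port} for each entry of the forwarders {} block (port defaults to 53)."""
    m = FORWARDERS_RE.search(conf)
    return {ip: int(port or 53) for ip, port in ADDR_RE.findall(m.group(1))} if m else {}

def unreachable_by_server(syslog):
    """Count 'host unreachable resolving' events per upstream 'ip#port'; other messages are ignored."""
    counts = Counter()
    for line in syslog.splitlines():
        m = UNREACH_RE.search(line)
        if m:
            counts[f"{m.group(1)}#{m.group(2)}"] += 1
    return counts

def triage(conf, syslog):
    """Split unreachable upstreams into configured forwarders (a path/firewall problem
    between named and the ISP, as in the thread) and everything else (named querying
    non-forwarder servers itself, as it does when it falls back from forwarders)."""
    fwd = parse_forwarders(conf)
    report = {"forwarder_failures": {}, "other_unreachable": {}, "quiet_forwarders": []}
    for server, n in unreachable_by_server(syslog).items():
        ip, _, port = server.partition("#")
        bucket = "forwarder_failures" if fwd.get(ip) == int(port) else "other_unreachable"
        report[bucket][server] = n
    report["quiet_forwarders"] = [f"{ip}#{p}" for ip, p in fwd.items()
                                  if f"{ip}#{p}" not in report["forwarder_failures"]]
    return report
```

A forwarder listed under forwarder_failures while `dig @<forwarder>` from the same host succeeds points at the path named itself takes (source port, protocol or firewall policy), which is the tcpdump check the replies below ask for.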


Re: DNS server works but keep getting host unreachable resolving error

2009-09-21 Thread Michael Monnerie
On Monday 21 September 2009 Shi Jin wrote:
> However, it looks to me like the ISP provided DNS server
> (216.171.238.66) was not able to resolve any of the names and all the
> resolving is done at the top level servers. Is my understanding
> correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP 
there? Try the same for .67, the other DNS.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4



Re: DNS server works but keep getting host unreachable resolving error

2009-09-21 Thread Mark Andrews

In message 865284.37771...@web36203.mail.mud.yahoo.com, Shi Jin writes:
 
> > host unreachable is one of the clearer error messages, so you need
> > to do some digging. From the box that you've set up bind9 on you'll
> > need to use dig to query the ISP's name servers. If that works, then
> > you'll have to use tcpdump on that box to find out what named is doing.
> >
> > Doug
> >
> Thank you very much.
> Your suggestion to use tcpdump actually is very helpful. It clearly shows:
>   ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works.  I think you need to provide
a full trace not the summary that a plain tcpdump gives.

Add -Xvvv to the set of flags you used with tcpdump.

> So I think this most likely has to do with the firewall setup. Probably I
> should enable ICMP redirect? Could anyone confirm? And is this safe?
>
> Thank you very much.
> Shi
   
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNS server works but keep getting host unreachable resolving error

2009-09-21 Thread Shi Jin
Thank you all.
I've confirmed that the problem is firewall related. I've replaced my current
Untangle firewall with the simplest Linux NAT iptables firewall and everything
works perfectly, without any complaints.

Thank you very much for your kind help/suggestions.

Shi


  