Re: System Resolver Test App?
On Thu, 12 Nov 2009 01:48:02 -0500, Barry Margolin <bar...@alum.mit.edu> wrote:

> In article <mailman.971.1257996722.14796.bind-us...@lists.isc.org>, da...@from525.com <da...@from525.com> wrote:
>
>> I think between Stephane's test app and some snoop data I have a better idea of what is going on. It seems as if the local resolver starts by issuing ipv6 requests to the three name servers mentioned in resolv.conf.
>
> Do you mean that it's issuing requests using IPv6, or it's using IPv4 to send requests for records?

The latter. Using IPv4 to send requests for records.

>> The first two valid DNS servers (not configured for ipv6) each respond back stating they are not authoritative for the domain in question causing the subsequent servers to be queried. The resolver finds itself querying
>
> Which servers are you talking about now, the servers in resolv.conf, or the servers for the domain you're querying? The latter should not respond that they're not authoritative. Authority is not specific to IP versions, it just goes by names. A server is either authoritative for foo.com or it isn't, it can't be authoritative for foo.com's IPv4 data but not for its IPv6 data.

I was talking about the servers mentioned in the resolv.conf. So here goes a second try. There are (were) three servers mentioned in the resolv.conf. We can reference them going forward as nameserver1, nameserver2 and nameserver3. Nameserver3 is a bogus invalid IP belonging to nothing, while nameserver1 and nameserver2 are legitimate nameservers. Now it is important to know that the resource record that was causing issues while attempting to query is a CNAME to another resource record. The other resource record lives in DNS space that has been delegated out. In this case it has been delegated out to a Citrix Netscaler load balancing device. I believe the issue to actually be the fault of the Netscaler as it seems as if it does not handle the records as it should.

When the initial query is issued to the local resolver, snoop data shows that both nameserver1 and nameserver2 send a response back with an error message of Server failure (when the record is requested). The error message then triggers the loop of subsequent queries and creates the delays until the resolver issues the query for the A record. At this point everything works as normal. I plan to do some more tests to confirm my theory on the Netscaler. Please let me know if I am just talking nonsense.

>> the third bogus name server and has to wait for the 5 second time out. The resolver then repeats the whole process for ipv6 adding another 5 seconds to the delay (total of 10 now). The resolver then finally starts the whole process again for ipv4 and gets the proper answer with the first query.
>
> If you're not actually using IPv6, you might consider disabling it on your system. That should stop all the unnecessary v6 lookups.

It is not my system. I was just brought in to help find the issue. I can suggest this to the proper system admin.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
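A constructed model of the sequence David describes above, added here as an illustration and not code from the thread: for each query type the resolv.conf servers are walked in order, a SERVFAIL moves on to the next server at no cost, the dead third entry costs the timeout, the pass is repeated once, and only then is the A query sent. The per-server outcomes, the attempts count and the timeout are assumptions taken from his description, and `lookup_delay`, `query_cost` and `thread_rc` are names chosen here; the same function also prices the mitigations raised in the thread (dropping the bogus entry, disabling IPv6 lookups, lowering resolv.conf `options timeout:` and `attempts:`).

```c
#include <stdio.h>

/* Model of the stub-resolver sequence described in the thread (assumed, not
 * measured). For one query type the servers in resolv.conf are tried in
 * order: a SERVFAIL moves on to the next server at no cost, a server that
 * never answers costs `timeout` seconds, and after the last server the whole
 * pass is repeated until `attempts` passes have been made. */
enum outcome { ANSWER, SERVFAIL, TIMEOUT };

struct nameserver {
    const char *name;
    enum outcome on_aaaa;   /* behaviour for the AAAA (IPv6) query */
    enum outcome on_a;      /* behaviour for the A (IPv4) query */
};

/* The three resolv.conf entries David describes (constructed outcomes):
 * the two real servers SERVFAIL the AAAA query but answer the A query,
 * the bogus third entry never answers anything. */
static const struct nameserver thread_rc[] = {
    { "nameserver1", SERVFAIL, ANSWER },
    { "nameserver2", SERVFAIL, ANSWER },
    { "nameserver3", TIMEOUT,  TIMEOUT },
};

/* Seconds spent on one query type; stops at the first server that answers. */
static int query_cost(const struct nameserver *ns, int n, int aaaa, int attempts, int timeout)
{
    int cost = 0;
    for (int att = 0; att < attempts; att++)
        for (int i = 0; i < n; i++) {
            enum outcome o = aaaa ? ns[i].on_aaaa : ns[i].on_a;
            if (o == ANSWER)
                return cost;
            if (o == TIMEOUT)
                cost += timeout;   /* SERVFAIL: next server, no wait */
        }
    return cost;
}

/* Total delay for a lookup that sends AAAA first and A second, the order
 * David observed. v6 == 0 models IPv6 lookups disabled, so only A is sent. */
int lookup_delay(const struct nameserver *ns, int n, int attempts, int timeout, int v6)
{
    int total = v6 ? query_cost(ns, n, 1, attempts, timeout) : 0;
    return total + query_cost(ns, n, 0, attempts, timeout);
}

int main(void)
{
    /* glibc resolver defaults: timeout 5 s, 2 attempts; then each mitigation */
    printf("as configured:                %2d s\n", lookup_delay(thread_rc, 3, 2, 5, 1));
    printf("bogus entry removed:          %2d s\n", lookup_delay(thread_rc, 2, 2, 5, 1));
    printf("IPv6 lookups disabled:        %2d s\n", lookup_delay(thread_rc, 3, 2, 5, 0));
    printf("options timeout:1 attempts:1: %2d s\n", lookup_delay(thread_rc, 3, 1, 1, 1));
    return 0;
}
```

The first line reproduces the 10 seconds David counts; the extra seconds in his measured ~13 s are round trips the model does not price.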
Re: System Resolver Test App?
On Thu, 12 Nov 2009 08:04:35 -0600, da...@from525.com <da...@from525.com> wrote:

> I believe the issue to actually be the fault of the Netscaler as it seems as if it does not handle the records as it should.
>
> I plan to do some more tests to confirm my theory on the Netscaler.

All,

I have confirmed the issue with the Citrix Netscaler and records, which is documented at the link below. Thanks for everyone's help figuring this out.

http://support.citrix.com/article/CTX117947

Thanks,
David Porsche
Re: System Resolver Test App?
In article <mailman.961.1257980410.14796.bind-us...@lists.isc.org>, da...@from525.com <da...@from525.com> wrote:

> All,
>
> It has been a long day so please excuse me if I am overlooking something trivial. I am wondering if anyone knows of an app similar to nslookup or dig that actually uses the system resolver. I spent a decent amount of time this morning troubleshooting an issue where a third invalid nameserver entry within the /etc/resolv.conf (CentOS) caused me much grief. My trusty tools nslookup and dig failed me because they worked as expected while the system resolver did not. I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two working DNS servers first.

I'm not sure if there is one, but it should be pretty easy to write a program that calls res_query(). But it doesn't seem like this would be much help in troubleshooting, because when it gets an error you won't be able to tell why. There's no way for it to indicate that the error is because it was stuck on the third server.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: System Resolver Test App?
On Wed, Nov 11, 2009 at 05:00:03PM -0600, da...@from525.com <da...@from525.com> wrote a message of 60 lines which said:

> I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two working DNS servers first.

tcpdump ?
Re: System Resolver Test App?
On Wed, Nov 11, 2009 at 07:44:05PM -0500, Barry Margolin <bar...@alum.mit.edu> wrote a message of 27 lines which said:

> I'm not sure if there is one, but it should be pretty easy to write a program that calls res_query().

But this calls the DNS directly. The OP wanted something which called the system resolver, which means getaddrinfo(), not res_query().
Re: System Resolver Test App?
On Wed, Nov 11, 2009 at 05:00:03PM -0600, da...@from525.com <da...@from525.com> wrote a message of 60 lines which said:

> I am wondering if anyone knows of an app similar to nslookup or dig that actually uses the system resolver.

C source attached. Compile, for instance, with: gcc -o resolve-name resolve-name.c

> I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two working DNS servers first.

Not sure it will help.

    #include <stdbool.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>
    #include <errno.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/ip6.h>

    #define MAXHOSTNAMELEN 256

    char progname[MAXHOSTNAMELEN + 1];

    void
    usage(void)
    {
        fprintf(stderr, "Usage: %s hostname\n", progname);
    }

    /* Render a socket address as text. The buffer is never freed, which
       is acceptable for a short-lived diagnostic program. */
    char *
    text_of(struct sockaddr *address)
    {
        char *text = malloc(INET6_ADDRSTRLEN);
        struct sockaddr_in6 *address_v6;
        struct sockaddr_in *address_v4;
        if (address->sa_family == AF_INET6) {
            address_v6 = (struct sockaddr_in6 *) address;
            inet_ntop(AF_INET6, &address_v6->sin6_addr, text, INET6_ADDRSTRLEN);
        } else if (address->sa_family == AF_INET) {
            address_v4 = (struct sockaddr_in *) address;
            inet_ntop(AF_INET, &address_v4->sin_addr, text, INET_ADDRSTRLEN);
        } else {
            free(text);
            return ("[Unknown family address]");
        }
        return text;
    }

    int
    main(int argc, char **argv)
    {
        char hostname[MAXHOSTNAMELEN + 1];
        struct addrinfo hints_numeric, hints;
        struct addrinfo *result, *hostref;
        int status;
        strncpy(progname, argv[0], MAXHOSTNAMELEN);
        progname[MAXHOSTNAMELEN] = 0;
        if (argc != 2) {
            usage();
            exit(1);
        }
        strncpy(hostname, argv[1], MAXHOSTNAMELEN);
        hostname[MAXHOSTNAMELEN] = 0;
        /* RFC 1123 says we must try IP addresses first */
        memset(&hints_numeric, 0, sizeof(hints_numeric));
        hints_numeric.ai_flags = AI_NUMERICHOST;
        hints_numeric.ai_socktype = SOCK_STREAM;
        /* getaddrinfo() allocates the result list itself; it is released
           with freeaddrinfo() at the end */
        status = getaddrinfo(hostname, NULL, &hints_numeric, &result);
        if (!status) {
            fprintf(stdout, "%s is an IP address\n", hostname);
        } else {
            if (status == EAI_NONAME) {
                /* Not an IP address: ask the system resolver, IPv4 and IPv6 */
                memset(&hints, 0, sizeof(hints));
                hints.ai_family = AF_UNSPEC;
                hints.ai_socktype = SOCK_STREAM;
                status = getaddrinfo(hostname, NULL, &hints, &result);
                if (status) {
                    fprintf(stderr, "Nothing found about host name %s\n", hostname);
                    abort();
                }
            } else {
                fprintf(stderr, "Internal error, cannot resolve %s (error %i)\n", hostname, status);
                abort();
            }
            fprintf(stdout, "Address(es) of %s is(are):", hostname);
            fprintf(stdout, "%s ", text_of(result->ai_addr));
            for (hostref = result->ai_next; hostref != NULL; hostref = hostref->ai_next) {
                fprintf(stdout, "%s ", text_of(hostref->ai_addr));
            }
            fprintf(stdout, "\n");
        }
        freeaddrinfo(result);
        exit(0);
    }
Re: System Resolver Test App?
In article <mailman.966.1257988033.14796.bind-us...@lists.isc.org>, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Wed, Nov 11, 2009 at 07:44:05PM -0500, Barry Margolin <bar...@alum.mit.edu> wrote a message of 27 lines which said:
>
>> I'm not sure if there is one, but it should be pretty easy to write a program that calls res_query().
>
> But this calls the DNS directly. The OP wanted something which called the system resolver, which means getaddrinfo(), not res_query().

Considering the problem he was trying to solve, I didn't think he cared about things like /etc/hosts, he just wants to exercise the DNS stub resolver. If you just want to do a hostname lookup, you can use practically any network application, e.g. ping. And how would you use getaddrinfo() to test MX lookups, for instance?

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: System Resolver Test App?
On Wed, Nov 11, 2009 at 08:14:02PM -0500, Barry Margolin <bar...@alum.mit.edu> wrote a message of 24 lines which said:

> If you just want to do a hostname lookup, you can use practically any network application, e.g. ping.

It gives you less information than the program I posted.

1) On a typical OS, ping forces you to choose explicitly IPv4 or IPv6. In that respect, telnet is better than ping for this test.

2) You see only the first IP address, not the full list.
Re: System Resolver Test App?
On Thu, 12 Nov 2009 10:01:38 +0900, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> On Wed, Nov 11, 2009 at 05:00:03PM -0600, da...@from525.com <da...@from525.com> wrote a message of 60 lines which said:
>
>> I am wondering if anyone knows of an app similar to nslookup or dig that actually uses the system resolver.
>
> C source attached. Compile, for instance, with: gcc -o resolve-name resolve-name.c
>
>> I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two working DNS servers first.
>
> Not sure it will help.

Stephane,

Thanks for that bit of C, it works great and does just what I was hoping for. I was able to reproduce the almost 13 second delay while looking up a specific hostname. Funny thing is, when I perform other queries for other hostnames the third invalid DNS server mentioned in the resolv.conf does not seem to be a problem. When I remove the third invalid entry and perform the same query with your application the delay is non existent. I have captured previous tcpdumps and didn't notice anything out of the norm, but there was a lot of other network chatter. The app should let me capture a more concise tcpdump for further examination. Is there any way you could incorporate resolver errors being sent to stdout?

Thanks,
David Porsche
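An added example of what David asks for, not Stephane's program and not from the thread: a getaddrinfo() wrapper that reports the resolver's own error text through gai_strerror() and times each address family separately, so a slow IPv6 pass shows up apart from the IPv4 pass instead of being folded into one AF_UNSPEC lookup. `timed_lookup`, `report` and `struct lookup_result` are names chosen here; compile as shown in the thread, e.g. gcc -o timed-resolve timed-resolve.c (assumed file name).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

struct lookup_result {
    int status;                   /* getaddrinfo() return value, 0 on success */
    long elapsed_ms;              /* wall-clock cost of the call */
    int count;                    /* addresses returned, 0 on failure */
    char first[INET6_ADDRSTRLEN]; /* first address as text, "" if none */
};

/* One system-resolver lookup for one family (AF_INET6, AF_INET or AF_UNSPEC). */
int timed_lookup(const char *host, int family, struct lookup_result *out)
{
    struct addrinfo hints, *res = NULL, *p;
    struct timespec t0, t1;
    memset(out, 0, sizeof(*out));
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    out->status = getaddrinfo(host, NULL, &hints, &res);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    out->elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000L + (t1.tv_nsec - t0.tv_nsec) / 1000000L;
    if (out->status != 0)
        return out->status;       /* res is left untouched on failure */
    for (p = res; p != NULL; p = p->ai_next, out->count++) {
        if (out->count == 0) {    /* render the first address only */
            const void *a = p->ai_family == AF_INET6
                ? (const void *)&((struct sockaddr_in6 *)p->ai_addr)->sin6_addr
                : (const void *)&((struct sockaddr_in *)p->ai_addr)->sin_addr;
            inet_ntop(p->ai_family, a, out->first, sizeof out->first);
        }
    }
    freeaddrinfo(res);
    return 0;
}

/* One line per family: gai_strerror() text or the first address, plus timing.
 * A family that costs ~5 s per unreachable nameserver stands out at once. */
void report(const char *host)
{
    static const struct { int family; const char *name; } fams[] = {
        { AF_INET6, "IPv6" }, { AF_INET, "IPv4" }, { AF_UNSPEC, "unspec" } };
    for (size_t i = 0; i < sizeof fams / sizeof fams[0]; i++) {
        struct lookup_result r;
        timed_lookup(host, fams[i].family, &r);
        printf("%-7s %6ld ms  %s (%d address(es))\n", fams[i].name, r.elapsed_ms,
               r.status ? gai_strerror(r.status) : r.first, r.count);
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "Usage: %s hostname\n", argv[0]); return 1; }
    report(argv[1]);
    return 0;
}
```

Run it against the slow name with and without the third resolv.conf entry and compare the IPv6 and IPv4 lines; a tcpdump filtered on port 53 taken alongside will be short enough to read.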
Re: System Resolver Test App?
http://www.reedmedia.net/software/gethost/
Re: System Resolver Test App?
On Wed, 11 Nov 2009 20:06:11 -0600, da...@from525.com <da...@from525.com> wrote:

> Thanks for that bit of C, it works great and does just what I was hoping for. I was able to reproduce the almost 13 second delay while looking up a specific hostname. Funny thing is, when I perform other queries for other hostnames the third invalid DNS server mentioned in the resolv.conf does not seem to be a problem. When I remove the third invalid entry and perform the same query with your application the delay is non existent.

Thanks All,

I think between Stephane's test app and some snoop data I have a better idea of what is going on. It seems as if the local resolver starts by issuing ipv6 requests to the three name servers mentioned in resolv.conf. The first two valid DNS servers (not configured for ipv6) each respond back stating they are not authoritative for the domain in question, causing the subsequent servers to be queried.

The resolver finds itself querying the third bogus name server and has to wait for the 5 second time out. The resolver then repeats the whole process for ipv6, adding another 5 seconds to the delay (total of 10 now). The resolver then finally starts the whole process again for ipv4 and gets the proper answer with the first query.

Thanks,
David Porsche
Re: System Resolver Test App?
In article <mailman.971.1257996722.14796.bind-us...@lists.isc.org>, da...@from525.com <da...@from525.com> wrote:

> I think between Stephane's test app and some snoop data I have a better idea of what is going on. It seems as if the local resolver starts by issuing ipv6 requests to the three name servers mentioned in resolv.conf.

Do you mean that it's issuing requests using IPv6, or it's using IPv4 to send requests for records?

> The first two valid DNS servers (not configured for ipv6) each respond back stating they are not authoritative for the domain in question causing the subsequent servers to be queried. The resolver finds itself querying

Which servers are you talking about now, the servers in resolv.conf, or the servers for the domain you're querying? The latter should not respond that they're not authoritative. Authority is not specific to IP versions, it just goes by names. A server is either authoritative for foo.com or it isn't, it can't be authoritative for foo.com's IPv4 data but not for its IPv6 data.

> the third bogus name server and has to wait for the 5 second time out. The resolver then repeats the whole process for ipv6 adding another 5 seconds to the delay (total of 10 now). The resolver then finally starts the whole process again for ipv4 and gets the proper answer with the first query.

If you're not actually using IPv6, you might consider disabling it on your system. That should stop all the unnecessary v6 lookups.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***