Re: DNS not resolving for a particular domain only
Thanks for the suggestion Grant. Here's what I get for the recursive server's capture: ( I queried from the recursive server itself from another ssh session so it is the client as well) # tcpdump -v -v -nt -i eth0 udp port 53|grep lenovotcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32) 86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32) 86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 [1au] A? www.lenovo.com. ar: . OPT UDPsize=4096 OK (43) 193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT UDPsize=4096 OK (76) 86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32) 86.36.AA.BB.10224 > 86.36.DD.EE.domain: [bad udp cksum 18c7!] 12721 [1au] A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57) 86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 360 60 ar: . OPT UDPsize=4096 OK (138) 86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? www.lenovo.com. 0/0/0 (32) 86.36.AA.BB = localhost (our recursive server) where I ran the query and capture 86.36.AA.CC = our secondary recursive server (no idea why that was contacted) 86.36.DD.EE = our one of two anycast addresses which point to the recursive servers So it looks like we do get to the CNAME (4th line) but still it fails...?I also tried a capture from a regular linux client but the output was similar except that it didn't include the CNAME line. Frankly I have no idea if this is giving any useful info. I did see that for other queries also I saw bad udp cksum messages so not sure if thats an actual problem. Do you see anything specific that might help us diagnose further? Thanks From: Grant Taylor via bind-usersTo: bind-users@lists.isc.org Sent: Friday, August 11, 2017 7:06 PM Subject: Re: DNS not resolving for a particular domain only On 08/11/2017 06:49 AM, U Zee via bind-users wrote: > Any ideas please??? I'm seeing different A records returned depending on where I query from. As such I can only speculate that something related to DNS for a CDN is not working as desired. I'd suggest a packet capture of the client's DNS traffic and possibly (if not likely) the client's recursive DNS server's traffic (related to the query.) -- Grant. . . . unix || die ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: need to look up short names
On 08/11/2017 02:40 PM, ToddAndMargo wrote: On 08/10/2017 07:07 PM, Grant Taylor via bind-users wrote: On 08/10/2017 06:21 PM, toddandmargo wrote: Fedora 26 Fedora = Linux (vs Windows vs other) I am stumped. I need to be able to look up short names on my local network. ... What am I missing? domain and / or search configuration in /etc/resolv.conf man resolv.conf Follow up: I had goofed my /etc/resolv.conf. The hostname was suppose to be ".local" not ".com". mumble, mumble -T Setting the host and domain name has gotten a little "interesting" in Fedora as of late. # hostnamectl set-hostname FedoraServer..local –static And it updates resolv.conf too ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: need to look up short names
On 08/10/2017 07:07 PM, Grant Taylor via bind-users wrote: On 08/10/2017 06:21 PM, toddandmargo wrote: Fedora 26 Fedora = Linux (vs Windows vs other) I am stumped. I need to be able to look up short names on my local network. ... What am I missing? domain and / or search configuration in /etc/resolv.conf man resolv.conf Follow up: I had goofed my /etc/resolv.conf. The hostname was suppose to be ".local" not ".com". mumble, mumble -T ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Confused about SELinux error
Hi All, What does this SELinux error mean when I start bin-chroot? # semanage fcontext -a -t FILE_TYPE 'session.key' where FILE_TYPE is one of the following: dnssec_trigger_var_run_t, ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t, named_log_t, named_tmp_t, named_var_run_t. # semanage fcontext -a -t named_var_run_t 'session.key' # restorecon -v 'session.key' How am I suppose to know what "FILE_TYPE" they are talking about? -T ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: need to look up short names
On 08/10/2017 10:18 PM, /dev/rob0 wrote: Note that this still work for dig(1) and host(1) as per the OP's examples. But things like ping(1) and browsers will work with a search domain. Do you mean to say that the search / domain entry in /etc/resolv.conf do /not/ work for dig / host? (Or am I mis-reading your email?) Do you know if there is a way to get nslookup* / dig / host to work with the search domain? It was my (mis)understanding that search / domain works for things that use the system resolver libraries, which (I believe) nslookup* / dig / host bypass and make (unqualified) DNS queries directly. Please correct me if I'm wrong. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: command line ID vs Wireshark transaction ID (dns.id)
> What nameserver addresses are listed in /etc/resolv.conf? So. resolv.conf has the non-RFC1918 ip addresses commented out *and* loopback is the only one enabled. Lovely. I decided to leave it as is and retested with: # tcpdump -n -i lo0 -s0 port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes 08:50:55.837412 IP 127.0.0.1.17709 > 127.0.0.1.53: 59248+ A? www.airnav.com. (32) 08:50:56.019525 IP 127.0.0.1.53 > 127.0.0.1.17709: 59248 1/3/6 A 206.125.168.131 (247) Wireshark hex transaction id converts to decimal for a successful match. Thanks for the help Mark! John ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-chroot, runs, works, dies
Am 11.08.2017 um 15:57 schrieb Petr Mensik: Hi Todd. I think much better than Ask Fedora would be filling a bug in bugzilla.redhat.com. I would see it straight away. I am Fedora bind maintainer. If there is bug preventing correct start of named-chroot, I would like to fix it. You would see SElinux errors in command "ausearch -i -ts recent -m avc -m user_avc -m selinux_err" if that errors were SElinux related. I think your config file is missing pid-file "/run/named/named.pid"; It has to match pid file used by your named-chroot.service. If systemd does not find the pid file of forking service, it will cancel the service. PIDFile in named-chroot service includes chroot path, but configuration file has to point to path inside chroot only. It should work with default configuration even when pid-file directive is commented out. There is symlink from /var/run to /run also in /var/named/chroot and why in the world does the unit contain that pid-file stuff at all? i maintain 25 production servers running on Fedora for nearly a decade and removed all that pid-file-stuff excatly becuse it causes only troubles long before most package maintainers provided systemd-units while as we deloyed F15 we overrided every single service with a unit in /etc/systemd/system after 6 years running systemd nobody was able to show me a single service which needs a pid-file these days because the whole concept is broken by design when we have a system manager which can track services and processes proper the pid-file stuff in systemd is last ressort for heavily broken software ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind-chroot, runs, works, dies
Hi Todd. I think much better than Ask Fedora would be filling a bug in bugzilla.redhat.com. I would see it straight away. I am Fedora bind maintainer. If there is bug preventing correct start of named-chroot, I would like to fix it. You would see SElinux errors in command "ausearch -i -ts recent -m avc -m user_avc -m selinux_err" if that errors were SElinux related. I think your config file is missing pid-file "/run/named/named.pid"; It has to match pid file used by your named-chroot.service. If systemd does not find the pid file of forking service, it will cancel the service. PIDFile in named-chroot service includes chroot path, but configuration file has to point to path inside chroot only. It should work with default configuration even when pid-file directive is commented out. There is symlink from /var/run to /run also in /var/named/chroot. Can you check rights and selinux context of chroot run directories? These are on my Fedora 26. $ ls -ldZ /var/named/chroot/{,var/}run{,/named} drwxr-x---. 3 root named system_u:object_r:named_conf_t:s04096 Aug 11 13:01 /var/named/chroot/run drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/run/named lrwxrwxrwx. 1 named named system_u:object_r:named_conf_t:s0 6 Jun 30 18:45 /var/named/chroot/var/run -> ../run drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/var/run/named Is it possible you do not have the /var/run symlink there? It would not find pid file and cancel the service then. Did you upgrade to Fedora 26 from previous version? I would be grateful If you could fill a bug. You may not be the only one affected and I would like to fix it for everyone. I would test whether Type=service proposed by Reindl can be used in new Fedora release. I like it. -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: 65C6C973 - Original Message - From: "toddandmargo"To: bind-users@lists.isc.org Sent: Thursday, August 10, 2017 12:14:00 AM Subject: bind-chroot, runs, works, dies Hi All, Help! Fedora 26 x64 Xfce 4.12 # rpm -qa \bind\* bind-libs-lite-9.11.1-2.P2.fc26.x86_64 bind99-libs-9.9.10-1.P2.fc26.x86_64 bind-chroot-9.11.1-2.P2.fc26.x86_64 bind-license-9.11.1-2.P2.fc26.noarch bind-9.11.1-2.P2.fc26.x86_64 bind-libs-9.11.1-2.P2.fc26.x86_64 bind99-license-9.9.10-1.P2.fc26.noarch bind-utils-9.11.1-2.P2.fc26.x86_64 I have a weird one. I am trying to set up bind-chroot. When I run it, it works for about 30 seconds, then dies. And for the entire 30 seconds, it works beautifully. I can go anywhere with Firefox and look up anything with "host". Then it breaks my heart. # systemctl start named-chroot Job for named-chroot.service canceled. This is my error logs: Aug 8 15:58:49 FedoraServer named[10120]: all zones loaded Aug 8 15:58:49 FedoraServer named[10120]: running Aug 8 15:58:49 FedoraServer named[10120]: zone 255.168.192.in-addr.arpa/IN: sending notifies (serial 57) Aug 8 15:58:49 FedoraServer named[10120]: zone alpine.local/IN: sending notifies (serial 60) Aug 8 15:58:49 FedoraServer systemd: named-chroot.service: PID file /var/named/chroot/run/named/named.pid not readable (yet?) after start: No such file or directory Aug 8 16:00:19 FedoraServer systemd: named-chroot.service: Start operation timed out. Terminating. Aug 8 16:00:19 FedoraServer named[10120]: shutting down Aug 8 16:00:19 FedoraServer named[10120]: stopping command channel on 127.0.0.1#953 Aug 8 16:00:19 FedoraServer named[10120]: stopping command channel on ::1#953 Aug 8 16:00:19 FedoraServer named[10120]: no longer listening on ::#53 Aug 8 16:00:19 FedoraServer named[10120]: no longer listening on 127.0.0.1#53 Aug 8 16:00:19 FedoraServer named[10120]: no longer listening on 50.124.80.106#53 Aug 8 16:00:19 FedoraServer named[10120]: exiting Aug 8 16:00:19 FedoraServer systemd: Stopped Berkeley Internet Name Domain (DNS). Aug 8 16:00:19 FedoraServer systemd: named-chroot.service: Unit entered failed state. Aug 8 16:00:19 FedoraServer systemd: named-chroot.service: Failed with result 'timeout'. Aug 8 16:00:19 FedoraServer systemd: Stopping Set-up/destroy chroot environment for named (DNS)... Aug 8 16:00:19 FedoraServer audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-chroot comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Aug 8 16:00:20 FedoraServer systemd: Stopped Set-up/destroy chroot environment for named (DNS). Aug 8 16:00:20 FedoraServer audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-chroot-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' I find the PID file /var/named/chroot/run/named/named.pid not readable (yet?)
DNS not resolving for a particular domain only
Hi All, We are experiencing a weird issue for the past week or two. We run bind9 on RHEL/CentOS and one of our international offices that has their own auth and caching servers cannot resolve lenovo.com for some odd reason. If that office clients use google DNS it works but using their own DNS caching servers, it cant resolve. Commands dig and nslookup give a timeout. Although dig with trace is able to get to the final answer. Nothing in the logs indicate an issue. Also, this is the only address that cant resolve, everything else works fine. We've contacted the ISP to make sure nothing is being blocked or anything, and thats all clear. The network team has confirmed they haven't done anything on the edge devices or any firewall rule modifications which can cause it. Any ideas please???___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: command line ID vs Wireshark transaction ID (dns.id)
strange : by me it looks like ... : 43350 = 0xa956 >/usr/bin/dig www.google.ch ; <<>> DiG 9.10.3-P4-Debian <<>> www.google.ch ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43350 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 >tshark -V -f 'port 53' ... Domain Name System (response) [Request In: 1] [Time: 0.001247378 seconds] Transaction ID: 0xa956 Flags: 0x8180 Standard query response, No error 1... = Response: Me . -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews Sent: vendredi, 11 août 2017 02:26 To: John W. BlueCc: bind-users@lists.isc.org Subject: Re: command line ID vs Wireshark transaction ID (dns.id) In message , "John W. Blue" wr ites: > I have been trying to correlate the ID value returned via a command > line query here: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796 > > to a "transaction ID" found in wireshark when it dissects the packet > found here: > > Transaction ID: 0x1aa6 > > without any success because 0x1aa6 does not hex > dec convert to 60796. > > > I am clearly missing something here because wireshark can tie the > query and response together into a stream. > > Thoughts? Apply Occam's razor. The packet in wireshark is not the packet DiG displayed. > John -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users