Re: DNS not resolving for a particular domain only

2017-08-11 Thread U Zee via bind-users
Thanks for the suggestion Grant.
Here's what I get for the recursive server's capture: ( I queried from the 
recursive server itself from another ssh session so it is the client as well)

# tcpdump -v -v -nt -i eth0 udp port 53 | grep lenovo
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 [1au] A? www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT UDPsize=4096 OK (76)
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.10224 > 86.36.DD.EE.domain: [bad udp cksum 18c7!] 12721 [1au] A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57)
86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 360 60 ar: . OPT UDPsize=4096 OK (138)
86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? www.lenovo.com. 0/0/0 (32)

86.36.AA.BB = localhost (our recursive server) where I ran the query and capture
86.36.AA.CC = our secondary recursive server (no idea why that was contacted)
86.36.DD.EE = one of our two anycast addresses which point to the recursive 
servers


So it looks like we do get to the CNAME (4th line) but still it fails...? I also 
tried a capture from a regular Linux client but the output was similar except 
that it didn't include the CNAME line.

Frankly I have no idea if this is giving any useful info. I did see that for 
other queries also I saw bad udp cksum messages so not sure if that's an actual 
problem.
Do you see anything specific that might help us diagnose further?
Thanks
  From: Grant Taylor via bind-users 
 To: bind-users@lists.isc.org 
 Sent: Friday, August 11, 2017 7:06 PM
 Subject: Re: DNS not resolving for a particular domain only
   
On 08/11/2017 06:49 AM, U Zee via bind-users wrote:
> Any ideas please???

I'm seeing different A records returned depending on where I query from.

As such I can only speculate that something related to DNS for a CDN is 
not working as desired.

I'd suggest a packet capture of the client's DNS traffic and possibly 
(if not likely) the client's recursive DNS server's traffic (related to 
the query.)



-- 
Grant. . . .
unix || die
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

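The capture quoted above is easier to read once each query is paired with its response. The following is an added example, not part of the poster's message or of BIND: it groups tcpdump's one-line DNS summaries into transactions keyed by (client socket, server, transaction ID), so retransmissions, unanswered queries and the rcode of each exchange stand out, and it lists CNAME targets that were returned but never themselves queried within the capture. The sample lines are the ones from the post, with the addresses masked exactly as the poster masked them; as an extension beyond that format, the parser also accepts lines with timestamps and without the -v checksum note (the loopback capture in the dns.id thread further down parses too). The ID is shown in decimal, as dig and tcpdump print it, and in hex, as Wireshark's dns.id field shows it.

```python
"""Pair the DNS queries and responses in tcpdump one-line output by transaction."""
import re
from collections import OrderedDict

# "src.port > dst.port: [cksum note] ID[flags] rest" as printed by tcpdump -n [-v] for UDP DNS.
# The checksum note only appears with -v and timestamps only without -t, so search() is used
# instead of match() and the bracketed note is optional.
HEADER = re.compile(r'(\S+) > (\S+): (?:\[[^\]]*\] )?(\d+)(\S*) (.*)$')
QUESTION = re.compile(r'\b([A-Z]+)\? (\S+)')
RCODES = ('NXDomain', 'ServFail', 'Refused', 'FormErr', 'NotImp', 'NotAuth', 'YXDomain')


def parse_line(line):
    """One tcpdump line -> dict, or None for lines that are not DNS summaries."""
    m = HEADER.search(line.strip())
    if not m:
        return None
    src, dst, txid, flags, rest = m.groups()
    # a packet leaving port 53 ("domain" with -n, "53" with -nn) is the server's response
    is_response = src.rsplit('.', 1)[-1] in ('domain', '53')
    q = QUESTION.search(rest)
    return {
        'id': int(txid),
        'client': dst if is_response else src,
        'server': src if is_response else dst,
        'response': is_response,
        'qtype': q.group(1) if q else None,
        'qname': q.group(2) if q else None,
        # tcpdump prints a non-zero rcode right after the ID; otherwise NoError is implied
        'rcode': next((c for c in RCODES if rest.startswith(c)), 'NoError') if is_response else None,
        'cnames': re.findall(r'\bCNAME (\S+)', rest) if is_response else [],
    }


def correlate(lines):
    """Group records into transactions keyed by (client socket, server, ID), in first-seen order."""
    txns = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['client'], rec['server'], rec['id'])
        t = txns.setdefault(key, {'id': rec['id'], 'client': rec['client'], 'server': rec['server'],
                                  'qtype': rec['qtype'], 'qname': rec['qname'],
                                  'sends': 0, 'rcode': None, 'cnames': []})
        if rec['response']:
            t['rcode'] = rec['rcode']
            t['cnames'] += rec['cnames']
        else:
            t['sends'] += 1          # the same ID from the same socket more than once = retransmission
    return list(txns.values())


def unchased_cnames(txns):
    """CNAME targets that appear in answers but were never queried in this capture."""
    asked = {t['qname'] for t in txns}
    return sorted({c for t in txns for c in t['cnames'] if c not in asked})


def report(txns):
    """Human-readable summary, one line per transaction plus its CNAME answers."""
    out = []
    for t in txns:
        status = t['rcode'] or 'NO RESPONSE'
        if t['sends'] > 1:
            status += ' after %d sends' % t['sends']
        # decimal ID as dig/tcpdump print it, hex as Wireshark's dns.id shows it
        out.append('%5d (0x%04x) %s -> %s %s %s: %s' % (t['id'], t['id'], t['client'],
                                                          t['server'], t['qtype'], t['qname'], status))
        out += ['      answer: CNAME ' + c for c in t['cnames']]
    return out


# The capture from the post (addresses masked by the poster); the stderr "listening on" line is skipped.
CAPTURE = """\
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.36143 > 193.108.91.79.domain: [bad udp cksum c63c!] 12966 [1au] A? www.lenovo.com. ar: . OPT UDPsize=4096 OK (43)
193.108.91.79.domain > 86.36.AA.BB.36143: [udp sum ok] 12966*- q: A? www.lenovo.com. 1/0/1 www.lenovo.com. CNAME cs47.can.lnvcdn.net. ar: . OPT UDPsize=4096 OK (76)
86.36.AA.BB.45776 > 86.36.AA.CC.domain: [bad udp cksum 8a1b!] 34468+ A? www.lenovo.com. (32)
86.36.AA.BB.10224 > 86.36.DD.EE.domain: [bad udp cksum 18c7!] 12721 [1au] A? www.lenovo.com.ourdomain.com. ar: . OPT UDPsize=4096 OK (57)
86.36.DD.EE.domain > 86.36.AA.BB.10224: [udp sum ok] 12721 NXDomain*- q: A? www.lenovo.com.ourdomain.com. 0/1/1 ns: ourdomain.com. SOA master.ourdomain.com. host-master.ourparentdomain.com. 138524105 900 450 360 60 ar: . OPT UDPsize=4096 OK (138)
86.36.AA.CC.domain > 86.36.AA.BB.45776: [udp sum ok] 34468 ServFail q: A? www.lenovo.com. 0/0/0 (32)
""".splitlines()

if __name__ == '__main__':
    txns = correlate(CAPTURE)
    print('\n'.join(report(txns)))
    print('CNAME targets never queried in this capture:', unchased_cnames(txns))
```

Two things the pairing makes visible. First, the capture was filtered with grep lenovo, so any follow-up queries for cs47.can.lnvcdn.net. (the name the recursor has to chase after the CNAME) are invisible by construction; re-capturing without the grep, or matching lnvcdn as well, is the step that would show whether resolving the CNAME target is what fails. Second, the query to 86.36.AA.CC that surprised the poster is simply where the stub resolver on that host was told to send it: the nameserver lines of that host's own /etc/resolv.conf decide that, and the www.lenovo.com.ourdomain.com query that follows the SERVFAIL is the same stub walking its search list. The bad udp cksum notes appear only on packets leaving 86.36.AA.BB, which is the normal signature of checksum offload (tcpdump sees the frame before the NIC fills in the checksum) rather than a fault; the incoming packets all show udp sum ok.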

Re: need to look up short names

2017-08-11 Thread ToddAndMargo

On 08/11/2017 02:40 PM, ToddAndMargo wrote:

On 08/10/2017 07:07 PM, Grant Taylor via bind-users wrote:

On 08/10/2017 06:21 PM, toddandmargo wrote:

Fedora 26


Fedora = Linux (vs Windows vs other)


I am stumped.   I need to be able to look up short names on my local
network.

...

What am I missing?


domain and / or search configuration in /etc/resolv.conf

man resolv.conf




Follow up:

I had goofed my /etc/resolv.conf.  The hostname was
suppose to be ".local" not ".com".

mumble, mumble

-T


Setting the host and domain name has gotten a little
"interesting" in Fedora as of late.

# hostnamectl set-hostname FedoraServer..local --static

And it updates resolv.conf too


Re: need to look up short names

2017-08-11 Thread ToddAndMargo

On 08/10/2017 07:07 PM, Grant Taylor via bind-users wrote:

On 08/10/2017 06:21 PM, toddandmargo wrote:

Fedora 26


Fedora = Linux (vs Windows vs other)


I am stumped.   I need to be able to look up short names on my local
network.

...

What am I missing?


domain and / or search configuration in /etc/resolv.conf

man resolv.conf




Follow up:

I had goofed my /etc/resolv.conf.  The hostname was
suppose to be ".local" not ".com".

mumble, mumble

-T




Confused about SELinux error

2017-08-11 Thread ToddAndMargo

Hi All,

What does this SELinux error mean when I start bind-chroot?

 # semanage fcontext -a -t FILE_TYPE 'session.key'

 where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
 ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
 named_log_t, named_tmp_t, named_var_run_t.

# semanage fcontext -a -t named_var_run_t 'session.key'
# restorecon -v 'session.key'


How am I supposed to know what "FILE_TYPE" they are talking about?

-T




Re: need to look up short names

2017-08-11 Thread Grant Taylor via bind-users

On 08/10/2017 10:18 PM, /dev/rob0 wrote:

Note that this still work for dig(1) and host(1) as per the OP's
examples.  But things like ping(1) and browsers will work with a
search domain.


Do you mean to say that the search / domain entry in /etc/resolv.conf do 
/not/ work for dig / host?  (Or am I mis-reading your email?)


Do you know if there is a way to get nslookup* / dig / host to work with 
the search domain?


It was my (mis)understanding that search / domain works for things that 
use the system resolver libraries, which (I believe) nslookup* / dig / 
host bypass and make (unqualified) DNS queries directly.


Please correct me if I'm wrong.



--
Grant. . . .
unix || die



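The short-name problem in this thread comes down to how the stub resolver qualifies a name using the domain/search and ndots settings of /etc/resolv.conf. As an added example, not taken from the thread or from BIND, here is a Python emulation of the order glibc's res_nsearch tries names in, together with a simulated lookup loop that, like glibc, moves on to the next search domain after NXDOMAIN, NODATA or SERVFAIL and gives up on other errors. The resolv.conf snippets, the zone contents and the 192.168.255.x address are constructed for the example. On the tools question raised above: dig does not use the search list unless it is run with +search (its ndots can be set with +ndots), while host and nslookup do apply it by default. One caveat on the .local choice: .local is the domain multicast DNS (RFC 6762) uses, and when nss-mdns is installed the usual nsswitch.conf line hosts: files mdns4_minimal [NOTFOUND=return] dns answers .local names over multicast and returns not-found without ever asking unicast DNS.

```python
"""Emulate how the glibc stub resolver qualifies a short name with resolv.conf (res_nsearch)."""

# Outcomes after which the search loop goes on to the next search domain
CONTINUE_ON = {'NXDOMAIN', 'NODATA', 'SERVFAIL'}


def parse_resolv_conf(text):
    """Return (search_list, ndots). 'domain' and 'search' override each other; the last one wins."""
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        key, *args = line.split()
        if key in ('domain', 'search'):
            search = [d.rstrip('.') for d in args]
        elif key == 'options':
            for opt in args:
                if opt.startswith('ndots:'):
                    ndots = int(opt.split(':', 1)[1])
    return search, ndots


def candidates(name, search, ndots=1):
    """FQDNs (with trailing dot) in the order glibc queries them for `name`."""
    if name.endswith('.'):
        return [name]                                   # absolute name: never searched
    dots = name.count('.')
    order = []
    if dots >= ndots:
        order.append(name + '.')                        # enough dots: try as-is first
    order += ['%s.%s.' % (name, d.rstrip('.')) for d in search]   # then each search domain
    if dots < ndots:
        order.append(name + '.')                        # as-is last if not tried yet
    return order


def resolve(name, search, ndots, zone):
    """Walk the candidates against `zone`, a constructed stand-in for the DNS:
    {fqdn: [addresses] or 'NXDOMAIN' | 'NODATA' | 'SERVFAIL' | 'REFUSED'}.
    Returns (addresses or None, list of names actually queried)."""
    tried = []
    for fqdn in candidates(name, search, ndots):
        tried.append(fqdn)
        answer = zone.get(fqdn, 'NXDOMAIN')             # unknown names answer NXDOMAIN
        if isinstance(answer, list):
            return answer, tried
        # the as-is attempt falls through to the search list whatever the error;
        # inside the search list anything other than NXDOMAIN/NODATA/SERVFAIL ends the search
        if answer not in CONTINUE_ON and fqdn != name + '.':
            break
    return None, tried


if __name__ == '__main__':
    # Constructed resolv.conf variants: the typo from the thread (.com) and the fix (.local)
    BROKEN = "nameserver 192.168.255.1\ndomain alpine.com\n"
    FIXED = "nameserver 192.168.255.1\nsearch alpine.local\n"
    # Constructed zone data: only fedoraserver.alpine.local. exists; www.lenovo.com. SERVFAILs
    ZONE = {'fedoraserver.alpine.local.': ['192.168.255.10'], 'www.lenovo.com.': 'SERVFAIL'}
    for conf in (BROKEN, FIXED):
        search, ndots = parse_resolv_conf(conf)
        print(conf.strip().splitlines()[-1], '->', resolve('fedoraserver', search, ndots, ZONE))
    # the SERVFAIL on the as-is query makes the stub try the search domain next
    print(resolve('www.lenovo.com', ['ourdomain.com'], 1, ZONE))
```

With domain alpine.com the stub asks for fedoraserver.alpine.com. and then fedoraserver., both NXDOMAIN, which is the failure in the thread; with search alpine.local the first candidate answers. The last call shows why a capture of a failing www.lenovo.com lookup contains a query for www.lenovo.com.ourdomain.com: a SERVFAIL on the as-is query does not end the search.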

RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-11 Thread John W. Blue


> What nameserver addresses are listed in /etc/resolv.conf?

So. 

resolv.conf has the non-RFC1918 ip addresses commented out *and* loopback is 
the only one enabled.

Lovely.  

I decided to leave it as is and retested with:

# tcpdump -n -i lo0 -s0 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
08:50:55.837412 IP 127.0.0.1.17709 > 127.0.0.1.53: 59248+ A? www.airnav.com. 
(32)
08:50:56.019525 IP 127.0.0.1.53 > 127.0.0.1.17709: 59248 1/3/6 A 
206.125.168.131 (247)

Wireshark hex transaction id converts to decimal for a successful match.

Thanks for the help Mark!

John


Re: bind-chroot, runs, works, dies

2017-08-11 Thread Reindl Harald



On 11.08.2017 at 15:57, Petr Mensik wrote:

Hi Todd.

I think much better than Ask Fedora would be filling a bug in 
bugzilla.redhat.com. I would see it straight away.
I am Fedora bind maintainer. If there is bug preventing correct start of 
named-chroot, I would like to fix it.

You would see SElinux errors in command "ausearch -i -ts recent -m avc -m user_avc 
-m selinux_err" if that errors were SElinux related.

I think your config file is missing pid-file "/run/named/named.pid"; It has to 
match pid file used by your named-chroot.service. If systemd does not find the pid file 
of forking service, it will cancel the service.
PIDFile in named-chroot service includes chroot path, but configuration file 
has to point to path inside chroot only.
It should work with default configuration even when pid-file directive is 
commented out. There is symlink from /var/run to /run also in /var/named/chroot


and why in the world does the unit contain that pid-file stuff at all?

I maintain 25 production servers running on Fedora for nearly a decade 
and removed all that pid-file stuff exactly because it causes only 
trouble, long before most package maintainers provided systemd units; 
when we deployed F15 we overrode every single service with a unit in 
/etc/systemd/system


after 6 years running systemd nobody was able to show me a single 
service which needs a pid-file these days because the whole concept is 
broken by design when we have a system manager which can track services 
and processes properly


the pid-file stuff in systemd is a last resort for heavily broken software


Re: bind-chroot, runs, works, dies

2017-08-11 Thread Petr Mensik
Hi Todd.

I think much better than Ask Fedora would be filling a bug in 
bugzilla.redhat.com. I would see it straight away.
I am Fedora bind maintainer. If there is bug preventing correct start of 
named-chroot, I would like to fix it.

You would see SElinux errors in command "ausearch -i -ts recent -m avc -m 
user_avc -m selinux_err" if that errors were SElinux related.

I think your config file is missing pid-file "/run/named/named.pid"; It has to 
match pid file used by your named-chroot.service. If systemd does not find the 
pid file of forking service, it will cancel the service.
PIDFile in named-chroot service includes chroot path, but configuration file 
has to point to path inside chroot only.
It should work with default configuration even when pid-file directive is 
commented out. There is symlink from /var/run to /run also in /var/named/chroot.

Can you check rights and selinux context of chroot run directories?

These are on my Fedora 26.

$ ls -ldZ /var/named/chroot/{,var/}run{,/named}
drwxr-x---. 3 root  named system_u:object_r:named_conf_t:s0 4096 Aug 11 13:01 /var/named/chroot/run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/run/named
lrwxrwxrwx. 1 named named system_u:object_r:named_conf_t:s0   6 Jun 30 18:45 /var/named/chroot/var/run -> ../run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/var/run/named

Is it possible you do not have the /var/run symlink there? It would not find 
pid file and cancel the service then.
Did you upgrade to Fedora 26 from previous version?

I would be grateful If you could fill a bug. You may not be the only one 
affected and I would like to fix it for everyone.

I would test whether Type=service proposed by Reindl can be used in new Fedora 
release. I like it.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973

- Original Message -
From: "toddandmargo" 
To: bind-users@lists.isc.org
Sent: Thursday, August 10, 2017 12:14:00 AM
Subject: bind-chroot, runs, works, dies


Hi All, 

Help! 

Fedora 26 x64 
Xfce 4.12 

# rpm -qa \bind\* 
bind-libs-lite-9.11.1-2.P2.fc26.x86_64 
bind99-libs-9.9.10-1.P2.fc26.x86_64 
bind-chroot-9.11.1-2.P2.fc26.x86_64 
bind-license-9.11.1-2.P2.fc26.noarch 
bind-9.11.1-2.P2.fc26.x86_64 
bind-libs-9.11.1-2.P2.fc26.x86_64 
bind99-license-9.9.10-1.P2.fc26.noarch 
bind-utils-9.11.1-2.P2.fc26.x86_64 


I have a weird one. I am trying to set up bind-chroot. When I run it, it works 
for about 30 seconds, then dies. And for the entire 30 seconds, it works 
beautifully. I can go anywhere with Firefox and look up anything with "host". 
Then it breaks my heart. 

# systemctl start named-chroot
Job for named-chroot.service canceled. 


This is my error log: 
Aug  8 15:58:49 FedoraServer named[10120]: all zones loaded
Aug  8 15:58:49 FedoraServer named[10120]: running
Aug  8 15:58:49 FedoraServer named[10120]: zone 255.168.192.in-addr.arpa/IN: sending notifies (serial 57)
Aug  8 15:58:49 FedoraServer named[10120]: zone alpine.local/IN: sending notifies (serial 60)
Aug  8 15:58:49 FedoraServer systemd: named-chroot.service: PID file /var/named/chroot/run/named/named.pid not readable (yet?) after start: No such file or directory
Aug  8 16:00:19 FedoraServer systemd: named-chroot.service: Start operation timed out. Terminating.
Aug  8 16:00:19 FedoraServer named[10120]: shutting down
Aug  8 16:00:19 FedoraServer named[10120]: stopping command channel on 127.0.0.1#953
Aug  8 16:00:19 FedoraServer named[10120]: stopping command channel on ::1#953
Aug  8 16:00:19 FedoraServer named[10120]: no longer listening on ::#53
Aug  8 16:00:19 FedoraServer named[10120]: no longer listening on 127.0.0.1#53
Aug  8 16:00:19 FedoraServer named[10120]: no longer listening on 50.124.80.106#53
Aug  8 16:00:19 FedoraServer named[10120]: exiting
Aug  8 16:00:19 FedoraServer systemd: Stopped Berkeley Internet Name Domain (DNS).
Aug  8 16:00:19 FedoraServer systemd: named-chroot.service: Unit entered failed state.
Aug  8 16:00:19 FedoraServer systemd: named-chroot.service: Failed with result 'timeout'.
Aug  8 16:00:19 FedoraServer systemd: Stopping Set-up/destroy chroot environment for named (DNS)...
Aug  8 16:00:19 FedoraServer audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-chroot comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug  8 16:00:20 FedoraServer systemd: Stopped Set-up/destroy chroot environment for named (DNS).
Aug  8 16:00:20 FedoraServer audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-chroot-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


I find the 
PID file /var/named/chroot/run/named/named.pid not readable (yet?) 
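Petr's explanation above rests on two path facts: systemd's PIDFile= names the file as seen from the host (/var/named/chroot/run/named/named.pid), while named.conf's pid-file must name it as seen from inside the chroot (/run/named/named.pid, or /var/run/named/named.pid through the var/run -> ../run symlink in his listing). The SELinux question from ToddAndMargo earlier on this page ("how am I supposed to know what FILE_TYPE") has a related answer: named creates session.key in the same run directory as named.pid, so the type the policy expects for it is the one carried by that directory, named_var_run_t, which is exactly what the last command in the alert proposes; matchpathcon /var/named/chroot/run/named/session.key prints the expected label without guessing. The following is an added example that is not Petr's code, the Fedora package's, or BIND's. It parses an ls -lZ listing, resolves chroot-internal paths to host paths following the recorded symlinks with chroot(2) semantics for .., checks the PIDFile/pid-file pairing, and flags regular files whose type differs from their directory's. The four directory lines are Petr's listing from this thread; the named.pid and session.key lines are constructed, with session.key deliberately mislabeled.

```python
"""Sanity checks for a bind-chroot layout: does systemd's PIDFile= refer to the same file as
named.conf's pid-file once the chroot and its var/run -> ../run symlink are taken into account,
and which regular files carry an SELinux type different from their directory's?"""
import posixpath
import re

# user:role:type:range as printed by `ls -Z`, e.g. system_u:object_r:named_var_run_t:s0
CONTEXT = re.compile(r'\b(\w+_u:\w+_r:(\w+_t):\S+)')


def parse_ls_z(listing):
    """Parse `ls -lZ` / `ls -ldZ` output into {path: {'kind', 'type', 'ctx', 'link'}}."""
    entries = {}
    for line in listing.strip().splitlines():
        m = CONTEXT.search(line)
        if not m:
            continue
        tail = line[m.end():].split()          # size, month, day, time, path[, '->', target]
        path = tail[4]
        link = tail[6] if len(tail) > 6 and tail[5] == '->' else None
        entries[path] = {'kind': line[0], 'type': m.group(2), 'ctx': m.group(1), 'link': link}
    return entries


def _clamp(path, chroot):
    """Normalise `path` and keep it inside `chroot`: '..' at the chroot root stays at the root."""
    path = posixpath.normpath(path)
    return path if path == chroot or path.startswith(chroot + '/') else chroot


def resolve_in_chroot(path, chroot, entries):
    """Map a path as named sees it inside `chroot` to the host path systemd sees,
    following the symlinks recorded in `entries` (absolute link targets are chroot-relative)."""
    cur = chroot
    for part in [p for p in path.split('/') if p]:
        nxt = _clamp(posixpath.join(cur, part), chroot)
        link = entries.get(nxt, {}).get('link')
        if link is not None:
            base = chroot if link.startswith('/') else cur
            nxt = _clamp(posixpath.join(base, link.lstrip('/')), chroot)
        cur = nxt
    return cur


def pidfile_consistent(unit_pidfile, named_pidfile, chroot, entries):
    """True when PIDFile= in the unit and pid-file in named.conf name the same host path."""
    return resolve_in_chroot(named_pidfile, chroot, entries) == posixpath.normpath(unit_pidfile)


def mislabeled_files(entries):
    """Regular files whose SELinux type differs from their parent directory's type.
    A heuristic only: matchpathcon(8) reports what the policy actually expects for a path."""
    found = []
    for path, e in sorted(entries.items()):
        parent = entries.get(posixpath.dirname(path))
        if e['kind'] == '-' and parent and e['type'] != parent['type']:
            found.append((path, e['type'], parent['type']))
    return found


# Directory lines: Petr's listing from this thread. File lines: constructed for the example,
# session.key deliberately carrying named_conf_t instead of its directory's named_var_run_t.
LISTING = """\
drwxr-x---. 3 root  named system_u:object_r:named_conf_t:s0 4096 Aug 11 13:01 /var/named/chroot/run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/run/named
lrwxrwxrwx. 1 named named system_u:object_r:named_conf_t:s0   6 Jun 30 18:45 /var/named/chroot/var/run -> ../run
drwxr-xr-x. 2 named named system_u:object_r:named_var_run_t:s0 4096 Jun 30 18:45 /var/named/chroot/var/run/named
-rw-r--r--. 1 named named system_u:object_r:named_var_run_t:s0    6 Aug 11 13:01 /var/named/chroot/run/named/named.pid
-rw-------. 1 named named system_u:object_r:named_conf_t:s0    136 Aug 11 13:01 /var/named/chroot/run/named/session.key
"""
CHROOT = '/var/named/chroot'
UNIT_PIDFILE = CHROOT + '/run/named/named.pid'     # the PIDFile= systemd complained about in the log

if __name__ == '__main__':
    entries = parse_ls_z(LISTING)
    # two correct chroot-internal spellings and the common mistake of using the host path in named.conf
    for conf_value in ('/run/named/named.pid', '/var/run/named/named.pid', UNIT_PIDFILE):
        ok = pidfile_consistent(UNIT_PIDFILE, conf_value, CHROOT, entries)
        print('pid-file "%s": %s' % (conf_value, 'matches PIDFile' if ok else 'does NOT match PIDFile'))
    for path, actual, expected in mislabeled_files(entries):
        print('%s is %s but its directory is %s; confirm with matchpathcon, fix with restorecon'
              % (path, actual, expected))
```

Putting the host path /var/named/chroot/run/named/named.pid into named.conf is the mistake the check catches: inside the chroot that becomes /var/named/chroot/var/named/chroot/run/named/named.pid, a file systemd never sees, so the unit times out exactly as in the log above. The symlink line also matters: without var/run -> ../run, a pid-file of /var/run/named/named.pid would land in a different directory from the one PIDFile= watches.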

DNS not resolving for a particular domain only

2017-08-11 Thread U Zee via bind-users
Hi All,
We are experiencing a weird issue for the past week or two. 
We run bind9 on RHEL/CentOS and one of our international offices that has their 
own auth and caching servers cannot resolve lenovo.com for some odd reason. If 
that office's clients use Google DNS it works but using their own DNS caching 
servers, it can't resolve. Commands dig and nslookup give a timeout. Although 
dig with trace is able to get to the final answer. Nothing in the logs indicates 
an issue. Also, this is the only address that can't resolve, everything else 
works fine.
We've contacted the ISP to make sure nothing is being blocked or anything, and 
that's all clear. The network team has confirmed they haven't done anything on 
the edge devices or any firewall rule modifications which can cause it. 
Any ideas please???

RE: command line ID vs Wireshark transaction ID (dns.id)

2017-08-11 Thread Philippe.Simonet
Strange: for me it looks like ...: 43350 = 0xa956


>/usr/bin/dig www.google.ch
; <<>> DiG 9.10.3-P4-Debian <<>> www.google.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

>tshark -V -f  'port 53'
...
Domain Name System (response)
[Request In: 1]
[Time: 0.001247378 seconds]
Transaction ID: 0xa956
Flags: 0x8180 Standard query response, No error
1...    = Response: Me
.



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Andrews
Sent: Friday, 11 August 2017 02:26
To: John W. Blue 
Cc: bind-users@lists.isc.org 
Subject: Re: command line ID vs Wireshark transaction ID (dns.id)


In message , "John W. Blue" writes:
> I have been trying to correlate the ID value returned via a command 
> line query here:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60796
>
> to a "transaction ID" found in wireshark when it dissects the packet 
> found here:
>
> Transaction ID: 0x1aa6
>
> without any success because 0x1aa6 does not hex > dec convert to 60796.
>
>
> I am clearly missing something here because wireshark can tie the 
> query and response together into a stream.
>
> Thoughts?

Apply Occam's razor.

The packet in wireshark is not the packet DiG displayed.

> John

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org