Re: Bind9 Random Whois and Dig Fails

2011-06-07 Thread Stephane Bortzmeyer
On Fri, Jun 03, 2011 at 03:09:13PM -0700,
 Sri Harsha Yalamanchili har...@thought-matrix.com wrote 
 a message of 145 lines which said:

> o query-source address X.X.X.X port 53;

That's typically a very bad idea because it makes the source port
predictable and therefore makes you much more vulnerable to the
Kaminsky vulnerability.

> forwarders {
>     66.7.224.17; //Telepacific's DNS server
> };

Did you try this forwarder with, for instance, dig? Does it really
work?

> * The whois lookup works as long as we're telepacific's dns
>   server.

I don't really understand the sentence but, anyway, remember that
whois and DNS are two different and unrelated protocols. I suggest to
debug them separately.

> We can clearly see that the queries are going out from the query
> log.

BIND logs the outgoing queries? I didn't know. Anyway, I suggest using
tcpdump to see what is really going in and out.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
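An added example, not part of the thread, that does the pairing Stephane suggests: it reads `tcpdump -n` DNS lines (the sample below is constructed, as is the resolver address 10.0.0.5), matches each outgoing query to its reply by forwarder and transaction id, and also reports whether every query left from one source port, which is what `query-source address X.X.X.X port 53` forces.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n output (not a capture from the poster's network):
# a resolver at 10.0.0.5 forwarding from fixed source port 53 to two forwarders.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.53 > 66.7.224.17.53: 4123+ A? www.example.com. (33)
12:00:01.000200 IP 10.0.0.5.53 > 8.8.8.8.53: 4124+ A? www.example.org. (33)
12:00:01.020000 IP 8.8.8.8.53 > 10.0.0.5.53: 4124 1/0/0 A 93.184.216.34 (49)
12:00:03.000300 IP 10.0.0.5.53 > 66.7.224.17.53: 4125+ AAAA? www.example.net. (33)
12:00:03.030000 IP 66.7.224.17.53 > 10.0.0.5.53: 4125 1/0/0 AAAA 2001:db8::1 (61)
12:00:05.000400 IP 10.0.0.5.53 > 66.7.224.17.53: 4126+ MX? example.com. (29)
"""

# Matches "<time> IP src.sport > dst.dport: txid" at the start of a DNS line.
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")


def analyze(capture, resolver):
    """Pair each outgoing query with its reply by (forwarder, transaction id).
    Returns a per-forwarder report plus the set of source ports the resolver used."""
    sent = defaultdict(set)      # forwarder -> txids sent to it
    answered = defaultdict(set)  # forwarder -> txids that came back
    ports = set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, _dport, txid = m.groups()
        if src == resolver:                                   # outgoing query
            sent[dst].add(txid)
            ports.add(int(sport))
        elif dst == resolver and txid in sent.get(src, ()):   # matching reply
            answered[src].add(txid)
    report = {}
    for fwd, ids in sent.items():
        report[fwd] = {"sent": len(ids), "answered": len(answered[fwd]),
                       "unanswered": sorted(ids - answered[fwd])}
    return report, ports


def fixed_source_port(ports):
    """True when every query left from a single port, which is exactly what
    'query-source address X port 53' forces and what port randomization avoids."""
    return len(ports) == 1
```

On the sample, 8.8.8.8 answers 1/1 while 66.7.224.17 answers 1/3, and the single source port 53 is flagged as fixed.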


Re: Bind9 Random Whois and Dig Fails

2011-06-07 Thread Sri Harsha Yalamanchili
The query-source address is a NAT'ed address inside the firewall. We opted 
for that to make our firewall less porous, but maybe we should revisit 
that strategy.


The forwarder actually works. That was the primary/only DNS server we 
were using until we decided to install our own internal DNS and delegate 
non-internal DNS queries to that particular forwarder - 66.7.224.17.


Yes, we will try to debug whois and DNS separately. But we were just curious 
about the strange behavior that seems to be connected to us changing the 
DNS servers.


As for logging BIND queries, here's a line in our named.conf.log that 
does the logging:

    category queries { query_log; };

Not much luck using tcpdump either. We know, from both the query_log and 
tcpdump logging, that the queries are going out. But we never get a 
reply back. That's the confusing part. The Google DNS server replies 
back but not our own ISP's DNS. It times out multiple times before 
replying once if at all.


Thank you,
--
Harsha


Re: Bind9 Random Whois and Dig Fails

2011-06-07 Thread Chuck Swiger
On Jun 7, 2011, at 11:07 AM, Sri Harsha Yalamanchili wrote:
> Not much luck using tcpdump either. We know, from both the query_log and 
> tcpdump logging, that the queries are going out. But we never get a reply 
> back. That's the confusing part. The Google DNS server replies back but not 
> our own ISP's DNS. It times out multiple times before replying once if at all.

It sounds like this Telepacific nameserver at IP 66.7.224.17 is broken.  The 
simple solution is to not use any forwarders entry, or to pick another one 
which works.

Regards,
-- 
-Chuck



Bind9 Random Whois and Dig Fails

2011-06-03 Thread Sri Harsha Yalamanchili

Hey Everyone,

We've set up an internal DNS on a Debian 6.0 Squeeze server with BIND 9 
running on it.


A few things specific to our configuration are:

   * This is not a caching-only server. We have our own internal
     domain. We also have a DNS slave running on another server. The
     internal domain looks something like this: xxx.existingdomain.com
     - The subdomain xxx does not actually exist; we've just made it up
     for our BIND config.
   * We made sure Bind listens on a specific address and port by using
 the following:
 o query-source address X.X.X.X port 53;
 o listen-on { X.X.X.X; };
 o listen-on-v6 { none; };
   * This is what our Forwarders Section in named.conf.options looks like:

forwarders {
66.7.224.17; //Telepacific's DNS server
};

The problem we're running into is:

   * Whenever we do something like dig @X.X.X.X www.somedomain.com the
     request times out for a while before working. Once we get an
     answer, we think the answer gets cached; the same lookup, if
     performed again, comes back with an instant answer. We've
     recreated this multiple times using different domain names.
   * The whois lookup works as long as we're using Telepacific's DNS server.
   * To troubleshoot we added the Google DNS server, 8.8.8.8, as one of
     the forwarders and voila! All the answers to dig lookups were
     instantaneous. But now the whois lookups would not work at all.

We've ruled out the firewall by dropping all the rules and still 
receiving the same behavior. We can clearly see that the queries are 
going out from the query log. Are there any other logging options that can be 
enabled to troubleshoot this issue?


Any help is much appreciated. We've been spending hours trying to solve 
the mystery.


Thank you,
--
Harsha | har...@thought-matrix.com
Systems Administrator | ThoughtMatrix, Inc.