Re: Bind9 Random Whois and Dig Fails
On Fri, Jun 03, 2011 at 03:09:13PM -0700, Sri Harsha Yalamanchili <har...@thought-matrix.com> wrote a message of 145 lines which said:

> o query-source address X.X.X.X port 53;

That's typically a very bad idea because it makes the source port predictable and therefore makes you much more vulnerable to the Kaminsky vulnerability.

> forwarders { 66.7.224.17; //Telepacific's DNS server };

Did you try this forwarder with, for instance, dig? Does it really work?

> * The whois lookup works as long as we're telepacific's dns server.

I don't really understand the sentence but, anyway, remember that whois and DNS are two different and unrelated protocols. I suggest debugging them separately.

> We can clearly see that the queries are going out from the query log.

BIND logs the outgoing queries? I didn't know. Anyway, I suggest using tcpdump to see what is really going in and out.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind9 Random Whois and Dig Fails
The query-source address is a NATed address inside the firewall. We opted for that to make our firewall less porous, but maybe we should revisit that strategy.

The forwarder actually works. That was the primary/only DNS server we were using until we decided to install our own internal DNS and delegate non-internal DNS queries to that particular forwarder, 66.7.224.17.

Yes, we will try to debug whois and DNS separately. But we were just curious about the strange behavior that seems to be connected to us changing the DNS servers.

As for logging bind queries, here's a line in our named.conf.log that does the logging:

    category queries { query_log; };

Not much luck using tcpdump either. We know, from both the query_log and tcpdump logging, that the queries are going out. But we never get a reply back. That's the confusing part. The Google DNS server replies back but not our own ISP's DNS. It times out multiple times before replying once, if at all.

Thank you,
-- 
Harsha

On 6/7/11 7:57 AM, Stephane Bortzmeyer wrote:
> On Fri, Jun 03, 2011 at 03:09:13PM -0700, Sri Harsha Yalamanchili <har...@thought-matrix.com> wrote a message of 145 lines which said:
>
> > o query-source address X.X.X.X port 53;
>
> That's typically a very bad idea because it makes the source port predictable and therefore makes you much more vulnerable to the Kaminsky vulnerability.
>
> > forwarders { 66.7.224.17; //Telepacific's DNS server };
>
> Did you try this forwarder with, for instance, dig? Does it really work?
>
> > * The whois lookup works as long as we're telepacific's dns server.
>
> I don't really understand the sentence but, anyway, remember that whois and DNS are two different and unrelated protocols. I suggest debugging them separately.
>
> > We can clearly see that the queries are going out from the query log.
>
> BIND logs the outgoing queries? I didn't know. Anyway, I suggest using tcpdump to see what is really going in and out.
Re: Bind9 Random Whois and Dig Fails
On Jun 7, 2011, at 11:07 AM, Sri Harsha Yalamanchili wrote:

> Not much luck using tcpdump either. We know, from both the query_log and tcpdump logging, that the queries are going out. But we never get a reply back. That's the confusing part. The Google DNS server replies back but not our own ISP's DNS. It times out multiple times before replying once, if at all.

It sounds like this Telepacific nameserver at IP 66.7.224.17 is broken. The simple solution is to not use any forwarders entry, or to pick another one which works.

Regards,
-- 
-Chuck
Bind9 Random Whois and Dig Fails
Hey Everyone,

We've set up an internal DNS on a Debian 6.0 Squeeze server with Bind 9 running on it. A few things specific to our configuration are:

* This is not a caching-only server. We have our own internal domain. We also have a DNS slave running on another server. The internal domain looks something like this: xxx.existingdomain.com - The subdomain xxx does not actually exist, we've just made it up for our bind config.
* We made sure Bind listens on a specific address and port by using the following:
  o query-source address X.X.X.X port 53;
  o listen-on { X.X.X.X; };
  o listen-on-v6 { none; };
* This is what our Forwarders section in named.conf.options looks like:

    forwarders {
        66.7.224.17; //Telepacific's DNS server
    };

The problem we're running into is:

* Whenever we do something like dig @X.X.X.X www.somedomain.com the request times out for a while before working. Once we get an answer, we're thinking that the answer gets cached: the same lookup, if performed again, comes back with an instant answer. We've recreated this multiple times using different domain names.
* The whois lookup works as long as we're telepacific's dns server.
* To troubleshoot we added the Google DNS server, 8.8.8.8, as one of the forwarders and voila! all the answers to dig lookups were instantaneous. But now the whois lookups would not work at all.

We've ruled out the firewall by dropping all the rules and still receiving the same behavior. We can clearly see that the queries are going out from the query log. Any other logging options that can be enabled to troubleshoot this issue?

Any help is much appreciated. We've been spending hours trying to solve the mystery.

Thank you,
-- 
*Harsha* | har...@thought-matrix.com
Systems Administrator | ThoughtMatrix, Inc.
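As an added example, not code from the thread, from BIND or from ISC: a small Python script that turns the two points raised in this thread into checks a defender can run against their own files. `fixed_query_source_port` reports whether a named.conf pins the outgoing query source port (Stephane's Kaminsky warning about `query-source ... port 53`), and `analyze_capture` pairs outgoing queries with replies in `tcpdump -n` style output, per forwarder, so the "queries go out but nothing comes back" symptom shows up as a sent/answered count and round-trip time for each upstream. The resolver address 192.0.2.10, the transaction IDs and the capture lines are constructed sample data; the forwarder addresses 66.7.224.17 and 8.8.8.8 are the ones from the thread.

```python
"""Defender-side checks for the forwarder problem discussed in the thread.

1. fixed_query_source_port(): does named.conf pin the query source port?
2. analyze_capture(): which forwarder actually answers, and how fast?

The resolver address 192.0.2.10 and SAMPLE_CAPTURE are constructed data.
"""
import re
from collections import defaultdict

# Matches "query-source address 192.0.2.10 port 53;" or "query-source port *;".
# A statement without a port clause leaves port selection to BIND.
QUERY_SOURCE_RE = re.compile(
    r"query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\*|\d+)\s*;")

# One "tcpdump -n" line for UDP DNS: timestamp, src.port > dst.port, txid, flags.
PKT_RE = re.compile(
    r"^(\d+):(\d+):(\d+(?:\.\d+)?) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (\d+)([+%$|]*) ")

# Constructed capture: the resolver 192.0.2.10 sends from a fixed port 53;
# 8.8.8.8 answers every query, 66.7.224.17 answers one of three, slowly.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.0.2.10.53 > 66.7.224.17.53: 1001+ A? www.example.com. (33)
12:00:01.020000 IP 192.0.2.10.53 > 8.8.8.8.53: 1002+ A? www.example.net. (33)
12:00:01.045000 IP 8.8.8.8.53 > 192.0.2.10.53: 1002 1/0/0 A 203.0.113.7 (49)
12:00:06.000000 IP 192.0.2.10.53 > 66.7.224.17.53: 1003+ A? www.example.com. (33)
12:00:06.010000 IP 192.0.2.10.53 > 8.8.8.8.53: 1004+ A? www.example.org. (33)
12:00:06.040000 IP 8.8.8.8.53 > 192.0.2.10.53: 1004 1/0/0 A 203.0.113.9 (49)
12:00:11.000000 IP 192.0.2.10.53 > 66.7.224.17.53: 1005+ A? www.example.com. (33)
12:00:11.900000 IP 66.7.224.17.53 > 192.0.2.10.53: 1005 1/0/0 A 203.0.113.5 (49)
"""


def fixed_query_source_port(named_conf: str):
    """Return the pinned source port, or None if BIND chooses it (port * or no clause)."""
    m = QUERY_SOURCE_RE.search(named_conf)
    if m is None or m.group(1) == "*":
        return None
    return int(m.group(1))


def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze_capture(capture: str, resolver_ip: str) -> dict:
    """Pair each query the resolver sent with the reply carrying the same
    transaction ID from the same peer; report per-forwarder counts and RTTs,
    the set of source ports the resolver used, and still-unanswered queries."""
    pending = {}  # (forwarder, txid) -> time the query left
    stats = defaultdict(lambda: {"sent": 0, "answered": 0, "rtts": []})
    source_ports = set()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # not a DNS packet line we understand
        h, mi, s, src, sport, dst, dport, txid, _flags = m.groups()
        t = _seconds(h, mi, s)
        if src == resolver_ip:  # outgoing query
            stats[dst]["sent"] += 1
            source_ports.add(int(sport))
            pending[(dst, txid)] = t
        elif dst == resolver_ip:  # reply; only count it if we saw the query
            sent_at = pending.pop((src, txid), None)
            if sent_at is not None:
                stats[src]["answered"] += 1
                stats[src]["rtts"].append(round(t - sent_at, 6))
    return {"forwarders": dict(stats), "source_ports": source_ports,
            "unanswered": sorted(pending)}


def summarize(report: dict) -> list:
    """Human-readable lines for the report returned by analyze_capture()."""
    lines = []
    for fwd, st in sorted(report["forwarders"].items()):
        worst = max(st["rtts"]) if st["rtts"] else None
        lines.append(f"{fwd}: sent={st['sent']} answered={st['answered']} "
                     f"worst_rtt={worst}")
    ports = report["source_ports"]
    if len(ports) == 1:
        lines.append(f"source port fixed at {next(iter(ports))}: predictable")
    else:
        lines.append(f"{len(ports)} distinct source ports observed")
    return lines


if __name__ == "__main__":
    conf = "options { query-source address 192.0.2.10 port 53; };"
    print("pinned query-source port:", fixed_query_source_port(conf))
    for line in summarize(analyze_capture(SAMPLE_CAPTURE, "192.0.2.10")):
        print(line)
```

Run it against a real capture with `tcpdump -n -i <iface> udp port 53` saved to a file and the resolver's own address in place of 192.0.2.10; a forwarder whose `answered` count stays near zero while `sent` climbs is the one to drop, and a single value in `source_ports` means the config is doing what Stephane warned about.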