[dns-operations] Odd Results/Activity

Peter Andreev andreev.peter at gmail.com
Tue Sep 30 08:38:27 UTC 2014


Maybe you have problems not with the servers ns[5-8].gi.net, but with
ns[12].gi.net, which are authoritative for the gi.net zone.


2014-09-30 2:18 GMT+04:00 Jon Eckerle <Jon.Eckerle at cio.idaho.gov>:
>    Sorry if this seems longish, but I'd rather give you all I can think of that might help than leave you wondering what I'm talking about.
>
>    We are having a problem getting DNS recursive resolutions for securestate.com domain names, specifically mystate.securestate.com.
>
>    I should mention here that, at present, this is the only domain we are having issues with.
>
>    When we issue a DNS query from any of our four BIND 9.9.4-P2 recursive servers, which are inside of our network, for the mystate.securestate.com domain, we consistently get a SERVFAIL response.
>
>    When we issue a DNS query specifically for the SOA Name servers' A records, we get a SERVFAIL response.
>
>    In trying to figure out what might be going on, I found through outside resolvers the names (four) and IP Addresses (four each for 16 total) of the SOA servers for the securestate.com domain.
>
>    When we issue a DNS query specifically against an IP Address of one of the SOA servers for securestate.com, for its own name, we get a NOERROR response with no data.
>
>    When we use other DNS resolvers, outside of our network, they seem to be resolving just fine.
>
>    I've included the various flavors of dig queries and the meat of our named.conf file.
>
>    Since our customers, or one of them, see a SERVFAIL, it of course just has to be our DNS servers' fault, so any ideas or hints will be greatly appreciated.
>
>    When I try a basic dig, I get:
>
> dig mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> mystate.securestate.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39627
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;securestate.com.               IN      A
>
> ;; Query time: 2993 msec
> ;; SERVER: 164.165.147.231#53(164.165.147.231)
> ;; WHEN: Mon Sep 29 15:59:14 MDT 2014
> ;; MSG SIZE  rcvd: 44
>
>    If I try a dig +trace, I get:
>
> dig +trace mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> +trace mystate.securestate.com
> ;; global options: +cmd
> .                       83701   IN      NS      e.root-servers.net.
> .                       83701   IN      NS      f.root-servers.net.
> .                       83701   IN      NS      i.root-servers.net.
> .                       83701   IN      NS      m.root-servers.net.
> .                       83701   IN      NS      d.root-servers.net.
> .                       83701   IN      NS      h.root-servers.net.
> .                       83701   IN      NS      b.root-servers.net.
> .                       83701   IN      NS      j.root-servers.net.
> .                       83701   IN      NS      k.root-servers.net.
> .                       83701   IN      NS      c.root-servers.net.
> .                       83701   IN      NS      l.root-servers.net.
> .                       83701   IN      NS      a.root-servers.net.
> .                       83701   IN      NS      g.root-servers.net.
> .                       84848   IN      RRSIG   NS 8 0 518400 20141006170000 20140929160000 8230 . hJNK+x67Ai+uAd34igab0odq4vISCMZEwDbopatCxN2/AzKDdkYsCYoE hfQv8/yYaMR15v0WSYXQomGF66bA6dXe2lzCKEALmkkgy0TTp4xkbTC7 QarlfKJhVwg4TlowxQ5o94ZwYi+6uWXoOM0r6CfdhEFCm8WgZrLd65F1 oTo=
> ;; Received 913 bytes from 164.165.147.231#53(164.165.147.231) in 589 ms
>
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 20141006170000 20140929160000 8230 . OuUj3aWJQOMDLAO5i33XuhfZNJvjqjbIa6L7Q8rzlXNag153/G0Z6MI3 /1QubWOH9iJVjZLEJhoB7LI5kPEHLo2Hde5iYPCuDGbFbYI7pXSqwTfT VPgquQGpkgRDeFFM0JHt/qud5fUz5PNsv4QA57vJAJU/n9U72to5dtMm tjM=
> ;; Received 747 bytes from 199.7.83.42#53(l.root-servers.net) in 1176 ms
>
> securestate.com.        172800  IN      NS      ns5.gi.net.
> securestate.com.        172800  IN      NS      ns6.gi.net.
> securestate.com.        172800  IN      NS      ns7.gi.net.
> securestate.com.        172800  IN      NS      ns8.gi.net.
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20141004044954 20140927033954 6122 com. zVV+Rlagl8V4U36B36XISeL4D652mt25miImUk4gmRotumeuX4EENG99 AEcNhKuP6SSzRa2Zx3uTgHMGlugSISDd4gwQEPb8tckKjQhzuEFucek2 IklgGEs4zKXW5BzVLNo+RZ/ARuuXm/G4PEHWxTm1sAf4HrWTbtMZ3o53 rj4=
> PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN NSEC3 1 1 0 - PFPAGH2299I07EHT4G9EC1S03HUET784 NS DS RRSIG
> PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN RRSIG NSEC3 8 2 86400 20141006043024 20140929032024 6122 com. X62NE0ptCBOBwvbGLO517nIqLthVeQrpEZRcHebfRbfyrx4Bwrx7NoPx 2zRVDgtSAN6hTVWHyX+qgFKqGl7w59fL7nhFL718i8sMkaKpPxgyN+60 eLwC0lzMXoPv9od7Odl3/z91d9VwLpFhCTDK7PurOIcfLI0qv9vr03vE 2yQ=
> dig: couldn't get address for 'ns5.gi.net': no more
>
>    If I try a query specifically against the IP Address advertised as SOA for this domain (ns5.gi.net - 50.23.136.173), I get a resolution:
>
> dig @50.23.136.173 mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 mystate.securestate.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19186
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mystate.securestate.com.       IN      A
>
> ;; ANSWER SECTION:
> mystate.securestate.com. 14400  IN      A       98.103.44.125
>
> ;; Query time: 27 msec
> ;; SERVER: 50.23.136.173#53(50.23.136.173)
> ;; WHEN: Mon Sep 29 16:05:31 MDT 2014
> ;; MSG SIZE  rcvd: 57
>
>    However, if I try a dig against any IP Address for the host record of the server associated with that specific IP Address (50.23.136.173 - ns5.gi.net) I get:
>
> dig @50.23.136.173 ns5.gi.net
>
> ; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 ns5.gi.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25692
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns5.gi.net.                    IN      A
>
> ;; Query time: 20 msec
> ;; SERVER: 50.23.136.173#53(50.23.136.173)
> ;; WHEN: Mon Sep 29 16:09:28 MDT 2014
> ;; MSG SIZE  rcvd: 28
>
>    Here is my named.conf file:
>
> acl "state-network" {
>     164.165.0.0/16; 192.102.16.0/24; 192.207.45.0/24;
>     };
>
> acl "labor-network" {
>     204.144.104.0/24;
>     };
>
> acl "access-idaho" {
>     206.81.140.0/25; 63.226.87.146/29;
>     };
>
> acl "internal-nat" {
>     10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
>     };
>
> options {
>         directory       "/conf";
>         pid-file        "/var/run/named.pid";
>         statistics-file "/var/run/named.stats";
>         dump-file       "/var/run/named.db";
>         version         "[secured]";
>         hostname        "[secured]";
>         dnssec-enable yes;
>         dnssec-validation auto;
>         recursion yes;
>         allow-update { none; };
>         allow-notify { 164.165.207.44; };
>         allow-query { state-network; labor-network; internal-nat; };
>         allow-query-cache { state-network; labor-network; internal-nat; };
>         transfer-format many-answers;
>         max-transfer-time-in 60;
>         max-cache-ttl 86400;
>         max-ncache-ttl 600;
>         max-cache-size 50M;
> };
>
> zone "." {
>         type   hint;
>         file   "db.rootcache";
> };
>
> zone    "localhost" {
>         type    master;
>         file   "db.localhost";
>         notify  no;
> };
>
> zone    "0.0.127.in-addr.arpa" {
>         type   master;
>         file   "db.127.0.0";
>         notify no;
> };
>
>
> Jon Eckerle - Hostmaster
> Idaho Office of the Chief Information Officer
> 650 West State Street
> Boise, Idaho 83720
>
> Certified DNS Associate
> Certified DNSSEC Expert
> hostmaster at idaho.gov
> jon.eckerle at cio.idaho.gov
> (208) 332-1803
>



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
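A small dependency walk illustrating Peter's point, added here as an example and not part of either message: it models the delegations shown in the dig +trace above (securestate.com delegated to ns5-ns8.gi.net with no glue in .com) and assumes, as constructed data, that ns1 and ns2.gi.net serve gi.net and hold documentation-range addresses. It starts at the closest delegation and skips the root and .com steps the trace already shows succeeding.

```python
# Constructed delegation data modelled on the dig +trace in the thread:
# zone -> (nameserver names, glue A records the parent hands out).
# securestate.com's servers live under gi.net, so .com hands out no glue and a
# resolver must get their addresses from gi.net's own servers. ns1/ns2.gi.net
# and every address below are assumptions, not data from the page.
DELEGATIONS = {
    ".": (["a.root-servers.net."], {"a.root-servers.net.": "198.41.0.4"}),
    "securestate.com.": (["ns5.gi.net.", "ns6.gi.net.", "ns7.gi.net.", "ns8.gi.net."], {}),
    "gi.net.": (["ns1.gi.net.", "ns2.gi.net."],
                {"ns1.gi.net.": "192.0.2.1", "ns2.gi.net.": "192.0.2.2"}),
}


def enclosing_zone(name):
    """Longest delegated zone containing name, e.g. ns5.gi.net. -> gi.net."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) or "."
        if candidate in DELEGATIONS:
            return candidate
    return "."


def resolve(name, dead_servers=frozenset(), _stack=()):
    """Simulate the address chasing a recursive resolver must do for name.

    Returns (ok, explanation). The lookup succeeds when some nameserver for
    the enclosing zone answers and its address is obtainable: from parent
    glue, or by resolving the server's own name through a separate chain.
    dead_servers holds nameserver names that never answer (constructed)."""
    if name in _stack:
        return False, f"dependency loop: {name} needs itself resolved first"
    servers, glue = DELEGATIONS[enclosing_zone(name)]
    failures = []
    for ns in servers:
        if ns in dead_servers:
            failures.append(f"{ns} does not answer")
        elif ns in glue:
            return True, f"{name} via {ns} ({glue[ns]} from glue)"
        else:
            ok, why = resolve(ns, dead_servers, _stack + (name,))
            if ok:
                return True, f"{name} via {ns} [{why}]"
            failures.append(f"no address for {ns}: {why}")
    return False, f"SERVFAIL for {name}: " + "; ".join(failures)


if __name__ == "__main__":
    print(resolve("mystate.securestate.com."))
    print(resolve("mystate.securestate.com.", frozenset({"ns1.gi.net.", "ns2.gi.net."})))
```

With ns1/ns2.gi.net marked dead the walk fails for mystate.securestate.com even though ns5.gi.net itself would answer, which is exactly the "couldn't get address for 'ns5.gi.net'" symptom in the trace.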