Server failed Errors from the Outside
Mark_A...@iengines.com
You cannot use IP addresses in the DNS where names are
exected. Replace the NS RRset and restore the TTL.
netcommunity.com. IN NS NS3.FNSI.NET.
netcommunity.com. IN NS NS1.KREBER.com.
netcommunity.com. IN NS NS2.FNSI.NET.
netcommunity.com. IN NS NS1.FNSI.NET.
The reason it "works" with TTL zero is that the NS RRset is
expiring after every query and the next query has to go back
to the COM servers.
Mark
>
> I am having a problem resolving host names on our network from the
> outside. By this I mean when you use a name server other than our own
> primary name server to resolve names in our domain. I call these
> "indirect" queries because the outside name server has to ask a root
> name server for our name server's address and then contact our name
> server. Technically this is a recursive lookup, but "indirect" makes
> much more sense to me because "recursive" is too vague to convey any
> useful information.
>
> I am using bind 4.9.3 P1 on Solaris 2.5.1. I have applied the current
> patch, 103663-15, from Sun. I have installed bind 8.2.2 P5 and it has
> the same problem. I have been over the config files many times and can
> find no errors in them.
>
> All host names resolve correctly as long as you are on a machine in our
> domain, netcommunity.com, resolving names using our primary name
> server. The problem only occurs when you use a name server other than
> our primary.
>
> Sometimes a particular subset of our host names will resolve from the
> outside and the rest will not resolve. They return a "Server failed"
> error with nslookup. After some unknown period of time, the subset
> changes. Other hosts will resolve and others won't.
>
> I have set up an additional name server (Red Hat Linux 6.0, bind 8.2,
> hereafter called "test") on our network so that I can test "indirect"
> queries to our primary name server, because this is the only time the
> error occurs.
>
> I have figured out that if I specify a TTL value of 0 in the SOA record
> for the domain in the primary name server, restart the test name server,
> and run indirect queries through the test name server, the problem does
> not occur. So, I think it has something to do with the cache.
>
> With a normal TTL value (after a restart), the test name server will
> indirectly resolve the first host name I ask it to resolve. It is a
> caching only name server and is supposed to ask our primary name server
> (through a root name server) for all host names on netcommunity.com.
> Every host name query after the first results in a "Server falied"
> error. Running snoop on the primary name server, I can see that the
> test name server never contacts the primary name server for all lookups
> following the first one. It does contact the primary for the first
> lookup. It always contacts a root name server.
>
> I've found the debug output of named to be impossible to read, but I
> have seen ncache messages indicating that negative responses are being
> cached.
>
> I've attached the db file for netcommunity.com.
>
> You can test this situation by doing this:
>
> nslookup www.netcommunity.com ns1.kreber.com
> nslookup pokey.netcommunity.com ns1.kreber.com
>
> which will work every time. ns1.kreber.com is our primary name server.
> Then try this:
>
> nslookup www.netcommunity.com ns.redhat.com
> nslookup pokey.netcommunity.com ns.redhat.com
> nslookup jhad.netcommunity.com ns.redhat.com
>
> One of those at any given time will not work, even though they are valid
> names. You can substitue gumby.netcommunity.com or your name server for
> ns.redhat.com. gumby has the name server I set up to run tests.
>
> I really have no clue why this is happening. I'm hoping you can help.
> If you need any additional information, let me know and I'll provide
> it. Thanks.
>
> --
> Bill Chatfield - Vice President of Technology - NetCommunity
> bill.ch...@netcommunity.com
> 670 Harmon Avenue, Columbus, Ohio 43223
> Phone: (614) 228-9977, FAX: (614) 228-2115
>
>
>
> -- Attached file included as plaintext by Listar --
> -- File: db.netcommunity.com
>
> ; ---------------------------------------------------------------------------
> ; This table was created by Bill Haase Internet Media Properties on Jan 27, 1
> 998
> ; Emergency Contact is Bill Haase, Pager (614) 731-9033 Mobile (614) 207-4257
> ; ---------------------------------------------------------------------------
>
> $ORIGIN netcommunity.com.
>
> @ IN SOA ns1.kreber.com. billc.netcommunity.com. (
> 1999112701 ; serial
> 86400 ; refresh
> 21600 ; retry
> 604800 ; expire
> 0 ) ; TTL minimum
> ; TTL minimum use to be 86400
>
> IN NS 198.212.27.4.
> IN NS 206.183.224.8.
> IN NS 206.183.224.7.
> IN NS 206.183.226.10.
> ; ------------------------------------------------------------------------
> ;
> netcommunity.com. IN MX 10 pokey.netcommunity.com.
> jhad IN A 198.212.27.132
> bodasheck IN A 198.212.27.143
> burnbaby IN A 198.212.27.160
> sales IN A 198.212.27.185
> ns1 IN A 198.212.27.192
> simba IN A 198.212.27.194
> zuul IN A 198.212.27.195
> winnt2 IN A 198.212.27.197
> winnt3 IN A 198.212.27.198
> pokey IN A 198.212.27.199
> gumby IN A 198.212.27.200
> winnt1 IN A 198.212.27.238
> hal IN A 198.212.27.242
> yaldwan IN A 198.212.27.243
> www IN A 198.212.27.254
> ftp IN CNAME pokey.netcommunity.com.
> pulsar IN CNAME ns1.netcommunity.com.
> mail IN CNAME pokey.netcommunity.com.
> dev IN CNAME gumby.netcommunity.com.
> ; ------------------------------------------------------------------------
> ; Test sites currently on gumby.
> ; ------------------------------------------------------------------------
> test.grangeinsurance IN A 198.212.27.200
> test.gtgi IN A 198.212.27.200
> test.netcommunity IN A 198.212.27.200
> test.securitydocuments IN A 198.212.27.200
> test.trimsystems IN A 198.212.27.200
> test.flashpilot IN A 198.212.27.200
>
>
>
>
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@iengines.com