
domain-unable-resolve


Ejaz

Feb 9, 2017, 2:34:08 AM
to bind-users

 

Hello,

From time to time we have problems resolving some domains. One of them is “abudawood.com”, which we are unable to resolve through our DNS server “ns10.cyberia.net.sa”, where I have the latest BIND version and all. What could be the issue, and what is the best way to troubleshoot?

My BIND version:

 

[root@ns10 ~]# named -v

BIND 9.11.0 <id:1477c19>

 

 

Below is the trace result; it reached their DNS server, but could not get query results.

[root@ns10 ~]# dig ns SAMANet.gov.sa

; <<>> DiG 9.11.0 <<>> ns SAMANet.gov.sa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31831

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: b7510c2058b91a7d3bc824e8589c0f68772d7bfd43357c41 (good)

;; QUESTION SECTION:

;SAMANet.gov.sa.                        IN      NS

 

;; ANSWER SECTION:

SAMANet.gov.sa.         3587    IN      NS      ns2.bluvalt.sa.

SAMANet.gov.sa.         3587    IN      NS      ns1.bluvalt.sa.

 

;; ADDITIONAL SECTION:

ns1.bluvalt.sa.         23003   IN      A       46.49.128.130

ns2.bluvalt.sa.         23003   IN      A       46.49.140.146

 

;; Query time: 5 msec

;; SERVER: 212.119.64.2#53(212.119.64.2)

;; WHEN: Thu Feb 09 09:42:48 AST 2017

;; MSG SIZE  rcvd: 147

 

[root@ns10 ~]# dig ns sama.org.sa

 

; <<>> DiG 9.11.0 <<>> ns sama.org.sa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11980

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: 2bebca3cf5e2d6f3cad9e21b589c0f726413bf957d972607 (good)

;; QUESTION SECTION:

;sama.org.sa.                   IN      NS

 

;; ANSWER SECTION:

sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.

sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.

 

;; ADDITIONAL SECTION:

ns1.bluvalt.sa.         22993   IN      A       46.49.128.130

ns2.bluvalt.sa.         22993   IN      A       46.49.140.146

 

;; Query time: 9 msec

;; SERVER: 212.119.64.2#53(212.119.64.2)

;; WHEN: Thu Feb 09 09:42:58 AST 2017

;; MSG SIZE  rcvd: 144

 

[root@ns10 ~]# sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.

bash: sama.org.sa.: command not found...

[root@ns10 ~]# sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.sa                                             ma.org.sa.            3600    IN      NS      ns1.bluvalt.sa.

bash: sama.org.sa.: command not found...

[root@ns10 ~]# sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.^C

[root@ns10 ~]# named -v

BIND 9.11.0 <id:1477c19>

[root@ns10 ~]# vi /etc/named.conf

[root@ns10 ~]# dig abudawood.com +trace

 

; <<>> DiG 9.11.0 <<>> abudawood.com +trace

;; global options: +cmd

.                       106794  IN      NS      a.root-servers.net.

.                       106794  IN      NS      c.root-servers.net.

.                       106794  IN      NS      k.root-servers.net.

.                       106794  IN      NS      l.root-servers.net.

.                       106794  IN      NS      f.root-servers.net.

.                       106794  IN      NS      b.root-servers.net.

.                       106794  IN      NS      h.root-servers.net.

.                       106794  IN      NS      m.root-servers.net.

.                       106794  IN      NS      j.root-servers.net.

.                       106794  IN      NS      d.root-servers.net.

.                       106794  IN      NS      i.root-servers.net.

.                       106794  IN      NS      g.root-servers.net.

.                       106794  IN      NS      e.root-servers.net.

.                       107999  IN      RRSIG   NS 8 0 518400 20170222050000 201                                             70209040000 61045 . TMv9X94Rxe6LPkPDaUB4KgOOP80SX5cNBXSawftLwIofkZWLDB1H9BUk EP8                                             P+7OobV6BxU/prHrNaReq4V7GY5GyOIBkvH7N6QqbrTpaYyAuWlWz gdtF9DthsLfsKSqUMqB50NGBDR                                             V3erxuenHmX5f2VkLK/Dor3eUMdSBN wwUN4NPPst9PaORSqmTzSIirRfm7oglOvjKMtIrTu4+cOofHs                                             XO0bi7j fXu+TT/+6SlFu2x3NXxOZStGSmeWOf6xmkIUNUShjP0HDFz0KxrxOYPj Y8agXhxchni2js4                                             92pY6/oFeb4txcps6tk28WdSeYljCCUTsQ39tQTBO PjrnvA==

;; Received 1125 bytes from 212.119.64.2#53(212.119.64.2) in 0 ms

 

com.                    172800  IN      NS      l.gtld-servers.net.

com.                    172800  IN      NS      k.gtld-servers.net.

com.                    172800  IN      NS      h.gtld-servers.net.

com.                    172800  IN      NS      c.gtld-servers.net.

com.                    172800  IN      NS      j.gtld-servers.net.

com.                    172800  IN      NS      a.gtld-servers.net.

com.                    172800  IN      NS      d.gtld-servers.net.

com.                    172800  IN      NS      i.gtld-servers.net.

com.                    172800  IN      NS      f.gtld-servers.net.

com.                    172800  IN      NS      b.gtld-servers.net.

com.                    172800  IN      NS      g.gtld-servers.net.

com.                    172800  IN      NS      m.gtld-servers.net.

com.                    172800  IN      NS      e.gtld-servers.net.

com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8                                             268FB5885044A833FC5459588F4A9184CF C41A5766

com.                    86400   IN      RRSIG   DS 8 1 86400 20170222050000 2017                                             0209040000 61045 . eGzt3EVcYZunW/znWV1jjFpc1UeFZBJOjlAiOHBCD+C8nlKS1pRROSfb atrO                                             ncICysdXdHedwIV+mhc/3HB6IEzjNcOjJffdX6N3dTEyf2YZmRpO IekQlr7FWRr9jdsHZmnTyKuhhkc                                             26Wjd3H3opDdRwn0HvVN+8ny/QAHC bB+o6piOgjnlNuXxBlLZjF40BrelYfBbPAoLQsdAVUPbvkrEd4                                             1s/qQk 41jJqJVJ7LzxgyjExhWPoisuFxlcyXQ5nDdPpGxO/IGF3+3RtaUMWGX9 uGuDTsNgk+JmH1nI                                             72CgQ2c3cVDRrr3DuqWXwMqThdVES1BpOVBHHmCW HrPR5g==

;; Received 865 bytes from 202.12.27.33#53(m.root-servers.net) in 308 ms

 

abudawood.com.          172800  IN      NS      ns1.abudawood.com.

abudawood.com.          172800  IN      NS      ns2.abudawood.com.

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OS                                             M6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20170214054                                             849 20170207043849 31697 com. rw5pqNm81QqDlCKMB00rpSdoEWHqen1FB/db/7LvS6qozh5wU9                                             ioVT1T 4NxbTyhK+H5liA9QkCMf2DFbfOqfkfv+hv2gFT3o52wCF+wL5dg+xlC8 BTlcHXfUBUF9Wy8w                                             QV7geGT3olYyeWJ7F7UfwA5CvR/EII1zRN0VA3ov 0iE=

QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN NSEC3 1 1 0 - QH3ADNNOO9Q6LEL6VRU                                             4M8PQU2I56IUP  NS DS RRSIG

QH38TLUV3A97CDLH37G57O72CR6PV2TH.com. 86400 IN RRSIG NSEC3 8 2 86400 20170215054                                             922 20170208043922 31697 com. k6FE6tYUXXZrZHrHZK/s1npMpvp/aj5o1o00Ght0jfnndM0bFK                                             roR7lh Fz6X0mJKHaAZw10oGT3LPDElABqywAgtbTKoa5usaOsc4g+2BhUXS+t3 E2s3CL9S1myP+DtQ                                             DRlNMfBpD2NoR4pcPTwlnbiF9VCScLNFWvla6LcV AeQ=

;; Received 595 bytes from 192.54.112.30#53(h.gtld-servers.net) in 138 ms

 

;; Received 70 bytes from 212.118.102.2#53(ns1.abudawood.com) in 18 ms

Thanks,

Mohammed Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:      (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 

Abdul Khader

Feb 9, 2017, 3:31:12 AM
to bind-...@lists.isc.org

Is your DNS server (ns10.cyberia.net.sa) able to connect to the NS servers of abudawood.com?


Mark Andrews

Feb 9, 2017, 4:00:31 AM
to Ejaz, prxjed...@abudawood.com, bind-users

In message <9adb101d282a6$ac1699b0$0443cd10$@cyberia.net.sa>, "Ejaz" writes:
>
> Hello,
>
> From time to time we have problems resolving some domains. One of them is
> "abudawood.com", which we are unable to resolve through our DNS server
> "ns10.cyberia.net.sa", where I have the latest BIND version and all. What could
> be the issue, and what is the best way to troubleshoot?

The nameservers for abudawood.com are broken.

ns1.abudawood.com incorrectly returns FORMERR to queries which
contain a DNS COOKIE irrespective of the EDNS version field. This
behaviour is not compliant with either the initial EDNS specification
or the revised EDNS specification.

ns2.abudawood.com appears to be an old Microsoft DNS server which
fails to respond to EDNS queries after the first one. Failure to
respond consistently to DNS queries breaks recovery from packet
loss.

Both these servers need to be replaced with ones that are RFC compliant.

EDNS Compliance Tester

Checking: 'abudawood.com.' as at 2017-02-09T08:37:05Z

abudawood.com. @212.118.102.2 (ns1.abudawood.com.): edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed,nosoa edns1opt=formerr,badversion,echoed do=ok ednsflags=ok docookie=formerr,nosoa,echoed edns@512tcp=ok optlist=formerr,nosoa,subnet

abudawood.com. @212.118.102.3 (ns2.abudawood.com.): edns=timeout edns1=timeout edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout docookie=timeout edns@512tcp=status,noopt optlist=timeout
The Following Tests Failed

Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.

Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.

Plain EDNS (edns)

This is the style of the initial query that BIND 9.0.x sends.

dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891

EDNS - Unknown Version Handling (edns1)

dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use

EDNS - Truncated Response (edns@512)

dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations

EDNS - Unknown Option Handling (ednsopt)

dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format

EDNS - Unknown Version with Unknown Option Handling (edns1opt)

dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891

EDNS - DNSSEC (do)

This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.

dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225

EDNS - Unknown Flag Handling (ednsflags)

dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags

EDNS - DNSSEC with DNS COOKIE Option (docookie)

This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.

dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225, RFC6891, and RFC7873.

EDNS - over TCP Response (edns@512tcp)

dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and RFC6891

EDNS - Supported Options Probe (optlist)

dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891

Codes

ok - test passed.
subnet - EDNS Client Subnet supported [RFC7871].
noopt - OPT record not found when expected.
nosoa - SOA record not found when expected.
echoed - EDNS option echoed back.
status - expected rcode status code not found.
formerr - rcode FORMERR returned.
badversion - expected EDNS version not found.
timeout - lookup timed out.
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/f60adf3942


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
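
What the `docookie=formerr,nosoa,echoed` result reported above for ns1 looks like on the wire, as an added Python example (not part of the thread and not the ISC tester's code): it builds the cookie-bearing SOA query and classifies two constructed replies. The zone `example.test`, the cookie bytes and all function names are assumptions, and "echoed" is taken here to mean the COOKIE option came back byte-for-byte as sent.

```python
import struct

SOA, OPT, COOKIE, FORMERR = 6, 41, 10, 1   # RR types, EDNS option code (RFC 7873), rcode

def qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def opt_rr(cookie):
    """OPT RR: root owner, class = UDP size 4096, TTL = version 0 with DO set, one COOKIE option."""
    option = struct.pack("!2H", COOKIE, len(cookie)) + cookie
    return b"\0" + struct.pack("!2HIH", OPT, 4096, 0x8000, len(option)) + option

def build_query(zone, client_cookie, qid=0x1234):
    """SOA query, RD clear, EDNS0 + DO + COOKIE: the shape of the 'docookie' probe."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)   # 1 question, 1 additional (the OPT RR)
    return header + qname(zone) + struct.pack("!2H", SOA, 1) + opt_rr(client_cookie)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:       # walk plain labels
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)               # compression pointer or root label

def classify(reply, client_cookie):
    """Return tester-style codes for a reply to build_query() (low 4 rcode bits only)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", reply[:12])
    off, soa, opt, echoed = 12, False, False, False
    for _ in range(qd):
        off = skip_name(reply, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!2HIH", reply[off:off + 10])
        rdata, off = reply[off + 10:off + 10 + rdlen], off + 10 + rdlen
        soa |= rtype == SOA and i < an                # SOA must be in the answer section
        if rtype == OPT:
            opt, p = True, 0
            while p + 4 <= len(rdata):                # walk the EDNS options
                code, length = struct.unpack("!2H", rdata[p:p + 4])
                echoed |= code == COOKIE and rdata[p + 4:p + 4 + length] == client_cookie
                p += 4 + length
    found = {"formerr": flags & 0xF == FORMERR, "nosoa": not soa, "noopt": not opt, "echoed": echoed}
    return [c for c, hit in found.items() if hit] or ["ok"]

# Constructed sample data (not captured traffic): one broken reply, one compliant reply.
CLIENT = bytes.fromhex("0123456789abcdef")
QUERY = build_query("example.test", CLIENT)
BROKEN = QUERY[:2] + struct.pack("!H", 0x8001) + QUERY[4:]   # QR + FORMERR, request sent straight back
SOA_RD = b"\xc0\x0c" * 2 + struct.pack("!5I", 1, 900, 600, 86400, 3600)
GOOD = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 1) + QUERY[12:30]   # question copied from query
        + b"\xc0\x0c" + struct.pack("!2HIH", SOA, 1, 3600, len(SOA_RD)) + SOA_RD + opt_rr(CLIENT + bytes(8)))
```

`classify(BROKEN, CLIENT)` yields the same three codes the report shows for ns1, while `classify(GOOD, CLIENT)` yields `ok` because the reply carries the SOA and a COOKIE extended with a server part.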

Reindl Harald

Feb 9, 2017, 4:19:43 AM
to bind-...@lists.isc.org


On 09.02.2017 at 08:32, Ejaz wrote:
> From time to time we have problems resolving some domains. One of
> them is “*abudawood.com*”, which we are unable to resolve through our DNS
> server “ns10.cyberia.net.sa”, where I have the latest BIND version and all.
> What could be the issue, and what is the best way to troubleshoot?

well, that domain is maintained by incompetent admins and violates
several rules - a single point of failure combined with a SOA expire of
15 minutes - I'd better not say what I think

https://intodns.com/abudawood.com

I could use the nameservers listed below to perform recursive queries.
It may be that I am wrong but the chances of that are low. You should
not have nameservers that allow recursive queries as this will allow
almost anyone to use your nameservers and can cause problems. Problem
record(s) are:
212.118.102.2

ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
212.118.102.3

WARNING: Not all of your nameservers are in different subnets

WARNING: Single point of failure

WARNING: Your SOA REFRESH interval is: 900. That is not so ok

Your SOA EXPIRE number is: 86400. That is NOT OK





Ejaz

Feb 9, 2017, 4:35:56 AM
to Abdul Khader, bind-...@lists.isc.org

Thank you all for the detailed explanation. I understood as a sysadmin, but our client will be comparing with Google's open DNS server.

No, I can’t use his DNS server. From ns10.cyberia.net.sa, the connection timed out.

It is one of our VIP customers, and they are complaining that if “I have a problem in my name servers”, when we use open DNS servers such as Google and several others, they don’t have any issue resolving their records. Satisfying the customer has become tough.

They only have a problem resolving the queries when they start using our DNS, ns10.cyberia.net.sa.

 

Ejaz  

Abdul Khader

Feb 9, 2017, 4:41:05 AM
to bind-...@lists.isc.org

On your DNS server (recursing), put the following so that all requests for the domain abudawood.com are forwarded to the Google DNS server.


zone "abudawood.com" IN {
    type forward;
    forward only;
    forwarders {
        8.8.8.8;
    };
};



Regards
