Domain not resolve but resolve with other ISP domain
Nayeem
I'm new to Bind and today I face one problem that one domain
plastics4arab.com not resolve with our DNS server but resolve with another
ISP DNS Server.
Presently we are using latest bind 9.2.4 DNS server on Redhat Linux Ent 4.
# nslookup
;; connection timed out; no servers could be reached
> server ns1.shaheer.net.sa
Default server: ns1.shaheer.net.sa
Address: 212.64.128.12#53
Server: ns1.shaheer.net.sa
Address: 212.64.128.12#53
Non-authoritative answer:
Name: plastics4arab.com
Address: 75.126.81.155
> exit
When I use Dig Command
# dig plastics4arab.com
; <<>> DiG 9.2.4 <<>> plastics4arab.com
;; global options: printcmd
;; connection timed out; no servers could be reached
Can any one help us to solve this issue.
Mohammed Nayeem
Andy Shellam (Mailing Lists)
2 seconds that nslookup waits, or TCP/UDP port 53 is being blocked by a
firewall between your client and DNS server.
Nayeem wrote:
> Dear All,
>
>
> I'm new to Bind and today I face one problem that one domain
> plastics4arab.com not resolve with our DNS server but resolve with another
> ISP DNS Server.
>
>
>
> Presently we are using latest bind 9.2.4 DNS server on Redhat Linux Ent 4..
>
>
>
> # nslookup
>
>
>> plastics4arab.com
>>
>
> ;; connection timed out; no servers could be reached
>
>
>> server ns1.shaheer.net.sa
>>
>
> Default server: ns1.shaheer.net.sa
>
> Address: 212.64.128.12#53
>
>
>> plastics4arab.com
>>
>
> Server: ns1.shaheer.net.sa
>
> Address: 212.64.128.12#53
>
>
>
> Non-authoritative answer:
>
> Name: plastics4arab.com
>
> Address: 75.126.81.155
>
>
>> exit
>>
>
>
>
>
>
> When I use Dig Command
>
>
>
>
>
> # dig plastics4arab.com
>
>
>
> ; <<>> DiG 9.2.4 <<>> plastics4arab.com
>
> ;; global options: printcmd
>
> ;; connection timed out; no servers could be reached
>
>
>
> Can any one help us to solve this issue.
>
> Mohammed Nayeem
>
>
>
>
>
>
>
>
>
> !DSPAM:37,4584ed6530861813177975!
>
>
>
--
Andy Shellam
NetServe Support Team
the Mail Network
"an alternative in a standardised world"
p: +44 (0) 121 288 0832/0839
m: +44 (0) 7818 000834
Nayeem
~]# ps aux | grep -i named
named 2853 0.0 1.3 166268 57656 ? Ssl Nov18 0:00
/usr/sbin/named -
u named
root 1868 0.0 0.0 3664 688 pts/1 S+ 16:07 0:00 grep -i named
How can I make sure that there is firewall Issue.
Regards,
Mohammed Nayeem
Nayeem
~]# nslookup
> yahoo.com
Server: 212.24.224.45
Address: 212.24.224.45#53
Non-authoritative answer:
Name: yahoo.com
Address: 216.109.112.135
Name: yahoo.com
Address: 66.94.234.13
> cnn.com
Server: 212.24.224.45
Address: 212.24.224.45#53
Non-authoritative answer:
Name: cnn.com
Address: 64.236.16.116
Name: cnn.com
Address: 64.236.24.12
Name: cnn.com
Address: 64.236.24.20
Name: cnn.com
Address: 64.236.24.28
Name: cnn.com
Address: 64.236.29.120
Name: cnn.com
Address: 64.236.16.20
Name: cnn.com
Address: 64.236.16.52
Name: cnn.com
Address: 64.236.16.84
Andy Shellam (Mailing Lists)
dig @dns4.ksasun.com plastics4arab.com
According to the root nameservers (I queried g.gtld-servers.net),
dns3.ksasun.com and dns4.ksasun.com are authoritative for the domain
plastics4arab.com.
Running the above 2 queries from the console of your DNS server will
show if you have connectivity problems to those 2 servers - if you do,
then that's the problem.
Andy.
Nayeem
Thanks for the reply and I tried dig command and results mention below.
[root@cd1 ~]# dig @dns3.ksasun.com plastics4arab.com
dig: couldn't get address for 'dns3.ksasun.com': failure
[root@cd1 ~]# dig @dns4.ksasun.com plastics4arab.com
dig: couldn't get address for 'dns4.ksasun.com': failure
Andy Shellam (Mailing Lists)
by the looks of things.
Check what resolvers that machine is using (in /etc/resolv.conf) and
that they're all working OK (eg. you can run a DNS query against them.)
Nayeem
Thanks for reply
You mean our machine 212.24.224.45 got problem or their (ksasun.com)
machine?
Sorry to ask that can to tell me how can I check DNS query against them ?
Actually I try to use our 3 DNS servers but we got same result when I use
other ISP DNS then how it resolved.
Thanks,
Nayeem
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Dear Sir,
I used this web site to test and got timeout when "no recursion" not check
It show answer when I check "no recursion"
So what "no recursion" will do ?
Andy Shellam (Mailing Lists)
When you query a non-recursive DNS server, it returns the answer from
it's cache (if it has it), it's zone files (for zones it is
authoritative for), or the servers you can query to get the answer.
When you query a recursive DNS server, the server runs all the queries
needed to get you (the client) the final answer, rather than leaving you
to run other queries yourself to get the answer.
So, if I queried "google.com" on a non-recursive server, it'd tell me to
query the root nameservers.
However, if I queried "google.com" on a recursive server, the server
would query the root nameservers, and any others it needed to get me the
record for google.com.
I think that your machine's resolvers (in /etc/resolv.conf) aren't
working, or you cannot reach them.
To query a specific server, use "dig @<server IP> <query>" - so to query
my machine 80.175.29.73 for google.com, I'd do "dig @80.175.29.73
google.com".
Try doing that for all the IP addresses listed in /etc/resolv.conf and
post your results.
> !DSPAM:37,4585604130869209412022!
Nayeem
You can see detail below what you reauest.
[root@cd1 ~]# cat /etc/resolv.conf
domain cd1.zajil.net
nameserver 212.24.224.45
nameserver 212.24.224.35
search localdomain
[root@cd1 ~]# dig @212.24.224.45 plastics4arab.com
; <<>> DiG 9.2.4 <<>> @212.24.224.45 plastics4arab.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@cd1 ~]# dig @212.24.224.35 plastics4arab.com
; <<>> DiG 9.2.4 <<>> @212.24.224.35 plastics4arab.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@cd1 ~]# dig @212.24.224.35 dns3.ksasun.com
; <<>> DiG 9.2.4 <<>> @212.24.224.35 dns3.ksasun.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@cd1 ~]# dig @212.24.224.35 google.com
; <<>> DiG 9.2.4 <<>> @212.24.224.35 google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20416
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 90 IN A 72.14.207.99
google.com. 90 IN A 64.233.187.99
google.com. 90 IN A 64.233.167.99
;; AUTHORITY SECTION:
google.com. 34703 IN NS ns1.google.com.
google.com. 34703 IN NS ns2.google.com.
google.com. 34703 IN NS ns3.google.com.
google.com. 34703 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 87673 IN A 216.239.32.10
ns2.google.com. 87665 IN A 216.239.34.10
ns3.google.com. 87669 IN A 216.239.36.10
ns4.google.com. 87661 IN A 216.239.38.10
;; Query time: 0 msec
;; SERVER: 212.24.224.35#53(212.24.224.35)
;; WHEN: Sun Dec 17 18:45:29 2006
;; MSG SIZE rcvd: 212
Nayeem
Mark Andrews
> Any ideas because problem still with only one domain plastics4arab.com
>
>
> Regards,
> Mohammed Nayeem
I suspect you need to look at the packet level.
Run "tcpdump -n -p -s 0 host 75.126.81.155" in one window
Then in another window run
"dig +norec +dnssec plastics4arab.com @75.126.81.155"
and send the list what tcpdump produces.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
Nayeem
Thanks for reply
Result for tcpdump command
; answer
ns5.internetters.NET. 81928 A 62.128.193.201
; glue
internetwebhosting.NET. 30878 NS ns4.internetwebhosting.net.
30878 NS ns5.internetwebhosting.net.
; answer
ns4.internetwebhosting.NET. 30874 A 64.27.65.15
; answer
ns5.internetwebhosting.NET. 30880 A 64.27.64.77
; glue
internetwebs.NET. 107324 NS ns1.internetwebs.net.
107324 NS ns2.internetwebs.net.
; answer
ns1.internetwebs.NET. 107322 A 216.242.60.66
; answer
ns2.internetwebs.NET. 107328 A 216.242.27.2
; glue
internic.NET. 17898 NS a.iana-servers.net.
17898 NS b.iana-servers.org.
17898 NS c.iana-servers.net.
17898 NS ns.icann.org.
17898 NS ns1.crsnic.net.
17898 NS ns2.nsiregistry.net.
17898 NS sec1.apnic.net.
17898 NS sec3.apnic.net.
; authanswer
rs0.internic.NET. 17897 A 198.41.0.5
; glue
internl.NET. 132441 NS auth10.dns.internl.net.
132441 NS auth20.dns.internl.net.
; answer
auth10.dns.internl.NET. 132439 A 217.149.192.4
; answer
auth20.dns.internl.NET. 132443 A 217.149.201.5
; glue
internorth.NET. 43966 NS ns1.internorth.net.
43966 NS ns2.internorth.net.
43966 NS ns3.internorth.net.
; answer
ns1.internorth.NET. 43974 A 216.108.1.1
; answer
ns2.internorth.NET. 43970 A 216.108.1.2
; glue
ns3.internorth.NET. 43966 A 216.108.8.8
; glue
interpia98.NET. 172241 NS ns.interpia98.net.
172241 NS nsos2.interpia98.net.
; authauthority
ns.interpia98.NET. 42 \-AAAA ;-$NXRRSET
; authauthority
42 \-A6 ;-$NXRRSET
; answer
172237 A 211.115.110.21
; glue
nsos2.interpia98.NET. 172241 A 211.115.110.22
; glue
interposta.NET. 126237 NS ns1.interposta.net.
126237 NS ns2.interposta.net.
; answer
ns1.interposta.NET. 126239 A 85.159.71.66
; glue
interquest.NET. 109267 NS ns1.interquest.net.
109267 NS ns2.interquest.net.
; answer
ns1.interquest.NET. 109255 A 66.135.128.68
; answer
ns2.interquest.NET. 109261 A 66.135.144.2
; authanswer
ns3.interquest.NET. 22865 A 66.135.160.2
; authanswer
ns4.interquest.NET. 22859 A 66.135.176.2
; glue
interserver.NET. 99427 NS dns.trouble-free.net.
99427 NS ops.trouble-free.net.
99427 NS dns2.trouble-free.net.
99427 NS dns4.interserver.net.
99427 NS dns5.interserver.net.
; answer
dns4.interserver.NET. 99423 A 66.45.228.78
; answer
dns5.interserver.NET. 99425 A 66.45.228.3
; glue
intertech.NET. 142396 NS boron.intertech.net.
142396 NS sulfur.intertech.net.
; answer
boron.intertech.NET. 142395 A 24.223.0.5
; answer
sulfur.intertech.NET. 142398 A 24.223.0.16
; glue
interunix.NET. 3434 NS ns1.interunix.net.
3434 NS ns2.interunix.net.
3434 NS ns3.interunix.net.
3434 NS ns4.interunix.net.
; glue
ns1.interunix.NET. 3432 A 202.190.74.35
; glue
ns2.interunix.NET. 3432 A 202.190.74.36
; glue
[root@cd1 data]# pwd
/var/named/data
[root@cd1 data]# nslookup
> yahoo.com
Server: 212.24.224.45
Address: 212.24.224.45#53
Non-authoritative answer:
Name: yahoo.com
Address: 216.109.112.135
Name: yahoo.com
Address: 66.94.234.13
> cnn.com
Server: 212.24.224.45
Address: 212.24.224.45#53
Non-authoritative answer:
Name: cnn.com
Address: 64.236.29.120
Name: cnn.com
Address: 64.236.16.20
Name: cnn.com
Address: 64.236.16.52
Name: cnn.com
Address: 64.236.16.84
Name: cnn.com
Address: 64.236.16.116
Name: cnn.com
Address: 64.236.24.12
Name: cnn.com
Address: 64.236.24.20
Name: cnn.com
Address: 64.236.24.28
> plastics4arab.com
;; connection timed out; no servers could be reached
> server 212.24.224.137
Default server: 212.24.224.137
Address: 212.24.224.137#53
> plastics4arab.com
;; connection timed out; no servers could be reached
> ^[[A
Server: 212.24.224.137
Address: 212.24.224.137#53
** server can't find \027[A: NXDOMAIN
> exit
[root@cd1 data]#
[root@cd1 data]# rndc
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
halt Stop the server without saving pending updates.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
status Display status of the server.
*restart Restart the server.
* == not yet implemented
Version: 9.2.4
[root@cd1 data]# rndc status
number of zones: 8
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
[root@cd1 data]# rndc
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
halt Stop the server without saving pending updates.
trace Increment debugging level by one.
[root@cd1 data]# tcpdump -n -p -s 0 host 75.126.81.155
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:32:29.756915 IP 212.24.224.45.32818 > 75.126.81.155.domain: 38987 [1au]
A? plastics4arab.com. (46)
13:32:34.757967 IP 212.24.224.45.32818 > 75.126.81.155.domain: 38987 [1au]
A? plastics4arab.com. (46)
13:33:01.160072 IP 212.24.224.45.32818 > 75.126.81.155.domain: 996 [1au] A?
plastics4arab.com. (46)
13:33:06.161149 IP 212.24.224.45.32818 > 75.126.81.155.domain: 996 [1au] A?
plastics4arab.com. (46)
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@cd1 data]#
Result mention for Dig Command
[root@cd1 ~]# dig +norec +dnssec plastics4arab.com @75.126.81.155
; <<>> DiG 9.2.4 <<>> +norec +dnssec plastics4arab.com @75.126.81.155
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@cd1 ~]# dig +norec +dnssec plastics4arab.com @75.126.81.155
; <<>> DiG 9.2.4 <<>> +norec +dnssec plastics4arab.com @75.126.81.155
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@cd1 ~]#
Mark Andrews
> [root@cd1 data]# tcpdump -n -p -s 0 host 75.126.81.155
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:32:29.756915 IP 212.24.224.45.32818 > 75.126.81.155.domain: 38987 [1au]
> A? plastics4arab.com. (46)
> 13:32:34.757967 IP 212.24.224.45.32818 > 75.126.81.155.domain: 38987 [1au]
> A? plastics4arab.com. (46)
> 13:33:01.160072 IP 212.24.224.45.32818 > 75.126.81.155.domain: 996 [1au] A?
> plastics4arab.com. (46)
> 13:33:06.161149 IP 212.24.224.45.32818 > 75.126.81.155.domain: 996 [1au] A?
> plastics4arab.com. (46)
>
> 4 packets captured
> 4 packets received by filter
> 0 packets dropped by kernel
> [root@cd1 data]#
You are not getting replies from their nameserver. Either you
have a routing problem or there is a firewall problem.
Mark
> Result mention for Dig Command
>
> [root@cd1 ~]# dig +norec +dnssec plastics4arab.com @75.126.81.155
>
> ; <<>> DiG 9.2.4 <<>> +norec +dnssec plastics4arab.com @75.126.81.155
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> [root@cd1 ~]# dig +norec +dnssec plastics4arab.com @75.126.81.155
>
> ; <<>> DiG 9.2.4 <<>> +norec +dnssec plastics4arab.com @75.126.81.155
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> [root@cd1 ~]#
>
>
> Thanks,
>
> Regards,
> Mohammed Nayeem
Nayeem
is firewall issue then other domains also should not resolve.
Mohammed Nayeem
-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On Behalf
Of Mark Andrews
Sent: Monday, December 18, 2006 2:09 PM
To: Nayeem
Cc: 'Andy Shellam (Mailing Lists)'; bind-...@isc.org
Subject: Re: Domain not resolve but resolve with other ISP domain
Barry Margolin
wrote:
> Sorry Mark, that I could not understand that what routing problem and if it
> is firewall issue then other domains also should not resolve.
Why do you think that? If your firewall is only blocking packets to
75.126.81.155, then you'll only have problems resolving domains that
they host, not any other domains. The same thing if their firewall is
blocking packets from you.
--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Nayeem
replied nothing modification done since long time in firewall.
I tested with 3 DNS servers but get same result.
So please help us that can we find out that which IP is blocking this
request?
Please let me know if you know any good book names for Bind.
Mohammed Nayeem
-----Original Message-----
From: bind-use...@isc.org [mailto:bind-use...@isc.org] On Behalf
Of Barry Margolin
Sent: Tuesday, December 19, 2006 4:29 AM
To: comp-protoc...@isc.org
Subject: Re: Domain not resolve but resolve with other ISP domain
Stephane Bortzmeyer
Nayeem <nay...@ksa.zajil.com> wrote
> Thanks for your explanation & reply, I contact firewall person but
> he replied nothing modification done since long time in firewall.
May be it was broken for a long time?
> So please help us that can we find out that which IP is blocking
> this request?
traceroute -p 53, may be?
> Please let me know if you know any good book names for Bind.
Barry Margolin suggested it is an IP problem, not a DNS one.
Nayeem
Now what should we do to solve this issue.
Stephane Bortzmeyer
Nayeem <nay...@ksa.zajil.com> wrote
> Now what should we do to solve this issue.
First, you could do what was suggested (the traceroute, for instance,
to debug routing problems).
Second, it really seems there is a routing problem, not a DNS one. You
*must* involve the people in charge of the routing. Otherwise, you're
out of luck.
Third, your nameserver 212.24.224.45 is an open recursive
nameserver. While it was handy here, to test its configuration, it is
a security risk
(http://www.afnic.fr/actu/nouvelles/general/NN20060404_en).
Stephane Bortzmeyer
Stephane Bortzmeyer <bortz...@nic.fr> wrote
> Second, it really seems there is a routing problem, not a DNS
> one. You *must* involve the people in charge of the
> routing. Otherwise, you're out of luck.
I know that Internet in Saudi Arabia is extremely controlled so it may
be simply that the IP addresses you try to reach are blocked by a
firewall you are not aware of... A country like Tunisia has similar
problems. Debugging is hard because the ISP never tell you what they
filter and why.