
dig with status: REFUSED


aabo...@fiu.edu

Nov 19, 2003, 8:36:05 AM
What would cause a query to come back with a refused status? I can query the zone on some nameservers with no issues, but on others I am not able to. The domain I'm working with is bernuth.com. Could this simply be that the changes have not propagated to all nameservers, or do I have an issue with my zone configuration?

Alain


Joseph Begumisa

Nov 19, 2003, 10:29:57 AM

bernuth.com is delegated to the nameservers below

;; ANSWER SECTION:
bernuth.com. 2D IN NS ns.fbsims.com.
bernuth.com. 2D IN NS ns1.fbsims.com.

ns.fbsims.com. is authoritative for bernuth.com and so all queries sent to
it concerning bernuth.com will be answered with the data it has concerning
that domain.

ns1.fbsims.com is not authoritative for bernuth.com. there is a problem
with the domain records for ns1.fbsims.com. the nameserver for
fbsims.com. which is ns.fbsims.com does not answer authoritatively for
ns1.fbsims.com as you can see below that "aa" is not listed among the
flags although it returns the address and nameserver records of which the
nameserver (68.216.33.5.fbsims.com.) doesn't exist:

dig +norec @ns.fbsims.com. ns1.fbsims.com. a

; <<>> DiG 8.3 <<>> +norec @ns.fbsims.com. ns1.fbsims.com. a
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65151
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; ns1.fbsims.com, type = A, class = IN

;; ANSWER SECTION:
ns1.fbsims.com. 18h21m51s IN A 68.216.33.5

;; AUTHORITY SECTION:
ns1.fbsims.com. 165w2d9h46m39s IN NS 68.216.33.5.fbsims.com.

this means that ns1.fbsims.com. cannot be found by anyone who tries to
query it for domain data concerning bernuth.com and therefore all queries
sent to it will fail resulting in you only being able to have successful
lookups when the queries are sent to ns.fbsims.com.

look at the zone file for fbsims.com. on ns.fbsims.com to rectify the
issues with ns1.fbsims.com.

Joseph

David Botham

Nov 19, 2003, 10:39:29 AM
bind-use...@isc.org wrote on 11/19/2003 08:36:05 AM:
> What would cause a query to come back with a refused status? I can query the
> zone on some nameservers with no issues, but on others i not able to. The
> domain i'm working with is bernuth.com Could this simply be the changes have
> not propagated to all nameservers or I have an issue on my zone configuration?

My guess would be that you sent a recursive query to a name server that
does not permit you to perform recursive queries. A printout of your dig
output would go a long way in providing more definite answers.


Dave...

>
> Alain
>
>

Edvard Tuinder

Nov 19, 2003, 11:05:12 AM
According to aabo...@fiu.edu:

> What would cause a query to come back with a refused status?
> I can query the zone on some nameservers with no issues, but
> on others i not able to. The domain i'm working with is
> bernuth.com Could this simply be the changes have not propagated
> to all nameservers or I have an issue on my zone configuration?

No, not all nameservers allow you to use them as recursive nameservers.
The REFUSED return code may be due to that.

If you want to verify the setup of your domain, check on www.dnsreport.com.
That site will perform various sanity checks on your domain.

But to answer your question partially, the setup of your domain is not
correct. According to the gtld-servers the nameservers are ns.fbsims.com
and ns1.fbsims.com. The first (ns.fbsims) is set up correctly, but the second
is not answering correctly, but returning SERV-FAIL, which usually indicates
that it is not able to transfer the zone from the primary.

Furthermore the NS list as returned by ns.fbsims.com is not correct, as it
only lists itself as nameserver and not also ns1.

Your TTLs are also very high. That is not very useful. Usually something
like 1 day or maybe 1 week is more than enough.

-Ed

aabo...@fiu.edu

Nov 19, 2003, 3:29:16 PM


Here is the output from dig

dig @165.87.194.244 bernuth.com

; <<>> DiG 9.2.1 <<>> @165.87.194.244 bernuth.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55046
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bernuth.com. IN A

;; Query time: 60 msec
;; SERVER: 165.87.194.244#53(165.87.194.244)
;; WHEN: Wed Nov 19 16:18:22 2003
;; MSG SIZE rcvd: 29


I figured a good starting point would be to fix the errors that are reported by www.dnsreport.com.

FAIL Missing nameservers 2 ERROR:

One or more of the nameservers listed at the parent
servers are not listed as NS records at your
nameservers. The problem NS records are:
ns.fbsims.com.

Would this mean that I am missing an NS record on both servers or just ns.fbsims.com? I'm not understanding the meaning of this error since now an NS record exists on both servers.


Thanks!

Alain

Mark_A...@isc.org

Nov 19, 2003, 7:02:45 PM

The first thing to correct is the fbsims.com zone. Once that
has been done you can look at the other zones hosted on
ns.fbsims.com and ns1.fbsims.com.

Mark


; <<>> DiG 9.2.3 <<>> axfr fbsims.com @208.153.106.5
;; global options: printcmd
fbsims.com. 86400 IN SOA ns.fbsims.com. root.ns.fbsims.com. 2003111905 3600 300 1209600 86400

You really should have multiple nameservers for this zone.
When you have a second server configured add a NS record referring
to it and update your delegation information with the registrar.

fbsims.com. 86400 IN NS ns.fbsims.com.
ns.fbsims.com. 86400 IN A 208.153.106.5
fbsims.com. 86400 IN A 208.153.106.2
fbsims.com. 86400 IN MX 0 mail.fbsims.com.
rsfbs.fbsims.com. 86400 IN A 208.153.106.2
flov.fbsims.com. 86400 IN A 208.153.106.78
vip.fbsims.com. 86400 IN A 208.153.106.55
wwid4.fbsims.com. 86400 IN A 208.153.106.102
net3.fbsims.com. 86400 IN A 208.153.106.159
fbs.fbsims.com. 86400 IN A 208.153.106.3
net4.fbsims.com. 86400 IN A 208.153.106.152
net5.fbsims.com. 86400 IN A 208.153.106.151
h50.fbsims.com. 86400 IN A 208.153.106.254
h50.fbsims.com. 86400 IN MX 0 mail.h50.fbsims.com.
mail.h50.fbsims.com. 86400 IN A 208.153.106.254
www.h50.fbsims.com. 86400 IN CNAME h50.fbsims.com.
sheri.fbsims.com. 86400 IN A 208.153.106.129
net6.fbsims.com. 86400 IN A 208.153.106.251

The comment character in zone files is ";" not "#".

#ns.fbsims.com. 86400 IN NS fbsims.fbsims.com.
mail.fbsims.com. 86400 IN A 208.153.106.2
vip1.fbsims.com. 86400 IN A 208.153.106.155
int2.fbsims.com. 86400 IN A 208.153.106.54
www.fbsims.com. 86400 IN CNAME fbsims.com.
nt-work.fbsims.com. 86400 IN A 208.153.106.198
int3.fbsims.com. 86400 IN A 208.153.106.53
wwid1.fbsims.com. 86400 IN A 208.153.106.99
miag.fbsims.com. 86400 IN A 208.153.106.243
fbsnt.fbsims.com. 86400 IN MX 0 fbsnt.fbsims.com.
fbsnt.fbsims.com. 86400 IN A 208.153.106.72
fbsl.fbsims.com. 86400 IN A 208.153.106.244
fbs1000.fbsims.com. 86400 IN A 208.153.106.215
241.fbsims.com. 86400 IN A 208.153.106.241
wwid2.fbsims.com. 86400 IN A 208.153.106.100
mias1.fbsims.com. 86400 IN A 208.153.106.71

This should be an A record not a NS record.

ns1.fbsims.com. 86400 IN NS 68.216.33.5.fbsims.com.

Nobody uses MB records. If you are attempting to add MX records
for every existing name in the zone, a wildcard record will NOT
do what you want. Wildcard records only match NAMES that DO NOT
EXIST.

*.fbsims.com. 86400 IN MB mail.fbsims.com.
*.fbsims.com. 86400 IN MB mail.h50.fbsims.com.
wwid3.fbsims.com. 86400 IN A 208.153.106.101

DELETE THIS RECORD. You already have an A record for ns.fbsims.com.

ns.fbsims.com. 86400 IN NS 208.153.106.5.fbsims.com.
net2.fbsims.com. 86400 IN A 208.153.106.149
fbsims.com. 86400 IN SOA ns.fbsims.com. root.ns.fbsims.com. 2003111905 3600 300 1209600 86400
;; Query time: 623 msec
;; SERVER: 208.153.106.5#53(208.153.106.5)
;; WHEN: Thu Nov 20 10:58:04 2003
;; XFR size: 42 records

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org
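
Added example (not part of the original post, and not ISC code): a small lint pass over AXFR text that flags the four mistakes annotated in the transfer above. The function name `lint_zone` and the finding codes are assumptions made for this illustration; the sample is a constructed subset of the records quoted in the post.

```python
import re

# Constructed sample: selected records from the AXFR output quoted in the post.
SAMPLE_AXFR = """\
fbsims.com. 86400 IN SOA ns.fbsims.com. root.ns.fbsims.com. 2003111905 3600 300 1209600 86400
fbsims.com. 86400 IN NS ns.fbsims.com.
ns.fbsims.com. 86400 IN A 208.153.106.5
#ns.fbsims.com. 86400 IN NS fbsims.fbsims.com.
ns1.fbsims.com. 86400 IN NS 68.216.33.5.fbsims.com.
*.fbsims.com. 86400 IN MB mail.fbsims.com.
ns.fbsims.com. 86400 IN NS 208.153.106.5.fbsims.com.
;; XFR size: 42 records
"""

# An NS target that begins with a dotted quad, e.g. "68.216.33.5.fbsims.com."
IP_LIKE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(\.|$)")


def lint_zone(axfr_text, origin):
    """Return (owner, code) pairs for the mistakes pointed out in the post."""
    findings = []
    apex_ns = set()
    for line in axfr_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # dig comment lines, blanks, anything that is not a record
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if owner.startswith("#"):
            # The AXFR shows this line being served, so '#' did not comment it out.
            findings.append((owner, "hash-is-not-a-comment"))
            continue
        if rtype == "NS":
            if owner.lower() == origin.lower():
                apex_ns.add(rdata.lower())
            if IP_LIKE.match(rdata):
                # An address was typed where a host name belongs; it needs an A record.
                findings.append((owner, "ns-target-looks-like-ip"))
        elif rtype == "MB":
            findings.append((owner, "mb-record"))
    if len(apex_ns) < 2:
        findings.append((origin, "fewer-than-two-apex-ns"))
    return findings


if __name__ == "__main__":
    for owner, code in lint_zone(SAMPLE_AXFR, "fbsims.com."):
        print(f"{code:26} {owner}")
```
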

Roger Ward

Nov 19, 2003, 10:40:42 PM
If you add ns1.fbsims.com. as a NS record for your domain (ON ns.fbsims.com -
in addition to the NS record there that mentions ns.fbsims.com.), you may see
all your problems clear up.

Another suggestion was to reduce your TTL - so when you make changes (and
increment your serial) your high TTL will not prevent updates from
propagating elsewhere on the Internet.

-Roger


On Wednesday 19 November 2003 03:29 pm, aabo...@fiu.edu wrote:
> > From: Edvard Tuinder <list...@lunytune.nl>
> > Date: 2003/11/19 Wed AM 11:05:12 EST
> > To: aabo...@fiu.edu
> > CC: bind-...@isc.org
> > Subject: Re: dig with status: REFUSED
> >
> > According to aabo...@fiu.edu:
> > > What would cause a query to come back with a refused status?
> > > I can query the zone on some nameservers with no issues, but
> > > on others i not able to. The domain i'm working with is
> > > bernuth.com Could this simply be the changes have not propagated
> > > to all nameservers or I have an issue on my zone configuration?
> >
> > No, not all nameservers allow you to use them as recursive nameservers.
> > The REFUSED return code may be due to that.
> >
> > If you want to verify the setup of your domain, check on
> > www.dnsreport.com. That site will perform various sanity checks on your
> > domain.
> >
> > But to answer your question partially, the setup of your domain is not
> > correct. According to the gtld-servers the nameservers are ns.fbsims.com
> > and ns1.fbsims.com. The first (ns.fbsims) is setup correct, but the
> > second is not answering correctly, but returning SERV-FAIL, which usually

> > indicates that it is not able to transfer the zone from the primary.

> ns.fbsims.com? I'm not understanding the meaning of this error since now an
> NS record exists on both servers.
>
>
> Thanks!
>
> Alain


Len Conrad

Nov 20, 2003, 1:20:00 PM

>My guess would be that you sent a recursive query to a name server that
>does not permit you to perform recursive queries.

afaics, the policies act like this:

"recursion denied" returns an rcode of 0 in a response with a referral

"query denied" returns an rcode of REFUSED

"blackhole" returns no response

Len


_____________________________________________________________________
http://MenAndMice.com/DNS-training: Atlanta; Orlando; San Jose
IMGate.MEIway.com: anti-spam gateway, effective on 1000's of sites, free

