
DNS server works but keep getting "host unreachable resolving" error


Shi Jin

Sep 21, 2009, 4:16:02 PM
to bind-...@lists.isc.org
Hi there,

I've set up a DNS server running bind9 in my LAN and set it up to use the ISP-provided DNS servers as forwarders. Currently this DNS server works in the sense that both internal and external names are resolved without any problem. However, for each DNS query, the syslog shows entries of

dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53
Where the IP 216.171.238.66 is the ISP provided DNS server.

My named.conf.options looks like
forwarders {
216.171.238.66;
216.171.238.67;
};
listen-on-v6 { none; };

When I run dig, I get
/etc/bind# dig

; <<>> DiG 9.5.1-P2 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48733
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 435420 IN NS K.ROOT-SERVERS.NET.
. 435420 IN NS A.ROOT-SERVERS.NET.
. 435420 IN NS H.ROOT-SERVERS.NET.
. 435420 IN NS M.ROOT-SERVERS.NET.
. 435420 IN NS E.ROOT-SERVERS.NET.
. 435420 IN NS J.ROOT-SERVERS.NET.
. 435420 IN NS D.ROOT-SERVERS.NET.
. 435420 IN NS L.ROOT-SERVERS.NET.
. 435420 IN NS G.ROOT-SERVERS.NET.
. 435420 IN NS F.ROOT-SERVERS.NET.
. 435420 IN NS B.ROOT-SERVERS.NET.
. 435420 IN NS C.ROOT-SERVERS.NET.
. 435420 IN NS I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 521820 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 521820 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 297362 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 297362 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 297362 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 297362 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 347113 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 521820 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 297362 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 297362 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 297362 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 297362 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 330463 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 330463 IN AAAA 2001:503:c27::2:30

;; Query time: 0 msec
;; SERVER: 192.168.1.127#53(192.168.1.127)
;; WHEN: Mon Sep 21 14:11:54 2009
;; MSG SIZE rcvd: 500

The IP 192.168.1.127 is the IP address of the LAN DNS server I've set up.
The server has a NAT firewall enabled, so it is able to access the ISP-provided DNS server directly. However, it looks to me like the ISP-provided DNS server (216.171.238.66) was not able to resolve any of the names and all the resolving is done at the top-level servers. Is my understanding correct?

More importantly, is this the correct behavior I should expect, and how do I solve the "host unreachable resolving" problem?

I appreciate your help. Thank you very much.


--
Shi Jin, PhD



Michael Monnerie

Sep 21, 2009, 4:33:05 PM
to bind-...@lists.isc.org
On Monday 21 September 2009 Shi Jin wrote:
> However, it looks to me like the ISP provided DNS server
> (216.171.238.66) was not able to resolve any of the names and all the
> resolving is done at the top level servers. Is my understanding
> correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP
there? Try the same for .67, the other DNS.

Regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4

Shi Jin

Sep 21, 2009, 5:04:28 PM
to bind-...@lists.isc.org, Michael Monnerie
> Try
> dig @216.171.238.66 hp.com
> to see if the .66 host answers to your queries. Maybe you
> got a wrong IP
> there? Try the same for .67, the other DNS.
>

Thank you very much. I tried what you suggested and it seems that these two servers work perfectly. In fact, I can simply set my DNS to these two servers and have the internet names resolved without any problem. The only reason I run my own DNS server is to resolve the intranet names.


~$ dig @216.171.238.66 hp.com

; <<>> DiG 9.5.1-P2 <<>> @216.171.238.66 hp.com
; (1 server found)


;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47923

;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;hp.com. IN A

;; ANSWER SECTION:
hp.com. 574 IN A 15.216.110.140
hp.com. 574 IN A 15.192.45.21
hp.com. 574 IN A 15.192.45.22
hp.com. 574 IN A 15.192.45.138
hp.com. 574 IN A 15.192.45.139
hp.com. 574 IN A 15.216.110.21
hp.com. 574 IN A 15.200.2.21
hp.com. 574 IN A 15.200.30.21
hp.com. 574 IN A 15.200.30.22
hp.com. 574 IN A 15.200.30.23
hp.com. 574 IN A 15.200.30.24
hp.com. 574 IN A 15.216.110.22
hp.com. 574 IN A 15.216.110.139

;; AUTHORITY SECTION:
hp.com. 86374 IN NS ns6.hp.com.
hp.com. 86374 IN NS ns3.hp.com.
hp.com. 86374 IN NS ns4.hp.com.
hp.com. 86374 IN NS ns1.hp.com.
hp.com. 86374 IN NS ns5.hp.com.
hp.com. 86374 IN NS ns2.hp.com.

;; ADDITIONAL SECTION:
ns6.hp.com. 43600 IN A 15.195.208.12
ns1.hp.com. 43600 IN A 15.219.145.12
ns2.hp.com. 43600 IN A 15.219.160.12
ns3.hp.com. 43600 IN A 15.203.209.12
ns4.hp.com. 43600 IN A 15.203.224.14
ns5.hp.com. 43600 IN A 15.195.192.37

;; Query time: 2 msec
;; SERVER: 216.171.238.66#53(216.171.238.66)
;; WHEN: Mon Sep 21 14:59:25 2009
;; MSG SIZE rcvd: 436


Can you see any problem there?
Thanks a lot.

Shi
--


Doug Barton

Sep 21, 2009, 5:37:53 PM
to Shi Jin, bind-...@lists.isc.org
Shi Jin wrote:
> Hi there,
>
> I've set up a DNS server running bind9 in my LAN and set it up to use the ISP-provided DNS servers as forwarders. Currently this DNS server works in the sense that both internal and external names are resolved without any problem. However, for each DNS query, the syslog shows entries of
>
> dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53
> Where the IP 216.171.238.66 is the ISP provided DNS server.

"host unreachable" is one of the clearer error messages, so you need
to do some digging. From the box that you've set up bind9 on you'll
need to use dig to query the ISP's name servers. If that works, then
you'll have to use tcpdump on that box to find out what named is doing.

You might also consider posting your entire named.conf file, and let
us know of any command line arguments you're using to start it with.
Also name and version number of your OS and exact version of named
wouldn't hurt.


Good luck,

Doug

Shi Jin

Sep 21, 2009, 6:04:05 PM
to Doug Barton, bind-...@lists.isc.org

> "host unreachable" is one of the clearer error messages, so
> you need
> to do some digging. From the box that you've set up bind9
> on you'll
> need to use dig to query the ISP's name servers. If that
> works, then
> you'll have to use tcpdump on that box to find out what
> named is doing.
>
> Doug
>
Thank you very much.
Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
ICMP host 216.171.238.67 unreachable - admin prohibited, length 87
So I think this most likely has to do with the firewall setup. Probably I should enable ICMP redirect? Could anyone confirm? And is this safe?

Thank you very much.
Shi



Mark Andrews

Sep 21, 2009, 6:17:21 PM
to Shi Jin, bind-...@lists.isc.org

In message <865284....@web36203.mail.mud.yahoo.com>, Shi Jin writes:
>
> > "host unreachable" is one of the clearer error messages, so
> > you need
> > to do some digging. From the box that you've set up bind9
> > on you'll
> > need to use dig to query the ISP's name servers. If that
> > works, then
> > you'll have to use tcpdump on that box to find out what
> > named is doing.
> >
> > Doug
> >
> Thank you very much.
> Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
> ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works. I think you need to provide
a full trace, not the summary that a plain tcpdump gives.

Add -Xvvv to the set of flags you used with tcpdump.

> So I think this most likely has to do with the firewall setup. Probably I should enable ICMP redirect? Could anyone confirm? And
> is this safe?
>
> Thank you very much.
> Shi
>
>
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Kevin Darcy

Sep 21, 2009, 6:20:06 PM
to bind-...@lists.isc.org
1) Confirm whether you need to forward at all. If you don't need to,
then remove the forwarders entries and that should take care of the
errors in your log.
2) If you *must* use forwarders, look at the part of the config that you
didn't show us, and determine whether there is something there (e.g.
query-source address and/or port, "server" stanza with an inappropriate
TSIG key or EDNS buffer size, etc.) that is causing your packets
destined for 216.171.238.66 to be dropped or rejected, by the target
server or some intermediate device in between.

- Kevin

Shi Jin

Sep 21, 2009, 10:26:40 PM
to Mark Andrews, bind-...@lists.isc.org
Thank you all.
I've confirmed that the problem is firewall related. I've replaced my current Untangle firewall with the simplest Linux NAT iptables firewall and everything works perfectly, without any complaints.

Thank you very much for your kind help/suggestions.

Shi



Matus UHLAR - fantomas

Sep 22, 2009, 11:17:23 AM
to bind-...@lists.isc.org
On 21.09.09 19:26, Shi Jin wrote:
> I've confirmed that the problem is firewall related. I've replaced my
> current Untangle firewall with the simplest Linux NAT iptables firewall and
> everything works perfectly, without any complaints.

I'd say it was bad configuration, not necessarily a bad firewall. The
tcpdump would help us, unless you are satisfied with using linux iptables...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

Barry Margolin

Sep 22, 2009, 12:16:43 PM
to comp-protoc...@isc.org
In article <mailman.565.1253632...@lists.isc.org>,

Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 21.09.09 19:26, Shi Jin wrote:
> > I've confirmed that the problem is firewall related. I've replaced my
> > current Untangle firewall with the simplest Linux NAT iptables firewall and
> > everything works perfectly, without any complaints.
>
> I'd say it was bad configuration, not necessarily a bad firewall. The
> tcpdump would help us, unless you are satisfied with using linux iptables...

Anyone want to bet that he has {query-source * port 53;} in his
named.conf, and this is what the firewall was blocking?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
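As an added illustration (not code from the thread or from ISC), the following Python script correlates the three signals the thread discusses: the "host unreachable resolving" syslog lines from named, the "ICMP ... admin prohibited" line from tcpdump, and a query-source statement that pins the outbound port in named.conf. The sample inputs are constructed from the lines quoted above; the query-source line is constructed to illustrate Barry's hypothesis and is not from Shi's posted config.

```python
import re
from collections import Counter

# Syslog line named emits when it cannot reach a forwarder (format from the thread).
NAMED_RE = re.compile(
    r"named\[\d+\]: host unreachable resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)': (?P<server>[\d.]+)#(?P<port>\d+)"
)
# tcpdump summary of an ICMP "admin prohibited" rejection, as quoted in the thread.
ICMP_RE = re.compile(r"ICMP host (?P<host>[\d.]+) unreachable - admin prohibited")
# named.conf query-source statement with a numeric (i.e. pinned) source port.
QUERY_SOURCE_RE = re.compile(r"query-source\s+(?:address\s+)?(?:\S+\s+)?port\s+(\d+)\s*;")

def unreachable_forwarders(log_lines):
    """Count 'host unreachable resolving' events per forwarder ip#port."""
    counts = Counter()
    for line in log_lines:
        m = NAMED_RE.search(line)
        if m:
            counts[f"{m['server']}#{m['port']}"] += 1
    return counts

def admin_prohibited_hosts(tcpdump_lines):
    """Hosts that some device rejected with ICMP admin-prohibited."""
    return {m["host"] for line in tcpdump_lines if (m := ICMP_RE.search(line))}

def fixed_query_port(named_conf):
    """Pinned query-source port, or None when named picks random source ports."""
    m = QUERY_SOURCE_RE.search(named_conf)
    return int(m.group(1)) if m else None

def diagnose(log_lines, tcpdump_lines, named_conf):
    """Return one finding per unreachable forwarder, plus one if the source port is pinned."""
    findings = []
    rejected = admin_prohibited_hosts(tcpdump_lines)
    for server, n in unreachable_forwarders(log_lines).items():
        ip = server.split("#")[0]
        why = "firewall rejected it (ICMP admin prohibited)" if ip in rejected else "no ICMP seen"
        findings.append(f"{server}: {n} unreachable events, {why}")
    port = fixed_query_port(named_conf)
    if port is not None:
        findings.append(f"query-source pins outbound port {port}: check the egress rule; "
                        "removing the pin lets named randomise source ports")
    return findings

# Constructed sample input modelled on the lines quoted in the thread.
SAMPLE_SYSLOG = [
    "Sep 21 14:11:54 dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 216.171.238.66#53",
    "Sep 21 14:11:55 dhcp-dns named[18638]: host unreachable resolving 'hp.com/A/IN': 216.171.238.67#53",
    "Sep 21 14:11:56 dhcp-dns named[18638]: host unreachable resolving 'google.com/AAAA/IN': 216.171.238.66#53",
]
SAMPLE_TCPDUMP = ["14:12:01 IP 192.168.1.1 > 192.168.1.127: ICMP host 216.171.238.67 unreachable - admin prohibited, length 87"]
SAMPLE_NAMED_CONF = "options { query-source * port 53; forwarders { 216.171.238.66; 216.171.238.67; }; };"
```

Feed it the real syslog, the tcpdump output and named.conf to see which forwarder is being rejected and whether a pinned source port explains the firewall rule that drops it.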
