On 2/12/07, David Miller wrote:
>
> On Feb 12, 2007, at 2:01 PM, Stephen John Smoogen wrote:
>
> > On 2/12/07, David Miller wrote:
> >> For some reason our servers(BIND 9.3.2) will not resolve one domain.
> >> Well, it is the only one that has not worked. My users tell me it was
> >> working last week. The domain is mcmaster.com. This is what I get
> >> when I lookup the domain using my master name server within my
> >> network
> >> ( recursion is turned off).
> >>
> >> nslookup mcmaster.com 192.5.166.12
> >> ;; connection timed out; no servers could be reached
> >>
> >
> > I am missing something if recursion is turned off.. how is it going to
> > do the lookup? What does dig +trace say when it tries to look it up?
> >
> >> It takes a few seconds for it to give that response. Like it can't
> >> even query the server with that string. However I have not had any
> >> problems resolving any other domains. It doesn't even act like it
> >> would with a domain that doesn't exist at all. It immediately
> >> responds back with a "not found: 3(NXDOMAIN)"
> >>
> >> The only changes I have made since last week are to my zone files for
> >> my local domain hostnames. I double check all entries I make using
> >> forward and reverse lookups. BIND is not complaining about anything.
> >> Anyone see this before?
> >>
> >> David.
> >>
> >>
> >>
> >
> >
> > --
> > Stephen J Smoogen. -- CSIRT/Linux System Administrator
> > How far that little candle throws his beams! So shines a good deed
> > in a naughty world. = Shakespeare. "The Merchant of Venice"
>
> By non recursive, it doesn't allow name resolution for domains
> outside my defined network. I have an ACL in my named.conf that
> allows recursive lookups for anything not in the gat.com domain.
>
> Here is what the dig command gives me for mcmaster.com.
>
> ========================================================================
> emac-dmiller:~ millerdc$ dig @192.5.166.12 +trace mcmaster.com
>
> ; <<>> DiG 9.3.2 <<>> @192.5.166.12 +trace mcmaster.com
> ; (1 server found)
> ;; global options: printcmd
> . 3600000 IN NS M.ROOT-SERVERS.NET.
> . 3600000 IN NS A.ROOT-SERVERS.NET.
> . 3600000 IN NS B.ROOT-SERVERS.NET.
> . 3600000 IN NS C.ROOT-SERVERS.NET.
> . 3600000 IN NS D.ROOT-SERVERS.NET.
> . 3600000 IN NS E.ROOT-SERVERS.NET.
> . 3600000 IN NS F.ROOT-SERVERS.NET.
> . 3600000 IN NS G.ROOT-SERVERS.NET.
> . 3600000 IN NS H.ROOT-SERVERS.NET.
> . 3600000 IN NS I.ROOT-SERVERS.NET.
> . 3600000 IN NS J.ROOT-SERVERS.NET.
> . 3600000 IN NS K.ROOT-SERVERS.NET.
> . 3600000 IN NS L.ROOT-SERVERS.NET.
> ;; Received 228 bytes from 192.5.166.12#53(192.5.166.12) in 2 ms
>
> com. 172800 IN NS A.GTLD-SERVERS.NET.
> com. 172800 IN NS B.GTLD-SERVERS.NET.
> com. 172800 IN NS C.GTLD-SERVERS.NET.
> com. 172800 IN NS D.GTLD-SERVERS.NET.
> com. 172800 IN NS E.GTLD-SERVERS.NET.
> com. 172800 IN NS F.GTLD-SERVERS.NET.
> com. 172800 IN NS G.GTLD-SERVERS.NET.
> com. 172800 IN NS H.GTLD-SERVERS.NET.
> com. 172800 IN NS I.GTLD-SERVERS.NET.
> com. 172800 IN NS J.GTLD-SERVERS.NET.
> com. 172800 IN NS K.GTLD-SERVERS.NET.
> com. 172800 IN NS L.GTLD-SERVERS.NET.
> com. 172800 IN NS M.GTLD-SERVERS.NET.
> ;; Received 490 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 126 ms
>
> mcmaster.com. 172800 IN NS ns1.mcmaster.com.
> mcmaster.com. 172800 IN NS ns2.mcmaster.com.
> mcmaster.com. 172800 IN NS ns3.mcmaster.com.
> ;; Received 132 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 100 ms
>

mcmaster.com. 172800 IN NS ns1.mcmaster.com.
mcmaster.com. 172800 IN NS ns2.mcmaster.com.
mcmaster.com. 172800 IN NS ns3.mcmaster.com.
;; Received 132 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 73 ms

mcmaster.com. 60 IN A 209.64.25.230
;; Received 46 bytes from 209.64.25.241#53(ns1.mcmaster.com) in 44 ms

I would check for a firewall issue or a BOGUS issue that isn't allowing
you to get the IP data for that last hop.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
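As an added illustration (not part of this thread, and not code from either poster), the Python script below parses dig +trace output of the kind shown above and reports where the delegation chain stopped. The two sample traces are constructed from the thread and abbreviated: the first follows David's trace, which ends after A.GTLD-SERVERS.NET hands out the mcmaster.com NS records and none of those servers reply; the second follows Stephen's trace, which reaches ns1.mcmaster.com and gets the A record. When the parent zone answered but the delegated servers never did, the script names those servers as the hop to check, which is the firewall / bogus-entry check Stephen suggests. The function names and the dict keys are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the trace David posted: the root and
# .com hops answer, then the trace ends after the mcmaster.com NS records,
# i.e. none of ns1/ns2/ns3.mcmaster.com ever replied.
STALLED_TRACE = """\
; <<>> DiG 9.3.2 <<>> @192.5.166.12 +trace mcmaster.com
; (1 server found)
;; global options:  printcmd
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
;; Received 228 bytes from 192.5.166.12#53(192.5.166.12) in 2 ms

com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
;; Received 490 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 126 ms

mcmaster.com.           172800  IN      NS      ns1.mcmaster.com.
mcmaster.com.           172800  IN      NS      ns2.mcmaster.com.
mcmaster.com.           172800  IN      NS      ns3.mcmaster.com.
;; Received 132 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 100 ms
"""

# Constructed sample, abbreviated from Stephen's trace: same chain, but the
# final hop to ns1.mcmaster.com succeeds and returns the A record.
COMPLETE_TRACE = STALLED_TRACE + """
mcmaster.com.           60      IN      A       209.64.25.230
;; Received 46 bytes from 209.64.25.241#53(ns1.mcmaster.com) in 44 ms
"""

# "<owner> <ttl> IN <type> <rdata>" as dig prints resource records
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")
# ";; Received <n> bytes from <ip>#<port>(<server>) in <t> ms" closes one hop
RECEIVED_RE = re.compile(r"^;; Received (\d+) bytes from ([^#\s]+)#(\d+)\(([^)]+)\) in (\d+) ms")


@dataclass
class Hop:
    """One round of the trace: the records returned and the server that returned them."""
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)
    server_ip: Optional[str] = None
    server_name: Optional[str] = None


def parse_trace(text: str) -> List[Hop]:
    """Split dig +trace output into hops, each ended by its ';; Received' line."""
    hops: List[Hop] = []
    current = Hop()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECEIVED_RE.match(line)
        if m:
            # the "Received" line tells us who answered; it closes this hop
            current.server_ip, current.server_name = m.group(2), m.group(4)
            hops.append(current)
            current = Hop()
            continue
        if line.startswith(";"):
            continue  # other dig commentary (header, "connection timed out", ...)
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            current.records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    if current.records:
        hops.append(current)  # records without a closing "Received" line are kept too
    return hops


def diagnose(text: str, qname: str) -> dict:
    """Classify a +trace run for qname as 'resolved', 'stalled' or 'empty'."""
    qname = qname.lower().rstrip(".") + "."
    hops = parse_trace(text)
    if not hops:
        return {"status": "empty"}
    last = hops[-1]
    answers = [r for r in last.records if r[0] == qname and r[2] in ("A", "AAAA", "CNAME")]
    if answers:
        return {"status": "resolved", "answered_by": last.server_name,
                "rdata": [r[3] for r in answers]}
    # No answer for qname: the last server that replied only handed out a
    # delegation, so the servers it named are the ones that never answered.
    delegation = [r for r in last.records if r[2] == "NS"]
    return {
        "status": "stalled",
        "last_hop": last.server_name,
        "zone": delegation[0][0] if delegation else None,
        "unanswered_servers": [r[3] for r in delegation],
        "hint": ("parent zone answered but these servers did not: query them directly "
                 "(dig @<server> <name>, over UDP and TCP) and check for a filter between "
                 "the resolver and them, or a blackhole/bogus entry for them in named.conf"),
    }


if __name__ == "__main__":
    for label, trace in (("David's trace", STALLED_TRACE), ("Stephen's trace", COMPLETE_TRACE)):
        print(label, "->", diagnose(trace, "mcmaster.com"))
```

Run it against a saved `dig @resolver +trace name > trace.txt` by passing the file contents to diagnose(); a "stalled" result whose last_hop is the parent's server means the resolver itself is fine up to that point and the problem lies between it and the listed unanswered servers.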