[TriLUG] DNS problems
Aaron S. Joyner
aaron at joyner.ws
Fri Apr 14 01:27:54 EDT 2006

Rick DeNatale wrote:
>On 4/13/06, Brian Henning <brian at strutmasters.com> wrote:
>
>
>>Hi Folks!
>> We just registered a domain in the .com.mx TLD. Wahoo. Here's the
>>problem:
>>
>>Our current domestic web host provides our DNS for our
>>strutmasters.com.mx domain name, and is properly configured:
>>
>>% dig www.strutmasters.com.mx @ns5.esosoft.net
>>--snip--
>>;; ANSWER SECTION:
>>www.strutmasters.com.mx. 43200 IN CNAME strutmasters.com.mx.
>>strutmasters.com.mx. 43200 IN A 161.58.166.59
>>--snip--
>>
>>However, if I do a top-down dig of www.strutmasters.com.mx, I get:
>>
>>% dig www.strutmasters.com.mx
>>--snip--
>>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10002
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>>;; QUESTION SECTION:
>>;www.strutmasters.com.mx. IN A
>>
>>;; AUTHORITY SECTION:
>>com.mx. 465 IN SOA a.ns.mx.
>>hostmaster.nic.mx. 446764 3600 300 604800 1800
>>--snip--
>>
>>(but if I dig for just strutmasters.com.mx, I get the correct authority
>>section:
>>;; AUTHORITY SECTION:
>>strutmasters.com.mx. 41836 IN NS ns5.esosoft.net.
>>strutmasters.com.mx. 41836 IN NS ns6.esosoft.net.
>>strutmasters.com.mx. 41836 IN NS ns7.esosoft.net.
>>)
>>
>>
>>That smells to me (a complete novice in the DNS world) like the .com.mx
>>TLD authority (a.ns.mx) is misconfigured and doesn't realize that
>>*.strutmasters.com.mx should fall to the same authority as
>>strutmasters.com.mx.
>>
>>
>
>I think that what it really means is that you've got a default dns
>server which has cached an entry before your domain got to the tld
>servers which hasn't expired yet.
>
>If I look for www.strutmasters.com.mx I get:
>
>$ dig www.strutmasters.com.mx
>---snip---
>;; QUESTION SECTION:
>;www.strutmasters.com.mx. IN A
>
>;; ANSWER SECTION:
>www.strutmasters.com.mx. 42859 IN CNAME strutmasters.com.mx.
>strutmasters.com.mx. 42859 IN A 161.58.166.59
>
>;; AUTHORITY SECTION:
>strutmasters.com.mx. 42859 IN NS ns7.esosoft.net.
>strutmasters.com.mx. 42859 IN NS ns5.esosoft.net.
>strutmasters.com.mx. 42859 IN NS ns6.esosoft.net.
>
>;; ADDITIONAL SECTION:
>ns5.esosoft.net. 56208 IN A 38.118.200.5
>ns6.esosoft.net. 56208 IN A 38.118.200.6
>ns7.esosoft.net. 55992 IN A 66.159.208.230
>
>So I'd look closer to home for the problem. Are you running a local
>caching name server? Had you done a lookup of www.strutmasters.com.mx
>which failed earlier?
>
>If you can't get whatever upstream dns server to flush the cache, the
>solution might be just to wait for the cache entry to expire.
>
>
Rick's assessment is mostly correct. I don't know why you're not seeing
the correct answer back from whatever local resolver you're using
(whatever is in your resolv.conf, which is what's used when you don't specify
a server). All I know from the output you've provided is that a) it'll
work for everyone who's not using that local resolver, and b) that local
resolver can't chase past com.mx, because it probably got an
authoritative NACK (i.e. no such record) from com.mx when it first tried
to chase strutmasters.com.mx. That negative caching shouldn't last long
though, probably not long enough for you to gather the information to
compose your email above (like, 5-10 mins). Another possibility is that
you've horribly misconfigured the local resolver, and it thinks it's
responsible for com.mx, and doesn't know about strutmasters.com.mx, but
that's also rather unlikely. It's even more unlikely because the TTL on
the SOA isn't a round number (465), indicating it's probably in the
process of expiring as you were writing the above email, which wouldn't
happen if it were authoritative for com.mx. So I'm at a loss to explain
the dig output you pasted w/o more info.

So in short, as Rick suggested, things are fine from the outside world,
look at your local resolver more closely. An `rndc flush` or analysis
of the output from `rndc dumpdb` might prove useful if the problem
still exists.

Here's what the outside world sees, as a +trace:

asjoyner at bob:~$ dig +trace www.strutmasters.com.mx
; <<>> DiG 9.3.1 <<>> +trace www.strutmasters.com.mx
;; global options: printcmd
. 113105 IN NS M.ROOT-SERVERS.NET.
. 113105 IN NS A.ROOT-SERVERS.NET.
. 113105 IN NS B.ROOT-SERVERS.NET.
. 113105 IN NS C.ROOT-SERVERS.NET.
. 113105 IN NS D.ROOT-SERVERS.NET.
. 113105 IN NS E.ROOT-SERVERS.NET.
. 113105 IN NS F.ROOT-SERVERS.NET.
. 113105 IN NS G.ROOT-SERVERS.NET.
. 113105 IN NS H.ROOT-SERVERS.NET.
. 113105 IN NS I.ROOT-SERVERS.NET.
. 113105 IN NS J.ROOT-SERVERS.NET.
. 113105 IN NS K.ROOT-SERVERS.NET.
. 113105 IN NS L.ROOT-SERVERS.NET.
;; Received 244 bytes from 10.0.5.1#53(10.0.5.1) in 1 ms
mx. 172800 IN NS D.NS.mx.
mx. 172800 IN NS A.NS.mx.
mx. 172800 IN NS B.NS.mx.
mx. 172800 IN NS C.NS.mx.
;; Received 172 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 118 ms
strutmasters.com.mx. 86400 IN NS ns5.esosoft.net.
strutmasters.com.mx. 86400 IN NS ns6.esosoft.net.
strutmasters.com.mx. 86400 IN NS ns7.esosoft.net.
;; Received 106 bytes from 207.248.64.1#53(D.NS.mx) in 83 ms
www.strutmasters.com.mx. 43200 IN CNAME strutmasters.com.mx.
strutmasters.com.mx. 43200 IN A 161.58.166.59
strutmasters.com.mx. 43200 IN NS ns5.esosoft.net.
strutmasters.com.mx. 43200 IN NS ns6.esosoft.net.
strutmasters.com.mx. 43200 IN NS ns7.esosoft.net.
;; Received 184 bytes from 38.118.200.5#53(ns5.esosoft.net) in 21 ms

Good luck storming the castle... erm, chasing the problem!

Aaron S. Joyner
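
The negative-caching reasoning in the reply above, as an added example that is not part of the original message: this Python function reads the NXDOMAIN response quoted in the thread and reports whether it came from a cache and how long it can persist. The function name and result keys are hypothetical, and the age bound assumes the resolver follows RFC 2308 and starts the negative TTL at no more than the SOA MINIMUM field.

```python
import re

# Constructed sample: the NXDOMAIN response quoted in the thread, with the
# mail-wrapped SOA record re-joined onto one line as dig prints it.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.strutmasters.com.mx. IN A

;; AUTHORITY SECTION:
com.mx. 465 IN SOA a.ns.mx. hostmaster.nic.mx. 446764 3600 300 604800 1800
"""

SOA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+"      # owner, TTL, mname, rname
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)",  # serial .. minimum
    re.MULTILINE)


def analyze_negative_answer(dig_text):
    """Classify a dig response and, for a cached NXDOMAIN, bound its lifetime."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    soa = SOA_RE.search(dig_text)
    result = {
        "status": status.group(1) if status else None,
        # "aa" is set only when the queried server is authoritative.
        "authoritative": bool(flags) and "aa" in flags.group(1).split(),
        "negative_zone": None, "expires_in": None, "max_age": None,
    }
    if result["status"] != "NXDOMAIN" or soa is None:
        return result
    ttl, minimum = int(soa.group(2)), int(soa.group(7))
    result["negative_zone"] = soa.group(1)  # zone that denied the name
    if not result["authoritative"]:
        # Assumption (RFC 2308): the cache started at min(SOA TTL, MINIMUM),
        # so the TTL shown is what remains and MINIMUM - TTL bounds the age.
        result["expires_in"] = ttl
        result["max_age"] = max(minimum - ttl, 0)
    return result


if __name__ == "__main__":
    for key, value in analyze_negative_answer(SAMPLE).items():
        print(f"{key}: {value}")
```

Without `rndc flush`, the resolver keeps returning this answer until `expires_in` seconds have passed.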