
banderas20 04-09-2024 06:30 AM

[DNS] DIG can't resolve but HOST and NSLOOKUP can
 
Hi!

I have set up a bind9 local DNS with recursion turned off.

From the DNS server, if I query google.es using DIG it returns:

;; WARNING: recursion requested but not available

However, if I use HOST, it works:

google.es has address 216.58.215.131

Same happens with NSLOOKUP

nslookup google.es
;; Got recursion not available from 172.17.70.1, trying next server
Server: 212.230.135.2
Address: 212.230.135.2#53

I expected neither of them to succeed.

Why this behaviour?

Thanks!

smallpond 04-09-2024 08:05 AM

What is in /etc/resolv.conf?

bathory 04-09-2024 09:36 AM

Quote:

From the DNS server, if I query google.es using DIG it returns:

;; WARNING: recursion requested but not available
This is not an error. It's a warning meaning that 216.239.38.10 (the authoritative nameserver) does not provide recursion.

After this warning you should see the answer to your query:
Code:

dig google.es @216.239.32.10

; <<>> DiG 9.19.17 <<>> google.es @216.239.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44047
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.es.                        IN        A

;; ANSWER SECTION:
google.es.                300        IN        A        142.251.140.67

;; Query time: 68 msec
;; SERVER: 216.239.32.10#53(216.239.32.10) (UDP)
;; WHEN: Tue Apr 09 17:32:04 EEST 2024
;; MSG SIZE  rcvd: 54


banderas20 04-09-2024 12:37 PM

Quote:

Originally Posted by bathory
This is not an error. It's a warning meaning that 216.239.38.10 (the authoritative nameserver) does not provide recursion.

I omitted the full output for abbreviation. I get this:

Code:

; <<>> DiG 9.16.48-Ubuntu <<>> google.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27264
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 80f92978ecbb53dc0100000066157b669c16f9a7882752a4 (good)
;; QUESTION SECTION:
;google.es.                        IN        A

;; Query time: 0 msec
;; SERVER: 172.17.70.1#53(172.17.70.1)
;; WHEN: Tue Apr 09 19:31:18 CEST 2024
;; MSG SIZE  rcvd: 66

172.17.70.1 is my local DNS server.



Quote:

Originally Posted by smallpond
What is in /etc/resolv.conf?

nameserver 172.17.70.1
nameserver 212.230.135.2
nameserver 212.230.135.1


172.17.70.1 is my local DNS server.
The other 2 IPs must come from another external interface.

Thanks!

bathory 04-09-2024 04:11 PM

Quote:

I omitted the full output for abbreviation. I get this:

; <<>> DiG 9.16.48-Ubuntu <<>> google.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27264
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 80f92978ecbb53dc0100000066157b669c16f9a7882752a4 (good)
;; QUESTION SECTION:
;google.es. IN A

;; Query time: 0 msec
;; SERVER: 172.17.70.1#53(172.17.70.1)
;; WHEN: Tue Apr 09 19:31:18 CEST 2024
;; MSG SIZE rcvd: 66
As you can see from the dig command output above, you get a REFUSED answer to your query from 172.17.70.1, meaning that you are not allowed to use this nameserver.
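
Added example, not written by any poster in this thread: a small Python parser that reads the header lines of the two dig outputs quoted above and separates the two cases under discussion, an authoritative answer that merely lacks recursion and a refused query. The function names `parse_dig` and `diagnose` are hypothetical; the sample text is copied from the outputs in the posts.

```python
import re

# Header lines copied from the two dig outputs quoted in this thread.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44047
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 216.239.32.10#53(216.239.32.10) (UDP)
"""
LOCAL_BIND = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27264
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 172.17.70.1#53(172.17.70.1)
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#", re.M)


def parse_dig(text):
    """Extract status, flags, answer count and server from dig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    server = SERVER_RE.search(text)
    if not (header and flags and server):
        raise ValueError("not a complete dig response header")
    return {
        "status": header.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
        "server": server.group(1),
    }


def diagnose(text):
    """Return (server, kind of reply, whether dig's recursion warning applies)."""
    r = parse_dig(text)
    # dig prints the warning when the reply carries rd but not ra.
    no_recursion = "rd" in r["flags"] and "ra" not in r["flags"]
    kind = "no answer (%s)" % r["status"]
    if r["status"] == "NOERROR" and r["answers"] > 0:
        kind = "authoritative answer" if "aa" in r["flags"] else "answer"
    elif r["status"] == "REFUSED":
        kind = "query refused"
    return r["server"], kind, no_recursion


if __name__ == "__main__":
    print(diagnose(AUTHORITATIVE), diagnose(LOCAL_BIND))
```

Both replies trigger the same warning line; only the status and the answer count tell them apart.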

banderas20 04-10-2024 04:46 AM

Quote:

Originally Posted by bathory (Post 6495049)
As you can see from the dig command output above, you get a REFUSED answer to your query from 172.17.70.1, meaning that you are not allowed to use this nameserver.

Hi! I get that. Since I have 3 DNS servers configured, if the first one fails, it proceeds with the next one (as shown in the nslookup output). But why does dig fail to resolve without trying the other two nameservers?

Thanks!

lvm_ 04-10-2024 05:28 AM

A wise man once said: 'If everything else fails, read the man page'.

Code:

      +[no]fail
              This option indicates that named should try [or not try] the next server if a SERVFAIL is received. The default is to not
              try the next server, which is the reverse of normal stub resolver behavior.


banderas20 04-10-2024 12:32 PM

Quote:

Originally Posted by lvm_ (Post 6495130)
A wise man once said: 'If everything else fails, read the man page'.

Code:

      +[no]fail
              This option indicates that named should try [or not try] the next server if a SERVFAIL is received. The default is to not
              try the next server, which is the reverse of normal stub resolver behavior.


Thanks, man! :)

