Old 04-09-2024, 06:30 AM   #1
banderas20
[DNS] DIG can't resolve but HOST and NSLOOKUP can


Hi!

I have set up a bind9 local DNS with recursion turned off.

From the DNS server, if I query google.es using DIG it returns:

;; WARNING: recursion requested but not available

However, if I use HOST, it works:

google.es has address 216.58.215.131

Same happens with NSLOOKUP

nslookup google.es
;; Got recursion not available from 172.17.70.1, trying next server
Server: 212.230.135.2
Address: 212.230.135.2#53

I expected neither of them to succeed.

Why this behaviour?

Thanks!
 
Old 04-09-2024, 08:05 AM   #2
smallpond
What is in /etc/resolv.conf?
 
Old 04-09-2024, 09:36 AM   #3
bathory
Quote:
From the DNS server, if I query google.es using DIG it returns:

;; WARNING: recursion requested but not available
This is not an error. It's a warning meaning that 216.239.38.10 (the authoritative nameserver) does not provide recursion.

After this warning you should see the answer to your query:
Code:
dig google.es @216.239.32.10

; <<>> DiG 9.19.17 <<>> google.es @216.239.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44047
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.es.			IN	A

;; ANSWER SECTION:
google.es.		300	IN	A	142.251.140.67

;; Query time: 68 msec
;; SERVER: 216.239.32.10#53(216.239.32.10) (UDP)
;; WHEN: Tue Apr 09 17:32:04 EEST 2024
;; MSG SIZE  rcvd: 54
 
Old 04-09-2024, 12:37 PM   #4
banderas20
Quote:
Originally Posted by bathory
This is not an error. It's a warning meaning that 216.239.38.10 (the authoritative nameserver) does not provide recursion.
I omitted the full output for abbreviation. I get this:

Code:
; <<>> DiG 9.16.48-Ubuntu <<>> google.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27264
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 80f92978ecbb53dc0100000066157b669c16f9a7882752a4 (good)
;; QUESTION SECTION:
;google.es.			IN	A

;; Query time: 0 msec
;; SERVER: 172.17.70.1#53(172.17.70.1)
;; WHEN: Tue Apr 09 19:31:18 CEST 2024
;; MSG SIZE  rcvd: 66
172.17.70.1 is my local DNS server.



Quote:
Originally Posted by smallpond
What is in /etc/resolv.conf?
nameserver 172.17.70.1
nameserver 212.230.135.2
nameserver 212.230.135.1


172.17.70.1 is my local DNS server.
The other 2 IPs must come from another external interface.

Thanks!
 
Old 04-09-2024, 04:11 PM   #5
bathory
Quote:
I omitted the full output for abbreviation. I get this:

; <<>> DiG 9.16.48-Ubuntu <<>> google.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27264
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 80f92978ecbb53dc0100000066157b669c16f9a7882752a4 (good)
;; QUESTION SECTION:
;google.es. IN A

;; Query time: 0 msec
;; SERVER: 172.17.70.1#53(172.17.70.1)
;; WHEN: Tue Apr 09 19:31:18 CEST 2024
;; MSG SIZE rcvd: 66
As you can see from the dig command output above, you get a REFUSED answer to your query from 172.17.70.1, meaning that you are not allowed to use this nameserver.
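
The two dig outputs quoted in this thread differ only in what the DNS header carries on the `flags:` and `status:` lines. The following is an added example, not part of any post in the thread: it decodes the 12-byte DNS header and treats "RD set, RA clear" as the condition behind dig's recursion warning. The two byte strings are constructed to match the ids, flags and counts printed in posts #3 and #4.

```python
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035 section 4.1.1, plus AD/CD)
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "status": RCODES.get(rcode, f"RCODE{rcode}"),
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def diagnose(msg: bytes) -> str:
    """Classify a response the way the thread reads the dig output."""
    h = parse_header(msg)
    no_recursion = "rd" in h["flags"] and "ra" not in h["flags"]
    if h["status"] == "REFUSED":
        return "refused: server will not answer this query for this client"
    if h["status"] == "NOERROR" and "aa" in h["flags"] and h["counts"]["ANSWER"]:
        note = " (recursion not offered, not needed)" if no_recursion else ""
        return "authoritative answer" + note
    if no_recursion:
        return "recursion requested but not available"
    return h["status"].lower()


# Constructed headers matching the values printed in posts #3 and #4
AUTH_ANSWER = bytes.fromhex("ac0f" "8500" "0001" "0001" "0000" "0001")
REFUSED = bytes.fromhex("6a80" "8105" "0001" "0000" "0000" "0001")

if __name__ == "__main__":
    for label, raw in (("post #3", AUTH_ANSWER), ("post #4", REFUSED)):
        print(label, parse_header(raw), "->", diagnose(raw))
```
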
 
Old 04-10-2024, 04:46 AM   #6
banderas20
Quote:
Originally Posted by bathory
As you can see from the dig command output above, you get a REFUSED answer to your query from 172.17.70.1, meaning that you are not allowed to use this nameserver.
Hi! I get that. Since I have 3 DNS servers configured, if the first one fails, it proceeds with the next one (as shown in the nslookup output). But why does dig fail to resolve without trying the other two nameservers?

Thanks!
 
Old 04-10-2024, 05:28 AM   #7
lvm_
A wise man once said: 'If everything else fails, read the man page'.

Code:
       +[no]fail
              This  option indicates that named should try [or not try] the next server if a SERVFAIL is received. The default is to not
              try the next server, which is the reverse of normal stub resolver behavior.
 
Old 04-10-2024, 12:32 PM   #8
banderas20

Quote:
Originally Posted by lvm_
A wise man once said: 'If everything else fails, read the man page'.

Code:
       +[no]fail
              This  option indicates that named should try [or not try] the next server if a SERVFAIL is received. The default is to not
              try the next server, which is the reverse of normal stub resolver behavior.
Thanks, man!
 
  

