LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Linux BIND refuses to resolve Microsoft domains??? (http://www.linuxquestions.org/questions/linux-server-73/linux-bind-refuses-to-resolve-microsoft-domains-700621/)

ddekeyser2000 01-28-2009 03:48 PM
Linux BIND refuses to resolve Microsoft domains???
 
Hi all!

I am baffled by this problem. I have setup a BIND 9.5.1-P1 service on a Fedora Core 9 server. Clients, that point to this server and our service provider as a secondary, resolve www.google.com and local names with no problem. Yet they cannot resolve any Microsoft names (i.e. msn.com, msdn.com, hotmail.com, etc.)!! Now, I have my own bias against Micro$**t but I don't know why BIND would. If I place my client(laptop) outside of our firewall so that it only gets our service provider's DNS, Micro$**t's names resolve without any problem.

In fact, this same configuration was used on a previous Fedora Core 6 system without problems. The only change was that I needed to uncomment this line:

query-source port 53;

I have used yum to completely update everything on the server. 'yum update' returns no more updates.

Here is my named.conf file:

Code:
options {
        directory "/var/named";

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out.  But you probably
        // need to talk to your firewall admin.

        query-source port 53;

};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
        algorithm hmac-md5;
        secret "tsktsktsk";
};

key "DHCP_UPDATER" {
        algorithm hmac-md5;
        secret "nada";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        allow-transfer { 127.0.0.1; };
        allow-update { none; };
        file "pz/127.0.0";
};

zone "example.com" {
        type master;
        notify no;
        allow-transfer { 127.0.0.1; };
        allow-update { key "DHCP_UPDATER"; };
        file "pz/example.com";
};

zone "0.30.172.in-addr.arpa" {
        type master;
        notify no;
        allow-transfer { 127.0.0.1; };
        allow-update { key "DHCP_UPDATER"; };
        file "pz/example-reverse";
};
Any help would be greatly appreciated. Thanks in advance!

bathory 01-28-2009 04:20 PM
Are you sure that you cannot resolve just the M$ domains?
Because you need the hint zone "." in order to be able to resolve domains that your dns is not authoritative.
Add
Code:
zone "." in {
 type hint;
 file "root.hints";
 };
in /etc/named.conf and run
Code:
dig @a.root-servers.net . ns > root.hints
to get the latest hint zone file. If you cannot resolve a.root-servers.net, use its IP: 198.41.0.4

Regards

ddekeyser2000 01-28-2009 04:35 PM
Thanks! I'll give that a try.

ddekeyser2000 01-28-2009 04:42 PM
Thanks for the reply but unfortunately that did not help.

Here is the result of an nslookup:

Code:
# nslookup www.msn.com
;; connection timed out; no servers could be reached
...and another that was successful (modified)...

Code:
nslookup www.linuxquestions.org
Server:        172.30.0.xx
Address:        172.30.0.xx#53

Non-authoritative answer:
Name:  www.linuxquestions.org
Address: 75.126.162.205

ddekeyser2000 01-28-2009 04:54 PM
Quick note: Those two nslookups were done successively from the same system.

bathory 01-29-2009 02:20 AM
Quote:
Originally Posted by ddekeyser2000 (Post 3424553)
Quick note: Those two nslookups were done successively from the same system.
If the same system cannot contact always the dns, then this is a network or firewall problem.
The fact that the 1st time that failed to contact the dns you're looking up msn.com and the 2nd time it succeeded to lookup linuxquestions.org, I think it's purely random.
You can use dig to investigate further
Code:
dig +trace www.msn.com
or disable the "query-source port 53' option and see if it helps.

ddekeyser2000 01-29-2009 09:49 AM
The nslookup's that I showed you were just two of many. It consistently fails for Microsoft sites. It consistently works for any other name.

The dig with trace produced some interesting results.

Code:
# dig +trace www.msn.com

; <<>> DiG 9.5.1-P1 <<>> +trace www.msn.com
;; global options:  printcmd
.                      468187  IN      NS      H.ROOT-SERVERS.NET.
.                      468187  IN      NS      D.ROOT-SERVERS.NET.
.                      468187  IN      NS      J.ROOT-SERVERS.NET.
.                      468187  IN      NS      B.ROOT-SERVERS.NET.
.                      468187  IN      NS      C.ROOT-SERVERS.NET.
.                      468187  IN      NS      A.ROOT-SERVERS.NET.
.                      468187  IN      NS      M.ROOT-SERVERS.NET.
.                      468187  IN      NS      K.ROOT-SERVERS.NET.
.                      468187  IN      NS      G.ROOT-SERVERS.NET.
.                      468187  IN      NS      F.ROOT-SERVERS.NET.
.                      468187  IN      NS      E.ROOT-SERVERS.NET.
.                      468187  IN      NS      I.ROOT-SERVERS.NET.
.                      468187  IN      NS      L.ROOT-SERVERS.NET.
;; Received 488 bytes from 172.30.0.35#53(172.30.0.35) in 2 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 55 ms

msn.com.                172800  IN      NS      ns1.msft.net.
msn.com.                172800  IN      NS      ns2.msft.net.
msn.com.                172800  IN      NS      ns3.msft.net.
msn.com.                172800  IN      NS      ns4.msft.net.
msn.com.                172800  IN      NS      ns5.msft.net.
;; Received 207 bytes from 192.42.93.30#53(g.gtld-servers.net) in 71 ms

dig: couldn't get address for 'ns1.msft.net': failure
Code:
# dig +trace ns1.msft.net

; <<>> DiG 9.5.1-P1 <<>> +trace ns1.msft.net
;; global options:  printcmd
.                      468079  IN      NS      J.ROOT-SERVERS.NET.
.                      468079  IN      NS      E.ROOT-SERVERS.NET.
.                      468079  IN      NS      K.ROOT-SERVERS.NET.
.                      468079  IN      NS      G.ROOT-SERVERS.NET.
.                      468079  IN      NS      H.ROOT-SERVERS.NET.
.                      468079  IN      NS      B.ROOT-SERVERS.NET.
.                      468079  IN      NS      C.ROOT-SERVERS.NET.
.                      468079  IN      NS      M.ROOT-SERVERS.NET.
.                      468079  IN      NS      I.ROOT-SERVERS.NET.
.                      468079  IN      NS      A.ROOT-SERVERS.NET.
.                      468079  IN      NS      L.ROOT-SERVERS.NET.
.                      468079  IN      NS      D.ROOT-SERVERS.NET.
.                      468079  IN      NS      F.ROOT-SERVERS.NET.
;; Received 500 bytes from 172.30.0.35#53(172.30.0.35) in 1 ms

net.                    172800  IN      NS      K.GTLD-SERVERS.net.
net.                    172800  IN      NS      M.GTLD-SERVERS.net.
net.                    172800  IN      NS      D.GTLD-SERVERS.net.
net.                    172800  IN      NS      J.GTLD-SERVERS.net.
net.                    172800  IN      NS      B.GTLD-SERVERS.net.
net.                    172800  IN      NS      H.GTLD-SERVERS.net.
net.                    172800  IN      NS      A.GTLD-SERVERS.net.
net.                    172800  IN      NS      L.GTLD-SERVERS.net.
net.                    172800  IN      NS      I.GTLD-SERVERS.net.
net.                    172800  IN      NS      F.GTLD-SERVERS.net.
net.                    172800  IN      NS      G.GTLD-SERVERS.net.
net.                    172800  IN      NS      E.GTLD-SERVERS.net.
net.                    172800  IN      NS      C.GTLD-SERVERS.net.
;; Received 487 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 77 ms

ns1.msft.net.          172800  IN      A      207.68.160.190
msft.net.              172800  IN      NS      ns1.msft.net.
msft.net.              172800  IN      NS      ns2.msft.net.
msft.net.              172800  IN      NS      ns3.msft.net.
msft.net.              172800  IN      NS      ns4.msft.net.
msft.net.              172800  IN      NS      ns5.msft.net.
;; Received 212 bytes from 192.5.6.30#53(A.GTLD-SERVERS.net) in 115 ms
I'm not sure why on the first one it said it couldn't get the address for ns1.msft.net but the second obviously did.

ddekeyser2000 01-29-2009 09:53 AM
I'll try to disable the 'query-source port 53' option after my users go home tonight. Could you explain that option to me? I didn't need it before (when the server was on Fedora Core 6).

Thanks!

bathory 01-29-2009 12:11 PM
Quote:
I'll try to disable the 'query-source port 53' option after my users go home tonight. Could you explain that option to me? I didn't need it before (when the server was on Fedora Core 6).
This option is used when your firewall permits outgoing traffic only from source port 53 (or some other ports you have specified) and block anything else.
In a default situation bind only accepts queries from clients on port 53 and uses other random unprivileged ports when it acts as a client and contact another dns for a domain it cannot resolve.
Now the fact it's not resolving the M$ domains, is really strange. Did you run the dig command to get the latest root.hints file? Because I see that your "dig +trace" uses the K.ROOT-SERVERS.NET that does not exist in my root.hints that I've just downoaded. Maybe K.ROOT-SERVERS.NET is not used and thus it's .outdated

ddekeyser2000 01-29-2009 12:34 PM
Thanks for the option description. I'm not sure why I need that now when I didn't need it before. I haven't made any changes to my firewall.

I did do the dig command as you requested before to create the root.hints file. The K server was included.

I deleted the 'K' server from the file and restarted 'named'. It still does not resolve Microsoft but still resolves everything else.

bathory 01-29-2009 12:57 PM
Quote:
I'm not sure why I need that now when I didn't need it before. I haven't made any changes to my firewall.
Are you sure you need it? If you do and you haven't changed anything in the configuration of your firewall then it's maybe selinux.
Quote:
I did do the dig command as you requested before to create the root.hints file. The K server was included.

I deleted the 'K' server from the file and restarted 'named'. It still does not resolve Microsoft but still resolves everything else.
Well the correct root.hints should contain the k root servers. It seems that the a.root-server I used is outdated.

ddekeyser2000 01-30-2009 03:27 PM
Thanks for all of your help bathory! I was unable to work on this problem today. I'll revisit this on Monday.

Thanks again!

ddekeyser2000 02-03-2009 12:14 PM
OKAY, I'm not sure why this worked but I just commented out:

// query-source port 53;

...and everything seems to be working fine now. I'm not sure why it didn't work before. Unfortunately, there is some other variable that I'm not seeing that must have changed.

Sorry to anyone looking at this for answers. Maybe it will give you a hint if you have a similar issue.

Thanks for all of your help bathory!!!


All times are GMT -5. The time now is 04:11 PM.