Linux BIND refuses to resolve Microsoft domains???

ddekeyser2000 · 01-28-2009, 03:48 PM

Hi all!

I am baffled by this problem. I have setup a BIND 9.5.1-P1 service on a Fedora Core 9 server. Clients, that point to this server and our service provider as a secondary, resolve www.google.com and local names with no problem. Yet they cannot resolve any Microsoft names (i.e. msn.com, msdn.com, hotmail.com, etc.)!! Now, I have my own bias against Micro$**t but I don't know why BIND would. If I place my client(laptop) outside of our firewall so that it only gets our service provider's DNS, Micro$**t's names resolve without any problem.

In fact, this same configuration was used on a previous Fedora Core 6 system without problems. The only change was that I needed to uncomment this line:

query-source port 53;

I have used yum to completely update everything on the server. 'yum update' returns no more updates.

Here is my named.conf file:

Code:

options {
        directory "/var/named";

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out.  But you probably
        // need to talk to your firewall admin.

        query-source port 53;

};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
        algorithm hmac-md5;
        secret "tsktsktsk";
};

key "DHCP_UPDATER" {
         algorithm hmac-md5;
         secret "nada";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        allow-transfer { 127.0.0.1; };
        allow-update { none; };
        file "pz/127.0.0";
};

zone "example.com" {
        type master;
        notify no;
        allow-transfer { 127.0.0.1; };
        allow-update { key "DHCP_UPDATER"; };
        file "pz/example.com";
};

zone "0.30.172.in-addr.arpa" {
        type master;
        notify no;
        allow-transfer { 127.0.0.1; };
        allow-update { key "DHCP_UPDATER"; };
        file "pz/example-reverse";
};

Any help would be greatly appreciated. Thanks in advance!

bathory · 01-28-2009, 04:20 PM

Are you sure that you cannot resolve just the M$ domains?
Because you need the hint zone "." in order to be able to resolve domains that your dns is not authoritative.
Add

Code:

 zone "." in {
 type hint;
 file "root.hints";
 };

in /etc/named.conf and run

Code:

dig @a.root-servers.net . ns > root.hints

to get the latest hint zone file. If you cannot resolve a.root-servers.net, use its IP: 198.41.0.4

Regards

ddekeyser2000 · 01-28-2009, 04:35 PM

Thanks! I'll give that a try.

ddekeyser2000 · 01-28-2009, 04:42 PM

Thanks for the reply but unfortunately that did not help.

Here is the result of an nslookup:

Code:

# nslookup www.msn.com
;; connection timed out; no servers could be reached

...and another that was successful (modified)...

Code:

nslookup www.linuxquestions.org
Server:         172.30.0.xx
Address:        172.30.0.xx#53

Non-authoritative answer:
Name:   www.linuxquestions.org
Address: 75.126.162.205

ddekeyser2000 · 01-28-2009, 04:54 PM

Quick note: Those two nslookups were done successively from the same system.

bathory · 01-29-2009, 02:20 AM

Quote:

Originally Posted by ddekeyser2000

Quick note: Those two nslookups were done successively from the same system.

If the same system cannot contact always the dns, then this is a network or firewall problem.
The fact that the 1st time that failed to contact the dns you're looking up msn.com and the 2nd time it succeeded to lookup linuxquestions.org, I think it's purely random.
You can use dig to investigate further

Code:

dig +trace www.msn.com

or disable the "query-source port 53' option and see if it helps.

ddekeyser2000 · 01-29-2009, 09:49 AM

The nslookup's that I showed you were just two of many. It consistently fails for Microsoft sites. It consistently works for any other name.

The dig with trace produced some interesting results.

Code:

# dig +trace www.msn.com

; <<>> DiG 9.5.1-P1 <<>> +trace www.msn.com
;; global options:  printcmd
.                       468187  IN      NS      H.ROOT-SERVERS.NET.
.                       468187  IN      NS      D.ROOT-SERVERS.NET.
.                       468187  IN      NS      J.ROOT-SERVERS.NET.
.                       468187  IN      NS      B.ROOT-SERVERS.NET.
.                       468187  IN      NS      C.ROOT-SERVERS.NET.
.                       468187  IN      NS      A.ROOT-SERVERS.NET.
.                       468187  IN      NS      M.ROOT-SERVERS.NET.
.                       468187  IN      NS      K.ROOT-SERVERS.NET.
.                       468187  IN      NS      G.ROOT-SERVERS.NET.
.                       468187  IN      NS      F.ROOT-SERVERS.NET.
.                       468187  IN      NS      E.ROOT-SERVERS.NET.
.                       468187  IN      NS      I.ROOT-SERVERS.NET.
.                       468187  IN      NS      L.ROOT-SERVERS.NET.
;; Received 488 bytes from 172.30.0.35#53(172.30.0.35) in 2 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 489 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 55 ms

msn.com.                172800  IN      NS      ns1.msft.net.
msn.com.                172800  IN      NS      ns2.msft.net.
msn.com.                172800  IN      NS      ns3.msft.net.
msn.com.                172800  IN      NS      ns4.msft.net.
msn.com.                172800  IN      NS      ns5.msft.net.
;; Received 207 bytes from 192.42.93.30#53(g.gtld-servers.net) in 71 ms

dig: couldn't get address for 'ns1.msft.net': failure

Code:

# dig +trace ns1.msft.net

; <<>> DiG 9.5.1-P1 <<>> +trace ns1.msft.net
;; global options:  printcmd
.                       468079  IN      NS      J.ROOT-SERVERS.NET.
.                       468079  IN      NS      E.ROOT-SERVERS.NET.
.                       468079  IN      NS      K.ROOT-SERVERS.NET.
.                       468079  IN      NS      G.ROOT-SERVERS.NET.
.                       468079  IN      NS      H.ROOT-SERVERS.NET.
.                       468079  IN      NS      B.ROOT-SERVERS.NET.
.                       468079  IN      NS      C.ROOT-SERVERS.NET.
.                       468079  IN      NS      M.ROOT-SERVERS.NET.
.                       468079  IN      NS      I.ROOT-SERVERS.NET.
.                       468079  IN      NS      A.ROOT-SERVERS.NET.
.                       468079  IN      NS      L.ROOT-SERVERS.NET.
.                       468079  IN      NS      D.ROOT-SERVERS.NET.
.                       468079  IN      NS      F.ROOT-SERVERS.NET.
;; Received 500 bytes from 172.30.0.35#53(172.30.0.35) in 1 ms

net.                    172800  IN      NS      K.GTLD-SERVERS.net.
net.                    172800  IN      NS      M.GTLD-SERVERS.net.
net.                    172800  IN      NS      D.GTLD-SERVERS.net.
net.                    172800  IN      NS      J.GTLD-SERVERS.net.
net.                    172800  IN      NS      B.GTLD-SERVERS.net.
net.                    172800  IN      NS      H.GTLD-SERVERS.net.
net.                    172800  IN      NS      A.GTLD-SERVERS.net.
net.                    172800  IN      NS      L.GTLD-SERVERS.net.
net.                    172800  IN      NS      I.GTLD-SERVERS.net.
net.                    172800  IN      NS      F.GTLD-SERVERS.net.
net.                    172800  IN      NS      G.GTLD-SERVERS.net.
net.                    172800  IN      NS      E.GTLD-SERVERS.net.
net.                    172800  IN      NS      C.GTLD-SERVERS.net.
;; Received 487 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 77 ms

ns1.msft.net.           172800  IN      A       207.68.160.190
msft.net.               172800  IN      NS      ns1.msft.net.
msft.net.               172800  IN      NS      ns2.msft.net.
msft.net.               172800  IN      NS      ns3.msft.net.
msft.net.               172800  IN      NS      ns4.msft.net.
msft.net.               172800  IN      NS      ns5.msft.net.
;; Received 212 bytes from 192.5.6.30#53(A.GTLD-SERVERS.net) in 115 ms

I'm not sure why on the first one it said it couldn't get the address for ns1.msft.net but the second obviously did.

ddekeyser2000 · 01-29-2009, 09:53 AM

I'll try to disable the 'query-source port 53' option after my users go home tonight. Could you explain that option to me? I didn't need it before (when the server was on Fedora Core 6).

Thanks!

bathory · 01-29-2009, 12:11 PM

Quote:

I'll try to disable the 'query-source port 53' option after my users go home tonight. Could you explain that option to me? I didn't need it before (when the server was on Fedora Core 6).

This option is used when your firewall permits outgoing traffic only from source port 53 (or some other ports you have specified) and block anything else.
In a default situation bind only accepts queries from clients on port 53 and uses other random unprivileged ports when it acts as a client and contact another dns for a domain it cannot resolve.
Now the fact it's not resolving the M$ domains, is really strange. Did you run the dig command to get the latest root.hints file? Because I see that your "dig +trace" uses the K.ROOT-SERVERS.NET that does not exist in my root.hints that I've just downoaded. Maybe K.ROOT-SERVERS.NET is not used and thus it's .outdated

ddekeyser2000 · 01-29-2009, 12:34 PM

Thanks for the option description. I'm not sure why I need that now when I didn't need it before. I haven't made any changes to my firewall.

I did do the dig command as you requested before to create the root.hints file. The K server was included.

I deleted the 'K' server from the file and restarted 'named'. It still does not resolve Microsoft but still resolves everything else.

bathory · 01-29-2009, 12:57 PM

Quote:

I'm not sure why I need that now when I didn't need it before. I haven't made any changes to my firewall.

Are you sure you need it? If you do and you haven't changed anything in the configuration of your firewall then it's maybe selinux.

Quote:

I did do the dig command as you requested before to create the root.hints file. The K server was included.

I deleted the 'K' server from the file and restarted 'named'. It still does not resolve Microsoft but still resolves everything else.

Well the correct root.hints should contain the k root servers. It seems that the a.root-server I used is outdated.

ddekeyser2000 · 01-30-2009, 03:27 PM

Thanks for all of your help bathory! I was unable to work on this problem today. I'll revisit this on Monday.

Thanks again!

ddekeyser2000 · 02-03-2009, 12:14 PM

OKAY, I'm not sure why this worked but I just commented out:

// query-source port 53;

...and everything seems to be working fine now. I'm not sure why it didn't work before. Unfortunately, there is some other variable that I'm not seeing that must have changed.

Sorry to anyone looking at this for answers. Maybe it will give you a hint if you have a similar issue.

Thanks for all of your help bathory!!!