Old 05-13-2019, 12:30 AM   #1
avian
LQ Newbie
 
Registered: Aug 2014
Posts: 7

bind 9.14 in slackware-current resolving question


I have a bind/named question that I'm hoping one of you gurus can help me with. I've spent the weekend on it and it's exceeding my level of knowledge.

On a fresh install of slackware-current, with bind (9.14.x) running with the default caching example config files (or otherwise, but without forwarding, and with the "-4" ipv4 only option if you can), can anyone successfully resolve "www.ing.com.au"? I mean "ing.com.au" resolves fine for me, just wondering if "www.ing.com.au" resolves (preferably without resolving *.clb.ing.com.au first which seems to kick it along).

I thought it was due to some configuration files I carried over from an old 14.1 install, but a fresh install of slack-current in a VM seems to have the same behavior. Yet my old 14.1 install carried over to a VM resolves it fine. Is there something I'm missing in the jump from bind-9.11 to bind-9.14?
 
Old 05-14-2019, 02:55 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,676
Blog Entries: 15

Can you show us what you have in the zone file for ing.com.au - it would help.

You can test external to your system by using sites https://tools.dnsstuff.com/

There lookup of ing.com.au returns:
ing.com.au. A IN 300 8ms 203.31.183.134

Lookup of www.ing.com.au returns:
www.ing.com.au. CNAME IN 300 7ms www.clb.ing.com.au.

I was able to resolve same on another system as well. Initially the www.ing.com.au failed but www.clb.ing.com.au worked so I suspect you figured out the issue while I was typing this up. Presumably it was a problem with the CNAME.
 
Old 05-14-2019, 06:29 PM   #3
avian
LQ Newbie
 
Registered: Aug 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
Can you show us what you have in the zone file for ing.com.au - it would help.
Thanks for the assistance MensaWater. I wasn't very clear in my first post. I'm running bind with some of my own zone files (they are all working well) but ing.com.au isn't one of them (it's actually a major bank). So it's just the caching portion of bind that seems to be giving me grief.


Quote:
Originally Posted by MensaWater View Post
Lookup of www.ing.com.au returns:
www.ing.com.au. CNAME IN 300 7ms www.clb.ing.com.au.
When using bind 9.11.x on Slackware-14.1, an nslookup gives me :

Code:
> www.ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
www.ing.com.au	canonical name = www.clb.ing.com.au.
Name:	www.clb.ing.com.au
Address: 203.31.183.134

When using bind 9.14.x on slackware-current, I get -:

Code:
> www.ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find www.ing.com.au: SERVFAIL
Now if I continue doing a few more nslookups, this is how it appears in order -:

Code:
> ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	ing.com.au
Address: 203.31.183.134

Non-authoritative answer:
Name:	ing.com.au
Address: 203.31.183.134

> www.ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find www.ing.com.au: SERVFAIL

> www.clb.ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	www.clb.ing.com.au
Address: 203.31.183.134

> www.ing.com.au
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
www.ing.com.au	canonical name = www.clb.ing.com.au.
Name:	www.clb.ing.com.au
Address: 203.31.183.134

Quote:
Originally Posted by MensaWater View Post
I was able to resolve same on another system as well. Initially the www.ing.com.au failed but www.clb.ing.com.au worked so I suspect you figured out the issue while I was typing this up. Presumably it was a problem with the CNAME.
It seems to me we are having a similar issue resolving www.ing.com.au. I wonder if it's an issue on ING's end, but being a major bank, and resolving without issues on any public dns server (1.1.1.1, 8.8.8.8 etc), and resolving without issues on older versions of bind, it has me puzzled.

It doesn't seem to be related to any changes I've made to the config files, as a fresh unmodified slackware-current install (in a VM) gives me the same issues, and a fresh unmodified slackware-14.1 (in a VM) seems to resolve it first go fine.

Last edited by avian; 05-15-2019 at 03:15 AM.
 
Old 05-15-2019, 10:48 AM   #4
MensaWater
You might want to try "dig" rather than "nslookup" as the latter is deprecated.

If it still gives failure you might try "dig +trace" on it to see if it works that way.
 
Old 05-16-2019, 10:27 PM   #5
avian
LQ Newbie
 
Registered: Aug 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
I found the issue and a solution, and will document it in case it helps someone in the future.

Quote:
Originally Posted by MensaWater View Post
You might want to try "dig" rather than "nslookup" as the latter is deprecated.

If it still gives failure you might try "dig +trace" on it to see if it works that way.
Thanks for the suggestions, I really should be using dig (nslookup is an old habit), but alas a "dig +trace" doesn't help in this situation as it merely mimics a nameserver's behaviour (by iterating down the name server tree starting at root); it doesn't exactly replicate what BIND 9.14 was doing internally, even when querying a BIND 9.14 nameserver.

I ended up using tcpdump and compared the requests 9.11 and 9.14 were making when querying www.ing.com.au. BIND 9.14 obfuscated the full host name during queries, which meant that when querying "tcfphywebgtm01-c.ing.com.au" it decided to go one step further down the chain to the next NS, which is actually an ING intranet hostname (tcfphywebgtm01.mgmtau.ingdirect.intranet). This is where it fails.

If you do a query for www.clb.ing.com.au separately, it successfully resolves www.clb.ing.com.au, so while that result is in the cache, it will successfully resolve www.ing.com.au (which is a CNAME to www.clb.ing.com.au). This is why MensaWater thought I had repaired the zone file when doing another query on www.ing.com.au at the end. I had the same behaviour here running 9.14.

After looking at the changelogs for 9.14, I found that it enables QNAME-Minimization by default. QNAME-Minimization (according to RFC 7816) is "a technique to improve DNS privacy, [..] where the DNS resolver no longer sends the full original QNAME to the upstream name server.".

So once I added "qname-minimization off;" to the named.conf options section all was good. So it seems weirdly that the issue is on ING's end, and their nameservers are misconfigured in regard to qname-minimization compatibility. Not surprising considering it is a relatively new (late March) default feature in BIND's stable (9.14.x) branch.

Last edited by avian; 05-16-2019 at 10:30 PM.
 
3 members found this post helpful.
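The tcpdump comparison described in post #5, as an added example that is not part of the original thread: it classifies each outgoing query in a capture as carrying the full client name or only a parent domain, which is the difference QNAME minimization makes on the wire. The capture lines, addresses and `ns1.example.net` are constructed for illustration (NS probes as suggested by RFC 7816), not the poster's real traffic.

```python
import re
from collections import Counter

# tcpdump prints an outgoing DNS query roughly as:
#   <time> IP <src>.<port> > <dst>.53: <id>[flags] [1au] <QTYPE>? <qname> (<len>)
QUERY_RE = re.compile(
    r"> (?P<dst>[\d.]+)\.53: \d+[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)

def labels(name):
    return [part for part in name.lower().rstrip(".").split(".") if part]

def classify(line, target):
    """Return (dst, qtype, qname, kind) for one capture line, or None if not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q, t = labels(m["qname"]), labels(target)
    if q == t:
        kind = "full"        # upstream server saw the whole client name
    elif len(q) < len(t) and t[len(t) - len(q):] == q:
        kind = "minimized"   # only a parent domain of the target was sent
    else:
        kind = "other"       # e.g. address lookups for name servers
    return m["dst"], m["qtype"], m["qname"], kind

def summarize(capture, target):
    rows = [r for r in (classify(l, target) for l in capture.splitlines()) if r]
    return Counter(kind for *_, kind in rows), rows

# Constructed captures (documentation addresses), not the poster's real traffic.
CAPTURE_FULL = """\
10:00:00.000001 IP 192.168.1.1.40001 > 192.0.2.1.53: 1001 [1au] A? www.ing.com.au. (43)
10:00:00.020001 IP 192.168.1.1.40002 > 192.0.2.2.53: 1002 [1au] A? www.ing.com.au. (43)
"""
CAPTURE_MINIMIZED = """\
10:00:00.000001 IP 192.168.1.1.40001 > 192.0.2.1.53: 2001 [1au] NS? com.au. (35)
10:00:00.020001 IP 192.168.1.1.40002 > 192.0.2.2.53: 2002 [1au] NS? ing.com.au. (39)
10:00:00.040001 IP 192.168.1.1.40003 > 192.0.2.3.53: 2003 [1au] A? www.ing.com.au. (43)
10:00:00.060001 IP 192.168.1.1.40004 > 192.0.2.3.53: 2004 [1au] A? ns1.example.net. (44)
"""

if __name__ == "__main__":
    for label, cap in (("full-QNAME resolver", CAPTURE_FULL),
                       ("minimizing resolver", CAPTURE_MINIMIZED)):
        counts, rows = summarize(cap, "www.ing.com.au")
        print(label, dict(counts))
        for dst, qtype, qname, kind in rows:
            print(f"  {dst:<12} {qtype:<3} {qname:<20} {kind}")
```

To use it on real traffic, save the text output of `tcpdump -n port 53` from each resolver and pass it to `summarize()` with the name the client asked for.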
Old 05-17-2019, 09:00 AM   #6
MensaWater
Thanks for sharing your solution. If you don't mind, please go to Thread Tools and mark this "Solved". It makes it easier for others to find solutions in future web searches.