Yet another development:
TCP DNS queries work just fine, as confirmed by getting a response by issuing dig +tcp @server_ip
UDP queries are not even getting to the server.
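Added example, not from any poster in this thread: a small Python probe that sends the same DNS question over UDP and over TCP separately and reports what came back on each, so "UDP 53 is being dropped somewhere on the path" can be told apart from "nothing is listening". It builds the query in wire format by hand (RFC 1035), adds the 2-byte length prefix TCP requires, and decodes the header bits dig prints as flags (qr, aa, tc, rd, ra) and status. The default server and zone are the ones from this thread (64.79.45.135, d45h.net); the function names, the fixed transaction id 0x1234 and the 3-second timeout are this example's own choices.

```python
"""Probe a DNS server over UDP and TCP separately to tell 'UDP blocked' from 'server down'."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Wire-format DNS query (RFC 1035 s4.1): 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    flags = 0x0100 if rd else 0x0000          # RD bit, which dig sets by default
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the header bits dig shows as 'flags: qr aa rd' and 'status: NOERROR'."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "status": RCODES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def frame_tcp(msg):
    """DNS over TCP prefixes every message with a 16-bit big-endian length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)   # raises socket.timeout if nothing ever comes back
    return data


def query_tcp(server, name, timeout=3.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(q))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def probe(server, name, timeout=3.0):
    """Return {'udp': ..., 'tcp': ...}: a parsed header on success, else a short failure label."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = parse_header(fn(server, name, timeout))
        except socket.timeout:
            results[transport] = "timeout"          # packet dropped on the path or by a filter
        except ConnectionRefusedError:
            results[transport] = "refused"          # RST / ICMP port unreachable: nothing listening
        except OSError as exc:
            results[transport] = "error: %s" % exc
    return results


if __name__ == "__main__":
    # Defaults are the server and zone discussed in this thread; override on the command line.
    server = sys.argv[1] if len(sys.argv) > 1 else "64.79.45.135"
    name = sys.argv[2] if len(sys.argv) > 2 else "d45h.net"
    for transport, outcome in probe(server, name).items():
        print(transport, outcome)
```

Reading the result: "timeout" on UDP alongside a normal header on TCP is the pattern of a filter silently dropping UDP/53 somewhere between you and the server, not of a dead server; "refused" on both means nothing is bound to port 53. A UDP answer with tc set is truncated and must be retried over TCP, which dig does on its own. An answer with aa set and ra clear is exactly what the dig output later in this thread shows ("recursion requested but not available"), and is the expected shape for an authoritative-only server.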
Are they getting there but the queries are being blocked on the return? What do your /var/log/messages error logs say?
No the UDP queries aren't even reaching the server according to the packet capture. There's nothing about it in messages.
Is your DNS server listed as the authoritative server for the domain at your registrar, like Verisign or Godaddy? Other DNS servers may not know where to visit to get domain information.
I bought the domain through Godaddy. I set up host records pointing to my server and then set the DNS to those records. Godaddy requires 2 DNS servers, but I have both of them pointing to the same IP.
What does the output of the dig command give?
Are your name servers visible?
# dig domain-name.com
It times out, which makes sense, because the root servers should be pointing at my name server, which isn't accepting UDP queries.
However when I try a TCP query to a different public DNS server it times out.
This is what it does if I force dig to use my nameserver.
; <<>> DiG 9.4.3-P1 <<>> +tcp @64.79.45.135 d45h.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36913
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;d45h.net. IN A
;; ANSWER SECTION:
d45h.net. 86400 IN A 64.79.45.135
;; AUTHORITY SECTION:
d45h.net. 86400 IN NS ns2.d45h.net.
d45h.net. 86400 IN NS ns1.d45h.net.
;; ADDITIONAL SECTION:
ns1.d45h.net. 86400 IN A 64.79.45.135
ns2.d45h.net. 86400 IN A 64.79.45.135
;; Query time: 103 msec
;; SERVER: 64.79.45.135#53(64.79.45.135)
;; WHEN: Mon Jan 4 11:33:55 2010
;; MSG SIZE rcvd: 110
So it turns out I was wrong about the ISP. They block all DNS traffic from any IP outside their network. They were having trouble with DoS attacks, so they just blocked it all together at the Edge.
So are they going to change the policy?