Date: Sun, 13 Dec 2009 00:29:30 +0200 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: Gary Kline <kline@thought.org> Cc: freebsd-questions@freebsd.org Subject: DNS problems at thought.org [was: Re: lynx failure....] Message-ID: <87bpi3aks5.fsf_-_@kobe.laptop> In-Reply-To: <20091212182115.GB4431@thought.org> (Gary Kline's message of "Sat, 12 Dec 2009 10:21:15 -0800") References: <20091212080949.GA2606@thought.org> <87fx7ga7lw.fsf@kobe.laptop> <20091212182115.GB4431@thought.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 12 Dec 2009 10:21:15 -0800, Gary Kline <kline@thought.org> wrote:
>On Sat, Dec 12, 2009 at 11:01:47AM +0200, Giorgos Keramidas wrote:
>>On Sat, 12 Dec 2009 00:09:52 -0800, Gary Kline <kline@thought.org> wrote:
>>> Using lynx:
>>>
>>> Looking up www.thought.org
>>> Unable to locate remote host www.thought.org.
>>> Alert!: Unable to connect to remote host.
>>>
>>> Obviously, something is wrong with how my new DBS, mAil, and web
>>> server, ethic, is configurated. Can anybody help me here?
>>
>> Are you sure DNS for the "thought.org" domain works?
>>
>> keramida@kobe:/home/keramida$ host www.thought.org
>> Host www.thought.org not found: 3(NXDOMAIN)
>> keramida@kobe:/home/keramida$
>
> The more I think about it, no, I'm not sure. The guy who set up my
> new DNS was using the named in ports while I was using the one in
> /usr/sbin.
That shouldn't be a problem. Both bind versions should be able to serve
your zone files correctly.
When you see 'weird' DNS errors from one place but they seem to magically
disappear if you perform the same query from another place, it is _very_
often a good indication that there is _somewhere_ a stale SOA record and a
stale copy of your zone files. Tracking down where the stale SOA record is
cached may be a bit of work, but it's definitely doable...
The name servers registered for your domain at `thought.org' are:
: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
: awk '{print $NF}'
: a.ns.celestial.com.
: ns1.localhostservices.net.
: b.ns.celestial.com.
: d.ns.celestial.com.
: ns2.secondary.com.
: ns1.thought.org.
: c.ns.celestial.com.
: $
The IPv4 addresses of these hosts seem to be:
: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
: awk '{print $NF}' | \
: while read name ; do \
: addrs=$( host "${name}" 2>&1 | fgrep 'has address' | \
: awk '{print $NF}' | sort ); \
: echo "${name} ${addrs}" ; \
: done | tee thought.org-ns.txt
: a.ns.celestial.com. 192.136.111.41
: ns1.localhostservices.net. 69.55.236.116
: ns1.thought.org. 209.180.213.210
: ns2.secondary.com. 198.133.199.4
: c.ns.celestial.com. 192.136.111.43
: b.ns.celestial.com. 192.136.111.42
: d.ns.celestial.com. 65.255.106.208
: $
So there are seven (7) different name servers that should have the same SOA
record and the same version of your zone file. How many of them *do* have
the same version though?
: keramida@kobe:~$ while read nshost nsip ; do \
: echo "${nshost} [${nsip}] =>" ; \
: dig "@${nsip}" thought.org soa 2>&1 | expand | \
: fgrep ' SOA ' | sed -e 's/.* SOA[ ]*//' ; \
: echo ; \
: done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: ns1.localhostservices.net. [69.55.236.116] =>
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns1.thought.org. [209.180.213.210] =>
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: b.ns.celestial.com. [192.136.111.42] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: d.ns.celestial.com. [65.255.106.208] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: keramida@kobe:~$
>From this output you can now see that:
* There is at least one name server in your NS list that does not have a
SOA record at _all_ for your domain (ns2.secondary.com)
* There are four name servers that have stale copy of your zone file from
last year (a.ns.celestial.com, b.ns.celestial.com, c.ns.celestial.com,
and d.ns.celestial.com).
* There are two name servers that appear to have a copy from 2009-12-08
(ns1.thought.org and ns1.localhostservices.net)
Trying to resolve `www.thought.org' through each one of these name servers,
to find the ones that cause some of the DNS queries to fail, shows the
following:
: $ while read nshost nsip ; do \
: echo "${nshost} [${nsip}] =>" ; \
: dig "@${nsip}" www.thought.org a | expand | \
: grep '^www\.thought\.org' ; \
: echo ; \
: done < thought.org-ns.txt
: a.ns.celestial.com. [192.136.111.41] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: ns1.localhostservices.net. [69.55.236.116] =>
: www.thought.org. 38400 IN CNAME ethic.thought.org.
:
: ns1.thought.org. [209.180.213.210] =>
: www.thought.org. 38400 IN CNAME ethic.thought.org.
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: b.ns.celestial.com. [192.136.111.42] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: d.ns.celestial.com. [65.255.106.208] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: $
Trying the same query for "aristotle.thought.org" works for the servers
with the old, stale SOA records (and the zone file from last year), but it
fails for ns1.thought.org and ns1.localhostservices.net:
: $ while read nshost nsip ; do \
: echo "${nshost} [${nsip}] =>" ; \
: dig "@${nsip}" aristotle.thought.org a | expand | \
: grep '^aristotle\.thought\.org' ; \
: echo ; done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: ns1.localhostservices.net. [69.55.236.116] =>
:
: ns1.thought.org. [209.180.213.210] =>
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: b.ns.celestial.com. [192.136.111.42] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: d.ns.celestial.com. [65.255.106.208] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: $
The same query for "ethic.thought.org" reveals yet another problem. Your
name server at ns1.thought.org is not responding to queries:
: $ while read nshost nsip ; do \
: echo "${nshost} [${nsip}] =>" ; \
: dig "@${nsip}" ethic.thought.org a | expand | \
: grep '^ethic\.thought\.org' ; \
: echo ; \
: done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
:
: ns1.localhostservices.net. [69.55.236.116] =>
: ethic.thought.org. 38400 IN A 209.180.213.210
:
: ns1.thought.org. [209.180.213.210] =>
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
:
: b.ns.celestial.com. [192.136.111.42] =>
:
: d.ns.celestial.com. [65.255.106.208] =>
:
: $
You have some serious DNS issues with your current setup. I think you
should start by:
1) *Removing* from the NS records of your domain the name servers that
are not necessary (the celestial.com ones).
2) *Updating* the NS list of the same domain at the DNS registrar you are
using to use ns1.thought.org and ns1.localhostservices.net.
3) Checking the firewall settings at ns1.thought.org to see why it does
not respond to queries.
The current listing of name servers for thought.org in whois(1) output
points to the name servers of celestial.com. -- the ones with the bogus SOA
record from last year:
: $ whois thought.org
: [...]
: Tech ID:GKG-C00000A6A4
: Tech Name:Gary Kline
: Tech Organization:Thought Unlimited
: [...]
: Tech Email:c7cc9848d2890d50b47f6bc835d93463a88d4a6a@whois.gkg.net
: Name Server:NS1.SECONDARY.COM
: Name Server:NS2.SECONDARY.COM
: Name Server:NS1.THOUGHT.ORG
: Name Server:A.NS.CELESTIAL.COM
: Name Server:B.NS.CELESTIAL.COM
: [...]
When you *do* update the NS listing through your DNS registration service,
point it _only_ at name servers that really have a valid copy of your zone
files and are set up to serve as secondaries. After a while, when the
changes propagate to all the name servers, your domain should work fine
with bind (either the base-system or ports version).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87bpi3aks5.fsf_-_>