From: Giorgos Keramidas
To: Gary Kline
Cc: freebsd-questions@freebsd.org
Subject: DNS problems at thought.org [was: Re: lynx failure....]
Date: Sun, 13 Dec 2009 00:29:30 +0200

On Sat, 12 Dec 2009 10:21:15 -0800, Gary Kline wrote:
> On Sat, Dec 12, 2009 at 11:01:47AM +0200, Giorgos Keramidas wrote:
>> On Sat, 12 Dec 2009 00:09:52 -0800, Gary Kline wrote:
>>> Using lynx:
>>>
>>> Looking up www.thought.org
>>> Unable to locate remote host www.thought.org.
>>> Alert!: Unable to connect to remote host.
>>>
>>> Obviously, something is wrong with how my new DNS, mail, and web
>>> server, ethic, is configured. Can anybody help me here?
>>
>> Are you sure DNS for the "thought.org" domain works?
>>
>> keramida@kobe:/home/keramida$ host www.thought.org
>> Host www.thought.org not found: 3(NXDOMAIN)
>> keramida@kobe:/home/keramida$
>
> The more I think about it, no, I'm not sure. The guy who set up my
> new DNS was using the named in ports while I was using the one in
> /usr/sbin.

That shouldn't be a problem. Both bind versions should be able to serve
your zone files correctly.

When you see 'weird' DNS errors from one place but they seem to
magically disappear if you perform the same query from another place, it
is _very_ often a good indication that there is _somewhere_ a stale SOA
record and a stale copy of your zone files.

Tracking down where the stale SOA record is cached may be a bit of work,
but it's definitely doable...

The name servers registered for your domain at `thought.org' are:

: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
:     awk '{print $NF}'
: a.ns.celestial.com.
: ns1.localhostservices.net.
: b.ns.celestial.com.
: d.ns.celestial.com.
: ns2.secondary.com.
: ns1.thought.org.
: c.ns.celestial.com.
: $

The IPv4 addresses of these hosts seem to be:

: $ host -t ns thought.org 2>&1 | expand | fgrep 'name server' | \
:     awk '{print $NF}' | \
:     while read name ; do \
:         addrs=$( host "${name}" 2>&1 | fgrep 'has address' | \
:             awk '{print $NF}' | sort ); \
:         echo "${name} ${addrs}" ; \
:     done | tee thought.org-ns.txt
: a.ns.celestial.com. 192.136.111.41
: ns1.localhostservices.net. 69.55.236.116
: ns1.thought.org. 209.180.213.210
: ns2.secondary.com. 198.133.199.4
: c.ns.celestial.com. 192.136.111.43
: b.ns.celestial.com. 192.136.111.42
: d.ns.celestial.com. 65.255.106.208
: $

So there are seven (7) different name servers that should have the same
SOA record and the same version of your zone file. How many of them
*do* have the same version though?

: keramida@kobe:~$ while read nshost nsip ; do \
:     echo "${nshost} [${nsip}] =>" ; \
:     dig "@${nsip}" thought.org soa 2>&1 | expand | \
:         fgrep ' SOA ' | sed -e 's/.* SOA[ ]*//' ; \
:     echo ; \
: done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: ns1.localhostservices.net. [69.55.236.116] =>
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns1.thought.org. [209.180.213.210] =>
: ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: b.ns.celestial.com. [192.136.111.42] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: d.ns.celestial.com. [65.255.106.208] =>
: aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
:
: keramida@kobe:~$

From this output you can now see that:

  * There is at least one name server in your NS list that does not
    have a SOA record at _all_ for your domain (ns2.secondary.com)

  * There are four name servers that have a stale copy of your zone
    file from last year (a.ns.celestial.com, b.ns.celestial.com,
    c.ns.celestial.com, and d.ns.celestial.com).

  * There are two name servers that appear to have a copy from
    2009-12-08 (ns1.thought.org and ns1.localhostservices.net)

Trying to resolve `www.thought.org' through each one of these name
servers, to find the ones that cause some of the DNS queries to fail,
shows the following:

: $ while read nshost nsip ; do \
:     echo "${nshost} [${nsip}] =>" ; \
:     dig "@${nsip}" www.thought.org a | expand | \
:         grep '^www\.thought\.org' ; \
:     echo ; \
: done < thought.org-ns.txt
: a.ns.celestial.com. [192.136.111.41] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: ns1.localhostservices.net. [69.55.236.116] =>
: www.thought.org. 38400 IN CNAME ethic.thought.org.
:
: ns1.thought.org. [209.180.213.210] =>
: www.thought.org. 38400 IN CNAME ethic.thought.org.
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: b.ns.celestial.com. [192.136.111.42] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: d.ns.celestial.com. [65.255.106.208] =>
: www.thought.org. 38400 IN CNAME aristotle.thought.org.
:
: $

Trying the same query for "aristotle.thought.org" works for the servers
with the old, stale SOA records (and the zone file from last year), but
it fails for ns1.thought.org and ns1.localhostservices.net:

: $ while read nshost nsip ; do \
:     echo "${nshost} [${nsip}] =>" ; \
:     dig "@${nsip}" aristotle.thought.org a | expand | \
:         grep '^aristotle\.thought\.org' ; \
:     echo ; done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: ns1.localhostservices.net. [69.55.236.116] =>
:
: ns1.thought.org. [209.180.213.210] =>
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: b.ns.celestial.com. [192.136.111.42] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: d.ns.celestial.com. [65.255.106.208] =>
: aristotle.thought.org. 38400 IN A 209.180.213.210
:
: $

The same query for "ethic.thought.org" reveals yet another problem.
Your name server at ns1.thought.org is not responding to queries:

: $ while read nshost nsip ; do \
:     echo "${nshost} [${nsip}] =>" ; \
:     dig "@${nsip}" ethic.thought.org a | expand | \
:         grep '^ethic\.thought\.org' ; \
:     echo ; \
: done < thought.org-ns.txt
:
: a.ns.celestial.com. [192.136.111.41] =>
:
: ns1.localhostservices.net. [69.55.236.116] =>
: ethic.thought.org. 38400 IN A 209.180.213.210
:
: ns1.thought.org. [209.180.213.210] =>
:
: ns2.secondary.com. [198.133.199.4] =>
:
: c.ns.celestial.com. [192.136.111.43] =>
:
: b.ns.celestial.com. [192.136.111.42] =>
:
: d.ns.celestial.com. [65.255.106.208] =>
:
: $

You have some serious DNS issues with your current setup. I think you
should start by:

  1) *Removing* from the NS records of your domain the name servers
     that are not necessary (the celestial.com ones).

  2) *Updating* the NS list of the same domain at the DNS registrar you
     are using to use ns1.thought.org and ns1.localhostservices.net.

  3) Checking the firewall settings at ns1.thought.org to see why it
     does not respond to queries.

The current listing of name servers for thought.org in whois(1) output
points to the name servers of celestial.com -- the ones with the bogus
SOA record from last year:

: $ whois thought.org
: [...]
: Tech ID:GKG-C00000A6A4
: Tech Name:Gary Kline
: Tech Organization:Thought Unlimited
: [...]
: Tech Email:c7cc9848d2890d50b47f6bc835d93463a88d4a6a@whois.gkg.net
: Name Server:NS1.SECONDARY.COM
: Name Server:NS2.SECONDARY.COM
: Name Server:NS1.THOUGHT.ORG
: Name Server:A.NS.CELESTIAL.COM
: Name Server:B.NS.CELESTIAL.COM
: [...]

When you *do* update the NS listing through your DNS registration
service, point it _only_ at name servers that really have a valid copy
of your zone files and are set up to serve as secondaries. After a
while, when the changes propagate to all the name servers, your domain
should work fine with bind (either the base-system or ports version).
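
The per-server SOA comparison done by hand in the message above, as an added example that is not part of the original e-mail: it classifies each listed name server by the serial it returns. The function names (`collect_soa`, `soa_report`, `soa_consistent`, `sample_soa`) and the status labels are this example's own; the sample data is the SOA output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message): SOA serial audit.

# collect_soa DOMAIN: ask each listed name server directly for the SOA.
# Needs dig(1) and network access; prints "<ns> <SOA rdata>" per server.
collect_soa() {
    dig +short NS "$1" | while read -r ns; do
        soa=$(dig +short +norecurse +time=3 +tries=1 "@$ns" "$1" SOA |
              grep -v '^;' | head -n 1)
        printf '%s %s\n' "$ns" "$soa"
    done
}

# soa_report: read collect_soa-style lines on stdin and print
# "<ns> <serial> <status>"; status is current, stale or no-soa.
# Serials are compared as plain integers (RFC 1982 wraparound is ignored).
soa_report() {
    awk '
        { ns[NR] = $1; ok[NR] = ($4 ~ /^[0-9]+$/)
          ser[NR] = ok[NR] ? $4 : "-"
          if (ok[NR] && $4 + 0 > max) max = $4 + 0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!ok[i])                st = "no-soa"
                else if (ser[i] + 0 < max) st = "stale"
                else                       st = "current"
                print ns[i], ser[i], st
            }
        }'
}

# soa_consistent: succeed only if every server on stdin is "current".
soa_consistent() {
    ! soa_report | grep -Eq ' (stale|no-soa)$'
}

# Offline sample: the SOA answers shown in the message above.
sample_soa() {
    cat <<'EOF'
a.ns.celestial.com. aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
ns1.localhostservices.net. ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
ns1.thought.org. ethic.thought.org. hostmaster.thought.org. 2009120801 10800 3600 604800 38400
ns2.secondary.com.
c.ns.celestial.com. aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
b.ns.celestial.com. aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
d.ns.celestial.com. aristotle.thought.org. hostmaster.thought.org. 2008121902 10800 3600 604800 38400
EOF
}

sample_soa | soa_report
```

For a live check, `collect_soa example.org | soa_report` runs the same classification against whatever servers the zone currently lists.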