Nameserver Problem Revisited -
Bob Goodwin - W2BOD
bobgoodwin at wildblue.net
Sat Apr 7 16:20:46 UTC 2007
Bob Goodwin - W2BOD wrote:
> Tim wrote:
>> On Sat, 2007-04-07 at 10:42 -0400, Bob Goodwin - W2BOD wrote:
>>> This scheme worked nicely until this morning!
>>
>> [giving null DNS answers, locally]
>>
>>> Suddenly things have returned to the earlier state where the browser
>>> downloads each ad again, requiring about a minute to bring up a news
>>> article instead of the few seconds that were required after making the
>>> suggested changes to /var/named/chroot/etc/blocked.conf and dead.zone,
>>> etc.
>>
>> Well, no changes should have been made to the dead.zone, it was
>> perfectly fine as it was originally provided. But as long as the serial
>> number is set higher than previously used, that won't matter.
>
> The serial number was left at and still is 200 after the discussion
> the other day.
>
>>
>> The thing that springs to mind is for you to check whether
>> your /etc/resolv.conf file has been changed by any dynamic processes.
>> You'll need to have your special DNS server configured as the first one
>> to use, for this to work.
> cat /etc/resolv.conf
>
> nameserver 127.0.0.1
> nameserver 208.67.222.222 #Open DNS
> nameserver 208.67.220.220 #Open DNS
> nameserver 12.189.32.61 #ISP provided DNS
>>
>> You can test how your server responds to queries with the dig command.
>> You'd dig a domain name, and see the answers, and the address of the
>> server that answered.
> It looks like something is wrong with the local name caching? After
> several repetitions to cnn.com, it should be a few milliseconds:
>
> ....... snip ......
>
> cnn.com. 89 IN A 64.236.24.12
> ;; Query time: 2224 msec
> ;; SERVER: 208.67.222.222#53(208.67.222.222)
> ;; WHEN: Sat Apr 7 11:55:32 2007
> ;; MSG SIZE rcvd: 137
>>
>> e.g. dig a.blocked.domain.example.com
>>
>> You can also query a specific server, ignoring whatever's configured to
>> be used in the resolv.conf file, by adding extra parameters (write the
>> DNS server address to be queried after an @ sign).
>>
>> e.g. dig a.blocked.domain.example.com @127.0.0.1
> It looks like this is working?
>
> dig @anrtx.tacoda.net
>
> ; <<>> DiG 9.3.4 <<>> @anrtx.tacoda.net
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> Now I am confused?
>
> Bob Goodwin
dig @example.com does not appear to be a valid request? If I drop the
"@" I get:
dig anrtx.tacoda.net
; <<>> DiG 9.3.4 <<>> anrtx.tacoda.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41990
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;anrtx.tacoda.net. IN A
;; ANSWER SECTION:
anrtx.tacoda.net. 85351 IN CNAME anrtx.gslb.tacoda.net.
anrtx.gslb.tacoda.net. 256 IN A 209.50.189.200
;; Query time: 1141 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Apr 7 12:16:52 2007
;; MSG SIZE rcvd: 75
It appears the local name caching is not working though since the times
are all very long.
Bob Goodwin
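The diagnostic Tim describes comes down to reading two lines of dig's output: `;; SERVER:` tells you which nameserver actually answered, and `;; Query time:` tells you whether that answer came from a cache. In Bob's transcripts above the SERVER line names 208.67.222.222, not the 127.0.0.1 listed first in resolv.conf, which is the real signal that the local server is being bypassed. The script below is an added example, not code from the thread: it parses dig output and reports whether the local resolver answered, was bypassed, timed out, or answered slowly. The first transcript is copied from Bob's message; the second (a cached answer from 127.0.0.1) and the threshold of 100 ms are constructed assumptions, and it assumes dead.zone maps the blocked name to 127.0.0.1, which the thread does not spell out.

```python
"""Parse `dig` output and check whether the local caching resolver answered.

Added example for the thread above; not part of the original mail.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Transcript 1: copied from Bob's message (answer came from OpenDNS).
DIG_REMOTE = """\
; <<>> DiG 9.3.4 <<>> anrtx.tacoda.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41990
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;anrtx.tacoda.net. IN A
;; ANSWER SECTION:
anrtx.tacoda.net. 85351 IN CNAME anrtx.gslb.tacoda.net.
anrtx.gslb.tacoda.net. 256 IN A 209.50.189.200
;; Query time: 1141 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Apr 7 12:16:52 2007
;; MSG SIZE rcvd: 75
"""

# Transcript 2: constructed. What a working local dead.zone answer would
# look like, assuming the zone maps the blocked name to 127.0.0.1.
DIG_LOCAL = """\
; <<>> DiG 9.3.4 <<>> anrtx.tacoda.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
anrtx.tacoda.net. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 7 12:17:00 2007
;; MSG SIZE rcvd: 50
"""

# Transcript 3: copied from Bob's mistaken `dig @anrtx.tacoda.net` attempt.
DIG_TIMEOUT = """\
; <<>> DiG 9.3.4 <<>> @anrtx.tacoda.net
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
"""


@dataclass
class DigResult:
    status: Optional[str] = None          # NOERROR, NXDOMAIN, SERVFAIL, ...
    server: Optional[str] = None          # address from the ";; SERVER:" line
    query_time_ms: Optional[int] = None   # from the ";; Query time:" line
    answers: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)
    timed_out: bool = False


SERVER_RE = re.compile(r"^;; SERVER: (\S+)#(\d+)")
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec")
STATUS_RE = re.compile(r"status: (\w+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")


def parse_dig(output: str) -> DigResult:
    """Extract status, answering server, query time and answer records."""
    result = DigResult()
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "connection timed out" in line:
            result.timed_out = True
        elif line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            if m:
                result.status = m.group(1)
        elif line.endswith("SECTION:"):
            section = line                      # remember which section follows
        elif line.startswith(";"):
            m = SERVER_RE.match(line)
            if m:
                result.server = m.group(1)
            m = QTIME_RE.match(line)
            if m:
                result.query_time_ms = int(m.group(1))
        elif section == ";; ANSWER SECTION:":
            m = RR_RE.match(line)               # tabs or spaces between fields
            if m:
                result.answers.append((m.group(1), m.group(3), m.group(4)))
    return result


def diagnose(result: DigResult, local: str = "127.0.0.1", slow_ms: int = 100) -> str:
    """Classify a parsed dig result; the leading word is a stable code."""
    if result.timed_out:
        return "timeout: no server reachable (check the @server argument and that named is running)"
    if result.server != local:
        return f"bypassed: answer came from {result.server}, not the local resolver {local}"
    if result.query_time_ms is not None and result.query_time_ms > slow_ms:
        return f"slow: {result.query_time_ms} ms from {local}; the cache is not serving this name"
    return f"ok: {local} answered in {result.query_time_ms} ms"


if __name__ == "__main__":
    for label, text in (("remote", DIG_REMOTE), ("local", DIG_LOCAL), ("timeout", DIG_TIMEOUT)):
        print(f"{label:8s} -> {diagnose(parse_dig(text))}")
```

Feeding it live output is a matter of `dig anrtx.tacoda.net | python3 check_dig.py` with `sys.stdin.read()` substituted for the embedded transcripts; the "bypassed" case on a resolv.conf that lists 127.0.0.1 first is the one to chase, since it means the local named is not answering the query at all rather than answering it slowly.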