Hi,
I read the postings on the djbdns mailing list:
http://marc.theaimsgroup.com/?l=djbdns&m=110478767318024&w=2
I did some testing to get to the bottom of this as well as I can.
When I do a dig as.nu.nl on my server with dnscache the query is as follows:
Domain Name System (query)
Transaction ID: 0x81b0
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
The answer is as follows:
Internet Protocol, Src Addr: 62.69.162.131 (62.69.162.131), Dst Addr: 62.216.12.164 (62.216.12.164)
User Datagram Protocol, Src Port: domain (53), Dst Port: 30462 (30462)
Domain Name System (response)
Transaction ID: 0x81b0
Flags: 0x8185 (Standard query response, Refused)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0101 = Reply code: Refused (5)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
If I do a DNS query with dig @62.69.162.131 as.nu.nl I only get an answer when I use +norecurs.
In the dump I see that the only bit set differently is the recursive bit. So this makes the difference.
When I did the same on a server with bind, it always sets the norecursive bit off.
11:48:46.525977 216.145.223.225.64960 > 128.63.2.53.53: 58855 [1au] A? as.nu.nl. (37)
11:48:46.635677 128.63.2.53.53 > 217.149.223.225.64960: 58855- 0/7/10 (375) (DF)
11:48:46.636665 217.149.223.225.64960 > 192.36.144.116.53: 59936 [1au] A? as.nu.nl. (37)
11:48:46.683251 192.36.144.116.53 > 217.149.223.225.64960: 59936- 0/3/4 (139) (DF)
11:48:46.683645 217.149.223.225.64960 > 62.69.162.130.53: 221 [1au] A? as.nu.nl. (37)
11:48:46.697885 62.69.162.130.53 > 217.149.223.225.64960: 221* 1/0/1 CNAME falk.speedera.net. (68)
11:48:46.698206 217.149.223.225.64960 > 192.203.230.10.53: 16046 [1au] A? falk.speedera.net. (46)
11:48:46.871986 192.203.230.10.53 > 217.149.223.225.64960: 16046- 0/13/16 (531)
11:48:46.874029 217.149.223.225.64960 > 192.54.112.30.53: 50275 [1au] A? falk.speedera.net. (46)
11:48:46.977148 192.54.112.30.53 > 217.149.223.225.64960: 50275 FormErr- [0q] 0/0/0 (12) (DF)
11:48:46.977270 217.149.223.225.64960 > 192.54.112.30.53: 50275 A? falk.speedera.net. (35)
11:48:47.085167 192.54.112.30.53 > 217.149.223.225.64960: 50275- 0/7/7 (259) (DF)
11:48:47.086064 214.145.223.225.64960 > 212.187.170.30.53: 6156 [1au] A? falk.speedera.net. (46)
This seems to be not the case with my e-smith dnscache implementation.
From the djbdns mail discussion I do not get a clear picture as to what is going on. Could it be that some environment variable is set wrong?
To set the FORWARDONLY environment variable for dnscache:
echo 1 > /service/dnscache/env/FORWARDONLY
My forwardonly is set to 0, so that is normal I think.
However, my dump also shows nicely that the dnscache server tries as.nu.nl 14 times and gets refused 12 times. It cycles through all three dns servers for nu.nl.
To show that the problem is not academic and happens more:
[root@idsnew dnscache]# egrep fail * | wc -l
161
egrep fail * | awk '{print $2 " " $3}' | sort | uniq -c
1 servfail 1.1.168.192.in-addr.arpa.
1 servfail 119.56.121.195.in-addr.arpa.
2 servfail 123.220.42.64.in-addr.arpa.
2 servfail 130.21.252.211.in-addr.arpa.
3 servfail 141.22.173.61.in-addr.arpa.
2 servfail 142.122.208.208.in-addr.arpa.
1 servfail 146.144.214.214.209.in-addr.arpa.
2 servfail 151.22.174.82.in-addr.arpa.
1 servfail 165.159.181.67.in-addr.arpa.
3 servfail 183.23.173.61.in-addr.arpa.
2 servfail 19.200.254.65.in-addr.arpa.
2 servfail 203.88.34.207.in-addr.arpa.
1 servfail 233.190.116.83.in-addr.arpa.
1 servfail 234.1.168.192.in-addr.arpa.
1 servfail 24.13.60.68.in-addr.arpa.
2 servfail 24.23.174.82.in-addr.arpa.
2 servfail 2.56.196.81.in-addr.arpa.
2 servfail 29.67.174.82.in-addr.arpa.
2 servfail 36.189.236.205.in-addr.arpa.
2 servfail 49.218.234.216.in-addr.arpa.
1 servfail 61.190.118.83.in-addr.arpa.
4 servfail 70.222.98.61.in-addr.arpa.
2 servfail 77.22.174.82.in-addr.arpa.
1 servfail 83.130.117.83.in-addr.arpa.
2 servfail 89.48.100.66.in-addr.arpa.
6 servfail as.nu.nl.
15 servfail ds.serving-sys.com.
1 servfail ns.telepac.pt.
20 servfail www.fs.fed.us.
5 servfail www.home-klimat.info.
1 servfail www.regsoft.net.
5 servfail www.uvlagnitel.info.
20 servfail www.webvragenlijst.nl.
5 servfail www.woonactueel.nl.
greetings
Hans-Cees
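
The two flag words from the dumps above (0x0100 in the query, 0x8185 in the refused response), decoded field by field, together with a check that a recursive and a non-recursive query for the same name differ in exactly one bit. This is an added example, not part of the original post; the function names are illustrative, and the packets are built locally without EDNS and never sent.

```python
import struct

# Reply codes from RFC 1035 section 4.1.1
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail",
          3: "NXDomain", 4: "NotImp", 5: "Refused"}

def decode_flags(flags):
    """Split the 16-bit DNS header flags word into its fields."""
    return {
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
    }

def build_query(name, txid, recurse):
    """Build a minimal A/IN query; `recurse` controls only the RD bit."""
    flags = 0x0100 if recurse else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(packet):
    """Decode the fixed 12-byte header of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "flags": flags, "counts": (qd, an, ns, ar),
            **decode_flags(flags)}

def differing_bits(a, b):
    """Return (byte offset, XOR mask) for every byte where two packets differ."""
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    rec = build_query("as.nu.nl", 0x81B0, recurse=True)     # what dnscache sent
    norec = build_query("as.nu.nl", 0x81B0, recurse=False)  # like dig +norecurs
    print("query header   :", parse_header(rec))
    print("response 0x8185:", decode_flags(0x8185))
    print("rec vs norec   :", differing_bits(rec, norec))
```
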