Discussion:
dnscache problems
richard lucassen
2010-09-22 07:55:10 UTC
hello list,

I get more and more problems using dnscache. I've already started a
thread a few months ago about this issue, and until now I entered the
missing queries to an instance of tinydns, but it seems that this
problem is growing:

dnsqr mx newcastle.edu.au
15 newcastle.edu.au:
timed out

dnsqr mx deloitte.com.au
15 deloitte.com.au:
timed out

While other nameservers give me an answer:

host -t mx deloitte.com.au ns2.kpn.net
Using domain server:
Name: ns2.kpn.net
Address: 194.151.228.58#53
Aliases:

deloitte.com.au mail is handled by 200 deloitte.com.au.s7a2.psmtp.com.
deloitte.com.au mail is handled by 300 deloitte.com.au.s7b1.psmtp.com.
deloitte.com.au mail is handled by 400 deloitte.com.au.s7b2.psmtp.com.
deloitte.com.au mail is handled by 100 deloitte.com.au.s7a1.psmtp.com.

I know it's apparently not a dnscache fault, but the problem is rather
annoying. Customers are complaining and they do not accept that they
have to use gmail or other ways to contact these domains. I think I'm
not the only one with this problem. How do others resolve this issue?
(other options than installing PowerDNS or BIND)

R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
Tobias Reckhard
2010-09-22 08:38:34 UTC
Post by richard lucassen
I get more and more problems using dnscache. I've already started a
thread a few months ago about this issue, and until now I entered the
missing queries to an instance of tinydns, but it seems that this
dnsqr mx newcastle.edu.au
timed out
Takes a while here, but the query succeeds;
~$ dnsqr mx newcastle.edu.au
15 newcastle.edu.au:
135 bytes, 1+4+0+0 records, response, noerror
query: 15 newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 reactive.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 outsource.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 proactive.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 synergy.newcastle.edu.au

What do your dnscache logs say?

Your problem is probably caused by the edu.au servers not providing glue
for the latter two of the NS records they publish for newcastle.edu.au,
these being:

newcastle.edu.au 14400 NS netslave2.cc.monash.edu.au
newcastle.edu.au 14400 NS seagoon.newcastle.edu.au
newcastle.edu.au 14400 NS neddy.newcastle.edu.au

Therefore, an unprimed dnscache needs to make its queries to
netslave2.cc.monash.edu.au, the DNS servers of which the edu.au servers
provide glue for.
Post by richard lucassen
dnsqr mx deloitte.com.au
timed out
Same problem here, the com.au servers provide glue only for one of two
(in-bailiwick) NS records:

~$ dnsq mx deloitte.com.au ns3.ausregistry.net.au
15 deloitte.com.au:
88 bytes, 1+0+2+1 records, response, noerror
query: 15 deloitte.com.au
authority: deloitte.com.au 14400 NS name.deloitte.com.au
authority: deloitte.com.au 14400 NS name2.deloitte.com.au
additional: name.deloitte.com.au 14400 A 134.159.157.13
So does my dnscache.
Post by richard lucassen
I know it's apparently not a dnscache fault, but the problem is rather
annoying. Customers are complaining and they do not accept that they
have to use gmail or other ways to contact these domains. I think I'm
not the only one with this problem. How do others resolve this issue?
(other options than installing PowerDNS or BIND)
The owners of the two domains in question need to complete the data on
the edu.au and com.au servers. It would probably also make sense for the
newcastle.edu.au DNS admins to provide the same set of NS records on
their servers as the edu.au servers do.

Cheers,
Tobias
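
The missing-glue condition described in the post above, as an added example that is not part of the original thread: a small parser for `dnsq`-style output that lists the in-zone NS names a referral leaves without an address record. The function names are assumptions made for illustration, and the sample is the `ns3.ausregistry.net.au` response quoted in the post.

```python
# Added example (not from the thread): find in-zone NS hosts without glue
# in a referral printed in dnsq's text format.

# Sample input: the referral for deloitte.com.au quoted in the post above.
SAMPLE = """\
15 deloitte.com.au:
88 bytes, 1+0+2+1 records, response, noerror
query: 15 deloitte.com.au
authority: deloitte.com.au 14400 NS name.deloitte.com.au
authority: deloitte.com.au 14400 NS name2.deloitte.com.au
additional: name.deloitte.com.au 14400 A 134.159.157.13
"""


def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()


def in_zone(host, zone):
    """True if host is the zone apex or a name below it."""
    return host == zone or host.endswith("." + zone)


def parse_referral(text):
    """Return ({zone: [ns hosts]}, {host: [addresses]}) from dnsq-style text."""
    ns, glue = {}, {}
    for line in text.splitlines():
        section, _, rest = line.partition(": ")
        fields = rest.split()
        if len(fields) != 4:          # header, summary and query lines
            continue
        owner, _ttl, rtype, rdata = fields
        if section == "authority" and rtype == "NS":
            ns.setdefault(norm(owner), []).append(norm(rdata))
        elif section == "additional" and rtype in ("A", "AAAA"):
            glue.setdefault(norm(owner), []).append(rdata)
    return ns, glue


def missing_glue(text):
    """NS hosts inside the delegated zone that have no address in the reply."""
    ns, glue = parse_referral(text)
    return sorted(h for zone, hosts in ns.items()
                  for h in hosts if in_zone(h, zone) and h not in glue)


if __name__ == "__main__":
    for host in missing_glue(SAMPLE):
        print("no glue for", host)
```

A resolver can only learn the address of an in-zone nameserver from glue or from another nameserver of the same zone, so each name reported here reduces the set of servers a cold cache can reach.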
Daryl Tester
2010-09-22 09:14:58 UTC
(* Reply to dev null'd *)
Post by Tobias Reckhard
The owners of the two domains in question need to complete the data on
the edu.au and com.au servers. It would probably also make sense for the
newcastle.edu.au DNS admins to provide the same set of NS records on
their servers as the edu.au servers do.
Perhaps, Richard, when reporting the problem, point them to something like
<http://www.intodns.com/newcastle.edu.au> which may add weight to your
arguments.
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
richard lucassen
2010-09-22 10:54:25 UTC
On Wed, 22 Sep 2010 18:44:58 +0930
Post by Daryl Tester
Post by Tobias Reckhard
The owners of the two domains in question need to complete the data
on the edu.au and com.au servers. It would probably also make sense
for the newcastle.edu.au DNS admins to provide the same set of NS
records on their servers as the edu.au servers do.
Perhaps, Richard, when reporting the problem, point them to something
like <http://www.intodns.com/newcastle.edu.au> which may add weight
to your arguments.
I didn't know about this site Daryl, thnx!
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
Bgs
2010-09-22 08:54:03 UTC
Hi,

Might not even be a dnscache related problem. Have you checked whether
you can reach the other server on network level? Sometimes an old router
with unpatched ECN bug or similar problems prevent you from accessing
something from one place while it works from everywhere else.

For example:

# nmap -sU -P0 name.deloitte.com.au. -p 53

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-22 10:52 CEST
Nmap scan report for name.deloitte.com.au. (134.159.157.13)
Host is up (0.38s latency).
rDNS record for 134.159.157.13: name.deloitte.com.au
PORT STATE SERVICE
53/udp open domain

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

Regards
Bgs
Post by richard lucassen
hello list,
I get more and more problems using dnscache. I've already started a
thread a few months ago about this issue, and until now I entered the
missing queries to an instance of tinydns, but it seems that this
dnsqr mx newcastle.edu.au
timed out
dnsqr mx deloitte.com.au
timed out
host -t mx deloitte.com.au ns2.kpn.net
Name: ns2.kpn.net
Address: 194.151.228.58#53
deloitte.com.au mail is handled by 200 deloitte.com.au.s7a2.psmtp.com.
deloitte.com.au mail is handled by 300 deloitte.com.au.s7b1.psmtp.com.
deloitte.com.au mail is handled by 400 deloitte.com.au.s7b2.psmtp.com.
deloitte.com.au mail is handled by 100 deloitte.com.au.s7a1.psmtp.com.
I know it's apparently not a dnscache fault, but the problem is rather
annoying. Customers are complaining and they do not accept that they
have to use gmail or other ways to contact these domains. I think I'm
not the only one with this problem. How do others resolve this issue?
(other options than installing PowerDNS or BIND)
R.
richard lucassen
2010-09-22 11:46:11 UTC
On Wed, 22 Sep 2010 10:54:03 +0200
Post by Bgs
Might not even be a dnscache related problem. Have you checked
whether you can reach the other server on network level? Sometimes an
old router with unpatched ECN bug or similar problems prevent you
from accessing something from one place while it works from
everywhere else.
Well, that isn't the problem. These problems occur too often IMHO and
seem to be DNS-admin related. Dnscache is ok, but customers are
complaining (and they're right)

And while (e.g.) BIND servers are giving an answer to these queries,
dnscache remains silent. I can try to explain why this is happening, but
customers just don't like that it's working elsewhere.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
Daryl Tester
2010-09-22 13:37:34 UTC
(* Reply to dev null'd *)
Post by richard lucassen
And while (e.g.) BIND servers are giving an answer to these queries,
dnscache remains silent. I can try to explain why this is happening, but
customers just don't like that it's working elsewhere.
Been down that road, and can fully understand your (and their) position.
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
Andy Bradford
2010-09-23 02:33:48 UTC
And while (e.g.) BIND servers are giving an answer to these queries,
dnscache remains silent.
By the way, this is not true; at least for these domains. I made the
same queries with a BIND server and it too failed to obtain an answer
for MX newcastle.edu.au on the first try.

Andy
Andy Bradford
2010-09-22 23:19:32 UTC
There is no end to incompetence.
Post by richard lucassen
dnsqr mx newcastle.edu.au
timed out
This domain is extremely misconfigured. Have a look at results of an MX
lookup with this DNS checker tool:

http://www.squish.net/dnscheck/

According to this tool 100% of queries will end up failed. 92.5% of them
are due to too many nested queries, and the rest are due to nameserver
loops. Have you notified newcastle.edu.au's hostmaster?
Post by richard lucassen
dnsqr mx deloitte.com.au
timed out
Check this domain with the above mentioned tool as well. Only 50.7% of
the queries will ever result in a successful result. The rest fail due
to nested query problems and nameserver loops. Have you notified
deloitte.com.au's hostmaster?
That doesn't really prove much. Even dnscache eventually gives an answer
for these domains.
Post by richard lucassen
I know it's apparently not a dnscache fault, but the problem is rather
annoying.
It isn't just apparent, it is blatant.

Have you tried contacting these problem domains' owners?

Andy
Daryl Tester
2010-09-23 02:28:36 UTC
Post by Andy Bradford
This domain is extremely misconfigured. Have a look at results of an MX
http://www.squish.net/dnscheck/
What other online DNS checkers are people using? In a previous email I
offered <http://www.intodns.com/>, both of which I found after dnsstuff.com
went to a paid model. Any others?
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
Lloyd Standish
2010-09-23 14:04:11 UTC
Post by Daryl Tester
What other online DNS checkers are people using? In a previous email I
offered <http://www.intodns.com/>, both of which I found after dnsstuff.com
went to a paid model. Any others?
There is also http://www.pingability.com

--
Lloyd
Hauke Lampe
2010-09-23 16:19:24 UTC
Post by Daryl Tester
What other online DNS checkers are people using?
Stéphane Bortzmeyer compiled a list of DNS tests:
http://www.bortzmeyer.org/tests-dns.html

Additional tools mentioned in the thread on the dnsops mailing list:
https://lists.dns-oarc.net/pipermail/dns-operations/2010-September/006100.html


Hauke.
Daryl Tester
2010-09-23 21:03:43 UTC
Post by Hauke Lampe
Post by Daryl Tester
What other online DNS checkers are people using?
http://www.bortzmeyer.org/tests-dns.html
Nice. Stéphane's recommended checker <http://dnscheck.iis.se/> picked
up that one of my TCP nameservers wasn't working, which IntoDNS didn't.
Thanks - I now have a new favourite toy. :-)

Cheers.
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
Andy Bradford
2010-09-24 03:37:04 UTC
Nice. Stéphane's recommended checker <http://dnscheck.iis.se/> picked
up that one of my TCP nameservers wasn't working, which IntoDNS
didn't.
This tool gives some strange results for various domains. It even goes
so far as to tell me that cr.yp.to does not exist!

Andy
Daryl Tester
2010-09-24 04:05:24 UTC
Post by Andy Bradford
This tool gives some strange results for various domains. It even goes
so far as to tell me that cr.yp.to does not exist!
Isn't that because cr.yp.to is just an A record, and the domain is yp.to?
(to which it gives unsettling results ...).
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
Andy Bradford
2010-09-24 04:26:56 UTC
This tool gives some strange results for various domains. It even goes
so far as to tell me that cr.yp.to does not exist!
Yes, of course it does not... cr.yp.to is not a domain (per se), but
a host. :-) This tool tests domains. Squishy tests various RRs.
dnscheck.iis.se tests domains. I would try yp.to, but apparently the
tool is either rate limiting me, or it is broken.

Andy
Daryl Tester
2010-09-24 04:37:01 UTC
(* Reply to dev null'd *)
Post by Andy Bradford
Yes, of course it does not... cr.yp.to is not a domain (per se), but
a host. :-) This tool tests domains. Squishy tests various RRs.
dnscheck.iis.se tests domains. I would try yp.to, but apparently the
tool is either rate limiting me, or it is broken.
They have a link at the bottom of a completed test - does this work for you?

<http://dnscheck.iis.se/?time=1285300786&id=901926&view=basic&test=standard>
--
Regards,
Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."
Bernd Plagge
2010-09-28 01:15:18 UTC
I quite like dnscheck (http://dnscheck.iis.se/).
However, it should be noted that this program does not understand Japanese domains ending in 'ne.jp'. These domains are just not recognized as valid domains.

Cheers,
Bernd

On Fri, 24 Sep 2010 06:33:43 +0930
Post by Hauke Lampe
Post by Daryl Tester
What other online DNS checkers are people using?
http://www.bortzmeyer.org/tests-dns.html
Nice. Stéphane's recommended checker <http://dnscheck.iis.se/> picked
up that one of my TCP nameservers wasn't working, which IntoDNS didn't.
Thanks - I now have a new favourite toy. :-)
Cheers.
--
Regards,
Daryl Tester
"It's bad enough to have two heads, but it's worse when one's unoccupied."
-- Scatterbrain, "I'm with Stupid."