headers
richard lucassen | 22 Sep 2010 09:55
Favicon

dnscache problems

hello list,

I get more and more problems using dnscache. I've already started a
thread a few months ago about this issue, and until now I entered the
missing queries to an instance of tinydns, but it seems that this
problem is growing:

dnsqr mx newcastle.edu.au
15 newcastle.edu.au:
timed out

dnsqr mx deloitte.com.au
15 deloitte.com.au:
timed out

While other nameservers give me an answer:

host -t mx deloitte.com.au ns2.kpn.net
Using domain server:
Name: ns2.kpn.net
Address: 194.151.228.58#53
Aliases: 

deloitte.com.au mail is handled by 200 deloitte.com.au.s7a2.psmtp.com.
deloitte.com.au mail is handled by 300 deloitte.com.au.s7b1.psmtp.com.
deloitte.com.au mail is handled by 400 deloitte.com.au.s7b2.psmtp.com.
deloitte.com.au mail is handled by 100 deloitte.com.au.s7a1.psmtp.com.

I know it's apparently not a dnscache fault, but the problem is rather
annoying. Customers are complaining and they do not accept that they
(Continue reading)

Permalink | Reply |
headers
Tobias Reckhard | 22 Sep 2010 10:38
Favicon

Re: dnscache problems

richard lucassen wrote the following on 22.09.2010 09:55:
> I get more and more problems using dnscache. I've already started a
> thread a few months ago about this issue, and until now I entered the
> missing queries to an instance of tinydns, but it seems that this
> problem is growing:
> 
> dnsqr mx newcastle.edu.au
> 15 newcastle.edu.au:
> timed out

Takes a while here, but the query succeeds;
~$ dnsqr mx newcastle.edu.au
15 newcastle.edu.au:
135 bytes, 1+4+0+0 records, response, noerror
query: 15 newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 reactive.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 outsource.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 proactive.newcastle.edu.au
answer: newcastle.edu.au 43200 MX 10 synergy.newcastle.edu.au

What do your dnscache logs say?

Your problem is probably cuased by the edu.au servers not providing glue
for the latter two of the NS records they publish for newcastle.edu.au,
these being:

newcastle.edu.au 14400 NS netslave2.cc.monash.edu.au
newcastle.edu.au 14400 NS seagoon.newcastle.edu.au
newcastle.edu.au 14400 NS neddy.newcastle.edu.au
(Continue reading)

Permalink | Reply |
headers
Daryl Tester | 22 Sep 2010 11:14
Picon

Re: dnscache problems

(* Reply to dev null'd *)

Tobias Reckhard wrote:

> The owners of the two domains in question need to complete the data on
> the edu.au and com.au servers. It would probably also make sense for the
> newcastle.edu.au DNS admins to provide the same set of NS records on
> their servers as the edu.au servers do.

Perhaps, Richard, when reporting the problem, point them to something like
<http://www.intodns.com/newcastle.edu.au> which may add weight to your
arguments.

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
richard lucassen | 22 Sep 2010 12:54
Favicon

Re: dnscache problems

On Wed, 22 Sep 2010 18:44:58 +0930
Daryl Tester <dt-djb <at> handcraftedcomputers.com.au> wrote:

> > The owners of the two domains in question need to complete the data
> > on the edu.au and com.au servers. It would probably also make sense
> > for the newcastle.edu.au DNS admins to provide the same set of NS
> > records on their servers as the edu.au servers do.
> 
> Perhaps, Richard, when reporting the problem, point them to something
> like <http://www.intodns.com/newcastle.edu.au> which may add weight
> to your arguments.

I didn't know about this site Daryl, thnx!

--

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
Permalink | Reply |
headers
Bgs | 22 Sep 2010 10:54
Picon

Re: dnscache problems


  Hi,

Might not even be a dnscache related problem. Have you checked whether 
you can reach the other server on network level? Sometimes an old router 
with unpatched ECN bug or similar problems prevent you from accessing 
something from one place while it works from everywhere else.

For example:

# nmap -sU -P0 name.deloitte.com.au. -p 53

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-22 10:52 CEST
Nmap scan report for name.deloitte.com.au. (134.159.157.13)
Host is up (0.38s latency).
rDNS record for 134.159.157.13: name.deloitte.com.au
PORT   STATE SERVICE
53/udp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

Regards
Bgs

On 09/22/2010 09:55 AM, richard lucassen wrote:
> hello list,
>
> I get more and more problems using dnscache. I've already started a
> thread a few months ago about this issue, and until now I entered the
> missing queries to an instance of tinydns, but it seems that this
(Continue reading)

Permalink | Reply |
headers
richard lucassen | 22 Sep 2010 13:46
Favicon

Re: dnscache problems

On Wed, 22 Sep 2010 10:54:03 +0200
Bgs <bgs <at> bgs.hu> wrote:

> Might not even be a dnscache related problem. Have you checked
> whether you can reach the other server on network level? Sometimes an
> old router with unpatched ECN bug or similar problems prevent you
> from accessing something from one place while it works from
> everywhere else.

Well, that isn't the problem. These problems occur too often IMHO and
seems to be DNS-admin related. Dnscache is ok, but customers are
complaining (and they're right)

And while (e.g.) BIND servers are giving an answer to these queries,
dnscache remains silent. I can try to explain why this is happening, but
customers just don't like that it's working elsewhere.

--

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
Permalink | Reply |
headers
Daryl Tester | 22 Sep 2010 15:37
Picon

Re: dnscache problems

(* Reply to dev null'd *)

richard lucassen wrote:

> And while (e.g.) BIND servers are giving an answer to these queries,
> dnscache remains silent. I can try to explain why this is happening, but
> customers just don't like that it's working elsewhere.

Been down that road, and can fully understand your (and their) position.

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
Andy Bradford | 23 Sep 2010 04:33

Re: dnscache problems

Thus said richard lucassen on Wed, 22 Sep 2010 13:46:11 +0200:

> And while (e.g.)  BIND servers are giving an answer  to these queries,
> dnscache remains silent.

By the  way, this is not  true; at least  for these domains. I  made the
same queries with  a BIND server and  it too failed to  obtain an answer
for MX newcastle.edu.au on the first try.

Andy
Permalink | Reply |
headers
Andy Bradford | 23 Sep 2010 01:19

Re: dnscache problems

Thus said richard lucassen on Wed, 22 Sep 2010 09:55:10 +0200:

> ... but it seems that this problem is growing:

There is no end to incompetence.

> dnsqr mx newcastle.edu.au
> 15 newcastle.edu.au:
> timed out

This domain is extremely misconfigured. Have  a look at results of an MX
lookup with this DNS checker tool:

http://www.squish.net/dnscheck/

According to this tool 100% of queries will end up failed. 92.5% of them
are due to  too may nested queries,  and the rest are  due to nameserver
loops. Have you notified newcastle.edu.au's hostmaster?

> dnsqr mx deloitte.com.au
> 15 deloitte.com.au:
> timed out

Check this domain  with the above mentioned tool as  well. Only 50.7% of
the queries will  ever result in a successful result.  The rest fail due
to  nested  query  problems  and nameserver  loops.  Have  you  notified
deloitte.com.au's hostmaster?

> While other nameservers give me an answer:
(Continue reading)

Permalink | Reply |
headers
Daryl Tester | 23 Sep 2010 04:28
Picon

DNS checkers - was: dnscache problems

Andy Bradford wrote:

> This domain is extremely misconfigured. Have  a look at results of an MX
> lookup with this DNS checker tool:
> 
> http://www.squish.net/dnscheck/

What other online DNS checkers are people using?  In a previous email I
offered <http://www.intodns.com/>, both of which I found after dnsstuff.com
went to a paid model.  Any others?

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
Lloyd Standish | 23 Sep 2010 16:04

Re: DNS checkers - was: dnscache problems

>
> What other online DNS checkers are people using?  In a previous email I
> offered <http://www.intodns.com/>, both of which I found after dnsstuff.com
> went to a paid model.  Any others?
>
>

There is also http://www.pingability.com

--
Lloyd
Permalink | Reply |
headers
Hauke Lampe | 23 Sep 2010 18:19
Picon

Re: DNS checkers - was: dnscache problems


On 23.09.2010 04:28, Daryl Tester wrote:

> What other online DNS checkers are people using?  

Stéphane Bortzmeyer compiled a list of DNS tests:
http://www.bortzmeyer.org/tests-dns.html

Additional tools mentioned in the thread on the dnsops mailing list:
https://lists.dns-oarc.net/pipermail/dns-operations/2010-September/006100.html

Hauke.
Permalink | Reply |
headers
Daryl Tester | 23 Sep 2010 23:03
Picon

Re: DNS checkers - was: dnscache problems

Hauke Lampe wrote:

> On 23.09.2010 04:28, Daryl Tester wrote:

>> What other online DNS checkers are people using?  

> Stéphane Bortzmeyer compiled a list of DNS tests:
> http://www.bortzmeyer.org/tests-dns.html

Nice.  Stéphane's recommended checker <http://dnscheck.iis.se/> picked
up that one of my TCP nameservers wasn't working, which IntoDNS didn't.
Thanks - I now have a new favourite toy.  :-)

Cheers.

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
Andy Bradford | 24 Sep 2010 05:37

Re: DNS checkers - was: dnscache problems

Thus said Daryl Tester on Fri, 24 Sep 2010 06:33:43 +0930:

> Nice. Stéphane's recommended  checker <http://dnscheck.iis.se/> picked
> up  that one  of  my  TCP nameservers  wasn't  working, which  IntoDNS
> didn't.

This tool gives  some strange results for various domains.  It even goes
so far as to tell me that cr.yp.to does not exist!

Andy
Permalink | Reply |
headers
Daryl Tester | 24 Sep 2010 06:05
Picon

Re: DNS checkers - was: dnscache problems

Andy Bradford wrote:

> This tool gives  some strange results for various domains.  It even goes
> so far as to tell me that cr.yp.to does not exist!

Isn't that because cr.yp.to is just an A record, and the domain is yp.to?
(to which it gives unsettling results ...).

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
Andy Bradford | 24 Sep 2010 06:26

Re: DNS checkers - was: dnscache problems

Thus said "Andy Bradford" on 23 Sep 2010 21:37:04 MDT:

> This tool gives some strange results for various domains. It even goes
> so far as to tell me that cr.yp.to does not exist!

Yes, of  course it does  not... cr.yp.to is not  a domain (per  se), but
a  host.  :-)  This  tool  tests domains.  Squishy  tests  various  RRs.
dnscheck.iis.se tests  domains. I  would try  yp.to, but  apparently the
tool is either rate limiting me, or it is broken.

Andy
Permalink | Reply |
headers
Daryl Tester | 24 Sep 2010 06:37
Picon

Re: DNS checkers - was: dnscache problems

(* Reply to dev null'd *)

Andy Bradford wrote:

> Yes, of  course it does  not... cr.yp.to is not  a domain (per  se), but
> a  host.  :-)  This  tool  tests domains.  Squishy  tests  various  RRs.
> dnscheck.iis.se tests  domains. I  would try  yp.to, but  apparently the
> tool is either rate limiting me, or it is broken.

They have a link at the bottom of a completed test - does this work for you?

<http://dnscheck.iis.se/?time=1285300786&id=901926&view=basic&test=standard>

--

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
Permalink | Reply |
headers
Bernd Plagge | 28 Sep 2010 03:15
Picon
Favicon

Re: DNS checkers - was: dnscache problems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I quite like dnscheck (http://dnscheck.iis.se/).

However, it should be noted that this program does not understand Japanese domains ending in 'ne.jp'.
These domains are just not recognized as valid domains.

Cheers,
Bernd

On Fri, 24 Sep 2010 06:33:43 +0930
Daryl Tester <dt-djb <at> handcraftedcomputers.com.au> wrote:

> Hauke Lampe wrote:
> 
> > On 23.09.2010 04:28, Daryl Tester wrote:
> 
> >> What other online DNS checkers are people using?  
> 
> > St$(D+1phane Bortzmeyer compiled a list of DNS tests:
> > http://www.bortzmeyer.org/tests-dns.html

> 
> Nice.  St$(D+1phane's recommended checker <http://dnscheck.iis.se/> picked
> up that one of my TCP nameservers wasn't working, which IntoDNS didn't.
> Thanks - I now have a new favourite toy.  :-)
> 
> Cheers.
> 
> -- 
> Regards,
(Continue reading)

Permalink | Reply |

Gmane