Linode Forum :: dhcp'd nameservers not resolving remote domain

Linode Forum https://forum.linode.com/

dhcp'd nameservers not resolving remote domain https://forum.linode.com/viewtopic.php?f=19&t=7362	Page 1 of 1

Author:

pbuckner [ Wed Jul 06, 2011 1:39 am ]

Post subject:

dhcp'd nameservers not resolving remote domain

every few days, for a few hours at time, my node's unable to resolve dns lookup for 'www.hpc.ncep.noaa.gov'... I get temporary failure. That site's been around for years and four other (non-Linode) servers I have resolve without problems. (it failed for a hour late July 2nd, and it's been failing for four hours right now...)

I suspect the nameservers I'm getting via DHCP (74.207.242.5, 74.207.241.5) can resolve most sites, but fails for the above domain... why intermittently?

Code:

$ dig www.hpc.ncep.noaa.gov
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32906

yet using google's dns succeeds:

Code:

$ dig www.hpc.ncep.noaa.gov @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51063
;; ANSWER SECTION:
www.hpc.ncep.noaa.gov.   86185   IN   CNAME   edge-nws.woc.noaa.gov.
edge-nws.woc.noaa.gov.   85   IN   CNAME   edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov.   28   IN   A   140.172.17.23
edge-rev.lb.noaa.gov.   28   IN   A   129.15.96.23
edge-rev.lb.noaa.gov.   28   IN   A   140.90.33.23
edge-rev.lb.noaa.gov.   28   IN   A   140.90.200.23

I suppose I could resort to hard-coded nameservers, but I'm not sure how to do that without resorting to fully static interface definition & I'd prefer to have the Linode nameservers work.

Thoughts?

I'm new to Linode.com -- are their nameservers generally this bad?[/u]

--
- Peter

Author:	vonskippy [ Wed Jul 06, 2011 2:32 am ]
Post subject:
Edit /etc/dhcp3/dhclient.conf Code: supersede domain-name-servers 8.8.8.8, 8.8.4.4; There's plenty of good trouble free nameservers in the world, use which ever ones work best for you.

Author:	jgc [ Wed Jul 06, 2011 5:32 am ]
Post subject:
I have the same problem with ftp.ncep.noaa.gov It is the first time I have noticed the failure. I wonder if you've found a good solution. vonskippy, I couldn't locate /etc/dhcp3/dhclient.conf so I modified /etc/resolv.conf to add nameserver 8.8.8.8 nameserver 8.8.4.4 It seems to be working fine now. Hoverver, I've just seen that /etc/resolv.conf is generated by a script Code: $ cat /etc/resolv.conf ; generated by /sbin/dhclient-script search members.linode.com nameserver 8.8.8.8 nameserver 8.8.4.4 Will that be modified without warning?, is there a way of preventing further modifications? Thanks

Author:	hoopycat [ Wed Jul 06, 2011 8:00 am ]
Post subject:
It might be worth opening a ticket so the Linode folks can take a look at it and perhaps fix it...

Author:

pbuckner [ Wed Jul 06, 2011 11:04 am ]

Post subject:

(the nameservers are working at the moment, so it's difficult to debug. I've also opened a ticket with Linode.)

I note that google's NS 8.8.8.8 doesn't return an "AUTHORITY SECTION" in response to dig, but linode's response does:

Code:

$ dig  ftp.ncep.noaa.gov

; <<>> DiG 9.7.3 <<>> ftp.ncep.noaa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45006
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.ncep.noaa.gov.      IN   A

;; ANSWER SECTION:
ftp.ncep.noaa.gov.   19105   IN   CNAME   ftp-ftpprd-woc.lb.noaa.gov.
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.41
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.31

;; AUTHORITY SECTION:
lb.noaa.gov.      86400   IN   NS   ns-e.noaa.gov.
lb.noaa.gov.      86400   IN   NS   ns-nw.noaa.gov.
lb.noaa.gov.      86400   IN   NS   ns-mw.noaa.gov.

;; Query time: 97 msec
;; SERVER: 74.207.242.5#53(74.207.242.5)
;; WHEN: Wed Jul  6 07:45:38 2011
;; MSG SIZE  rcvd: 158

Google's the same, but without AUTHORITY:

Code:

$ dig  @8.8.8.8 ftp.ncep.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 ftp.ncep.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30640
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.ncep.noaa.gov.      IN   A

;; ANSWER SECTION:
ftp.ncep.noaa.gov.   69660   IN   CNAME   ftp-ftpprd-woc.lb.noaa.gov.
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.41
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.31

;; Query time: 98 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul  6 07:49:17 2011
;; MSG SIZE  rcvd: 99

Note sure if that means anything, but it's a difference!

-Peter

Author:	pbuckner [ Wed Jul 06, 2011 4:23 pm ]
Post subject:
Support suggests the problem is with DNSSEC issues on .gov domains (i.e., some .gov domain's configuration isn't fully correct). Other resolvers, which don't verify the DNSSEC signatures won't see the name resolution problem. Will continue to monitor.

Author:	jgc [ Thu Jul 07, 2011 6:10 am ]
Post subject:
Thanks for following it up. j.

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/