every few days, for a few hours at time, my node's unable to resolve dns lookup for 'www.hpc.ncep.noaa.gov'... I get temporary failure. That site's been around for years and four other (non-Linode) servers I have resolve without problems. (it failed for a hour late July 2nd, and it's been failing for four hours right now...)

I suspect the nameservers I'm getting via DHCP (74.207.242.5, 74.207.241.5) can resolve most sites, but fails for the above domain... why intermittently?

$ dig www.hpc.ncep.noaa.gov
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32906

yet using google's dns succeeds:

$ dig www.hpc.ncep.noaa.gov @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51063
;; ANSWER SECTION:
www.hpc.ncep.noaa.gov.   86185   IN   CNAME   edge-nws.woc.noaa.gov.
edge-nws.woc.noaa.gov.   85   IN   CNAME   edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov.   28   IN   A   140.172.17.23
edge-rev.lb.noaa.gov.   28   IN   A   129.15.96.23
edge-rev.lb.noaa.gov.   28   IN   A   140.90.33.23
edge-rev.lb.noaa.gov.   28   IN   A   140.90.200.23

I suppose I could resort to hard-coded nameservers, but I'm not sure how to do that without resorting to fully static interface definition & I'd prefer to have the Linode nameservers work.

Thoughts?

I'm new to Linode.com -- are their nameservers generally this bad?[/u]

--
- Peter

Edit /etc/dhcp3/dhclient.conf

supersede domain-name-servers 8.8.8.8, 8.8.4.4;

There's plenty of good trouble free nameservers in the world, use which ever ones work best for you.

I have the same problem with ftp.ncep.noaa.gov

It is the first time I have noticed the failure. I wonder if you've found a good solution.


vonskippy,

I couldn't locate
/etc/dhcp3/dhclient.conf

so I modified /etc/resolv.conf
to add
nameserver 8.8.8.8
nameserver 8.8.4.4

It seems to be working fine now.
Hoverver, I've just seen that /etc/resolv.conf is generated by a script

$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search members.linode.com
nameserver 8.8.8.8
nameserver 8.8.4.4

Will that be modified without warning?, is there a way of preventing further modifications?

Thanks

It might be worth opening a ticket so the Linode folks can take a look at it and perhaps fix it...

_________________

/* TODO: need to add signature to posts */

(the nameservers are working at the moment, so it's difficult to debug. I've also opened a ticket with Linode.)

I note that google's NS 8.8.8.8 doesn't return an "AUTHORITY SECTION" in response to dig, but linode's response does:

$ dig  ftp.ncep.noaa.gov

; <<>> DiG 9.7.3 <<>> ftp.ncep.noaa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45006
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.ncep.noaa.gov.      IN   A

;; ANSWER SECTION:
ftp.ncep.noaa.gov.   19105   IN   CNAME   ftp-ftpprd-woc.lb.noaa.gov.
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.41
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.31

;; AUTHORITY SECTION:
lb.noaa.gov.      86400   IN   NS   ns-e.noaa.gov.
lb.noaa.gov.      86400   IN   NS   ns-nw.noaa.gov.
lb.noaa.gov.      86400   IN   NS   ns-mw.noaa.gov.

;; Query time: 97 msec
;; SERVER: 74.207.242.5#53(74.207.242.5)
;; WHEN: Wed Jul  6 07:45:38 2011
;; MSG SIZE  rcvd: 158

Google's the same, but without AUTHORITY:

$ dig  @8.8.8.8 ftp.ncep.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 ftp.ncep.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30640
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.ncep.noaa.gov.      IN   A

;; ANSWER SECTION:
ftp.ncep.noaa.gov.   69660   IN   CNAME   ftp-ftpprd-woc.lb.noaa.gov.
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.41
ftp-ftpprd-woc.lb.noaa.gov. 30   IN   A   140.90.33.31

;; Query time: 98 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul  6 07:49:17 2011
;; MSG SIZE  rcvd: 99

Note sure if that means anything, but it's a difference!

-Peter

Support suggests the problem is with DNSSEC issues on .gov domains (i.e., some .gov domain's configuration isn't fully correct). Other resolvers, which don't verify the DNSSEC signatures won't see the name resolution problem.

Will continue to monitor.

Thanks for following it up.

j.