DCSportbikes.net » Non-Sportbike Forums » Non-Sportbike Chat
#1  hayabusafiend (Posts: 581; joined April 6, 2003; Northern California)
February 13, 2004, 02:50 PM

I've hit a troubleshooting wall, and I could use some help from the geeks. I'll graciously provide beer to whoever helps the most.

I'm setting up a second DNS server running BIND and it fails to look up certain hosts, specifically wwws.sun.com (the wwws is not a typo).

Servers:
1) BIND8 on Solaris 2.6 = nslookup SUCCESSFUL for wwws.sun.com
2) DNS on Win2K = nslookup SUCCESSFUL for wwws.sun.com
3) BIND8 on Solaris 2.8 = nslookup 'TIMEOUT' for wwws.sun.com

Details:
Server 1: BIND8 is likely hacked by the previous IT network Nazi. I don't trust the system, so I'm replacing it. Moreover, we don't have a secondary DNS server.
Server 2: Internal DNS/WINS/AD server running SP3.
Server 3: BIND8 is right out of the box from Sun. 2.8 has the latest clusterpatch applied.

Troubleshooting:
a) the only server with a public reverse is #1
b) server #1 is outside the firewall
c) servers #2 & #3 are inside the firewall
d) all internal devices are allowed full outbound IP
e) no port 53 (DNS) traffic is allowed inbound thru the firewall
f) 'nslookup -debug' doesn't tell me much about the timeout on server 3.
g) named.conf below

Anyone run into this before with an out of the box Solaris install?

icebreaker% uname -a
SunOS icebreaker 5.8 Generic_108528-29 sun4u sparc SUNW,Ultra-5_10

icebreaker% cat /etc/named.conf
// nameserver bootfile

options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    // query-source address * port 53;
    allow-transfer {
        x.x.x.x;
    };
};

//
// prime the cache
//
zone "." {
    type hint;
    file "root.cache";
};

//
zone "tsi-telsys.com" {
    type master;
    file "tsi-telsys.zone";
};

zone "tsitelsys.com" {
    type master;
    file "tsitelsys.zone";
};

zone "y.y.y.IN-ADDR.ARPA" {
    type master;
    file "tsi-telsys.rev";
};

zone "x.x.x.IN-ADDR.ARPA" {
    type master;
    file "tsidmz.rev";
};

//
zone "localhost" {
    type master;
    file "local.zone";
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "local.rev";
};

logging {
    channel xfer-log {
        file "/var/tmp/named-xfer.log" versions unlimited size 10m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    // category lame-servers { null; };
    category xfer-in { xfer-log; };
    category xfer-out { xfer-log; };
    category notify { xfer-log; };
    // category security { xfer-log; };
    // category general { xfer-log; };
    // category resolver { xfer-log; };
    // category network { xfer-log; };
};
//
icebreaker%


-- Chris
BMW R1100s
(previous rides: '82 KTM250, '95 CBR600F3, '98 Buell S3T, 2000 Hayabusa, 2008 R1200R)

"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke
#2  EduardoSuave (Posts: 7,231; joined August 31, 2003; The LC)
February 13, 2004, 03:23 PM

I'm no DNS expert, but I'd start with ruling out physical/network connectivity.

You didn't mention this, but since #1 and #2 can resolve wwws.sun.com, you should get an IP for it. Use that to ping and traceroute from #3. You said all internal machines have full outbound, so that should allow for ICMP, in which case successful pings and traces should eliminate the first three layers from your problem, and then you could look more at the configuration of #3.

Have you also tried using snoop during the nslookup, ping and traceroute? You should be able to do this from the firewall and #3 too, to track the nslookup initiated at #3.

Also, is #3 the new server? Just wondering, because you might want to check the FW for a rule that allows TCP/UDP 53 specifically for the DNS servers but denies it for others. If #3 is new, it may not be in that ruleset yet. (I've actually seen this.)

Good luck.


DBR
#135, #47, Vega
--
"Never contract friendship with a man that is not better than thyself." - Confucius

Will pay to see this
whatever henry's name is these days: jason, seriously, im going to kick your face in when I get back
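Added example, not from the thread or any of its posters: a small Python 3 probe that does at the DNS layer what the ping/traceroute/snoop suggestions above do at the IP layer for the symptom in post #1 (one name timing out on server #3 while the other two resolvers answer). It sends the query a stub resolver would, parses the reply, and if the UDP answer comes back with the TC bit set retries over TCP, so a plain UDP timeout (no reply reaching named's source port at all) can be told apart from a blocked TCP/53 retry. The wire-format builder and parser are exercised with constructed packets so they run offline; the server address, the CNAME chain and the RFC 5737 address 192.0.2.10 are assumptions for the demo, not Sun's real records.

```python
"""Minimal DNS probe: build a query, parse the reply, and tell a plain UDP timeout from a
truncated answer whose TCP retry is blocked. Only query_server() touches the network."""
import socket
import struct
A, CNAME = 1, 5

def encode_name(name):
    """'wwws.sun.com' -> b'\\x04wwws\\x03sun\\x03com\\x00' (uncompressed wire form)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=A, txid=0x1234):
    """One question, class IN, RD=1: the packet a stub resolver sends to named."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, answers, tc=False):
    """Constructed reply to a build_query() packet (test data): answers are (owner, type, ttl, value)."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8180 | (0x0200 if tc else 0)            # QR=1 RD=1 RA=1, plus TC on request
    body = b""
    for owner, rtype, ttl, value in answers:          # value: dotted IPv4 for A, name for CNAME
        rdata = socket.inet_aton(value) if rtype == A else encode_name(value)
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:] + body

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                       # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end      # the caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off if end is None else end

def parse_response(msg):
    """Header bits plus the answer section as (owner, type, ttl, value) tuples."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):                                # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            value, _ = read_name(msg, off)
        else:
            value = socket.inet_ntoa(msg[off:off + 4]) if rtype == A and rdlen == 4 else msg[off:off + rdlen].hex()
        info["answers"].append((owner, rtype, ttl, value))
        off += rdlen
    return info

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf

def query_server(server, name, timeout=3.0):
    """UDP first, then TCP if the reply is truncated; (transport, None) means that leg timed out."""
    q = build_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "udp", None
    info = parse_response(data)
    if not info["tc"]:
        return "udp", info
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)   # TCP carries a 2-byte length prefix
            (ln,) = struct.unpack("!H", recv_exact(s, 2))
            return "tcp", parse_response(recv_exact(s, ln))
    except OSError:                                    # socket.timeout is an OSError
        return "tcp", None

def diagnose(transport, info):
    """Map a query_server() result to the next thing to check."""
    if info is None and transport == "udp":
        return "no UDP reply: check that answers get back to named's query source port"
    if info is None:
        return "truncated UDP reply and the TCP retry timed out: outbound TCP/53 is blocked"
    if info["tc"]:
        return "reply truncated: the full answer needs TCP"
    if info["rcode"] != 0:
        return "server answered with RCODE %d" % info["rcode"]
    return "resolved over %s: %s" % (transport, info["answers"])
```

To use it on the thread's setup, run `diagnose(*query_server("<server 3 address>", "wwws.sun.com"))` from an inside host, then the same call from server #3 itself against one of the domain's authoritative servers. If the authoritative server answers directly but the local named does not, the fault is in named's own upstream traffic rather than in client-to-server connectivity, which is where the firewall rules and the commented-out query-source line in the posted named.conf become the things to look at.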
#3  gotone (www.got-one.com; Posts: 419; joined October 28, 2003; Northern VA)
February 20, 2004, 09:32 PM

1st, hopefully you found a solution already, but I'm no help; I am about as anti-*nix as nixxers are anti-MS.

But 2nd, whatever happened to Techradio on 106? I loved that show...
#4  hayabusafiend (Posts: 581; joined April 6, 2003; Northern California)
February 21, 2004, 07:17 AM

I didn't solve the problem, but it doesn't matter. That box is an external DNS to answer A & MX queries for my work domain.

Three guesses why I used Solaris instead of Microsoft. Can you say hackers three times fast?

Microsoft: the never ending circle of pain

I hadn't even heard of TechRadio on 106.


-- Chris
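Since the box ends up as an Internet-facing server answering A and MX queries for the work domain, here is an added example (not the poster's own file) of the options block a practitioner would want on a BIND 8 authoritative server, shown next to the permissive default the posted named.conf has. The zone and logging statements from the original are unchanged and omitted here; the x.x.x.x transfer address is the placeholder from the original post, and the version string is an arbitrary choice. `allow-recursion` and `version` need BIND 8.2 or later.

```conf
// Weak (what the posted options block amounts to): BIND 8 recurses for
// anyone who can reach port 53, so an Internet-facing box is also an open
// resolver that can be used to amplify and to poison its own cache.
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    allow-transfer { x.x.x.x; };
};

// Hardened: authoritative only, transfers limited to the secondary, version hidden.
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    recursion no;                  // answer only for the zones this server masters
    allow-query { any; };          // public zone data; the zone statements stay as before
    allow-transfer { x.x.x.x; };   // secondary only, as in the original
    version "not disclosed";       // stops "version.bind" CH TXT from advertising BIND 8
    // query-source address * port 53;
    // Pin the source port only if a stateless firewall forces it: a fixed,
    // well-known source port removes one of the values a reply spoofer has to guess.
};
```

If the same machine must also resolve for internal clients, replace `recursion no;` with `allow-recursion { <internal networks>; };` so outsiders still get authoritative answers only. The `recursion no` setting would also have to be dropped while the box is being tested as a resolver for wwws.sun.com from inside, as in post #1, which is why the two roles are better kept on separate servers.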