BIND9 DNS Server not resolving a single domain


I am running BIND 9.10.3-P4-Ubuntu as an authoritative server for my own domains and to serve DNS for machines in my network.

My problem: I am unable to resolve www.cnn.com.

All other domains seem to work fine.

I realize that there are work-arounds, but I am trying to learn and understand. This problem has me stumped.

What I have tried

dig www.cnn.com

results in a SERVFAIL (full results below) but...

dig www.cnn.com +trace 

gives an answer (full results below)

I have debug logging turned on (results below) but am unsure of how to read the results.

named-checkconf came back clean and my syslogs are clean.

rndc reload

did not help.

service bind9 restart

did not help.

root.hints are up-to-date

My Configuration

named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.bogus-nets";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.bogus-nets

// BIND CONFIG FILE INCLUDE

// Address ranges the operator treats as bogons (unallocated or reserved space).
// The options block applies this ACL through `blackhole`, so named ignores
// queries from these ranges and also refuses to send its own queries to
// servers inside them.
// NOTE(review): a static bogon list goes stale. 1.0.0.0/8, 2.0.0.0/8,
// 5.0.0.0/8 and 223.0.0.0/8 below have since been allocated by IANA to
// regional registries, and the redacted part of the list may hold more such
// entries. Check every entry against the current IANA IPv4 registry, or keep
// only the special-purpose ranges that can never be routed.
acl bogus-nets {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;

<redacted for brevity>

223.0.0.0/8;
// 224.0.0.0/3 covers 224.0.0.0 through 255.255.255.255 (multicast and above).
224.0.0.0/3;
};

named.conf.options

// Trusted client networks: two private /24s plus IPv4 loopback. This ACL gates
// queries, recursion and cache access in the options block, and selects the
// "internal" view in named.conf.local.
acl my-nets {
        192.168.1.0/24;
        192.168.0.0/24;
        127.0.0.1;
};

// Global options for a server that is both a recursive resolver for my-nets
// and an authoritative server for its own zones.
options {
        directory "/var/cache/bind";

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // "auto" turns on DNSSEC validation using the built-in, automatically
        // maintained root trust anchor.
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        // Do not listen on any IPv6 address.
        listen-on-v6 {none;};

        // Queries, recursion and cached answers are limited to my-nets, so the
        // server is not an open resolver. A zone-level allow-query (as in the
        // "external" view) overrides allow-query for that zone only.
        allow-query             {my-nets;};
        allow-recursion         {my-nets;};
        allow-query-cache       {my-nets;};
        // blackhole works in both directions: named drops queries arriving from
        // these addresses AND will not send queries to them while resolving.
        // If an authoritative server for some name sits inside a listed range,
        // recursion for that name ends in SERVFAIL even though every other
        // domain resolves. Keep the ACL current, or restrict it to ranges that
        // are permanently reserved.
        blackhole               {bogus-nets;};
        // No zone transfers to anyone.
        allow-transfer          {none;};
        empty-zones-enable      yes;
        // String returned for version.bind queries in place of the real version.
        version                 "Version Redacted";
};

// Send everything in the default category to one rotating file.
logging {
        channel information {
                // Rotate at 500K and keep three older versions.
                file "/var/log/named/info.log" versions 3 size 500K;
                // Accept messages up to debug level 10. At that level the log
                // includes full received packets, as the sample output on this
                // page shows.
                // NOTE(review): at this verbosity the small files roll over
                // quickly and little history is kept. Confirm this is a
                // temporary troubleshooting setting, and raise size/versions if
                // the log is meant to support later investigation.
                severity debug 10;
                print-time              yes;
                print-severity          yes;
                print-category          yes;
                };

        // Categories with no statement of their own fall back to "default".
        category default {information;};
};

// rndc control channel: bound to IPv4 loopback only, accepts connections from
// the local host, and requires the key named rndc-key.
// NOTE(review): rndc-key is presumably defined in /etc/bind/rndc.key, which
// named.conf includes; confirm that file is readable only by root and the bind
// user.
controls {
        inet 127.0.0.1 allow {localhost;} keys {rndc-key;};
};

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Split-horizon view for trusted clients. Views are matched in the order they
// appear, so this one must stay ahead of the catch-all "external" view.
view "internal" {
match-clients {my-nets;};

// Root hints used to start recursion for clients of this view.
zone "." IN {
        type            hint;
        file            "/etc/bind/db.root";
        };

zone "localhost" IN {
        type                    master;
        file                    "/etc/bind/zones/localhost.zone";
        allow-update            {none;};
        allow-query             {my-nets;};
        };

zone "0.0.127.in-addr.arpa" IN {
        type                    master;
        file                    "/etc/bind/zones/0.0.127.in-addr.arpa.zone";
        allow-update            {none;};
        allow-query             {my-nets;};
        };

        // Reverse zone for 192.168.1.0/24. Dynamic updates are disabled.
        zone "1.168.192.in-addr.arpa" IN {
                type            master;
                file            "/etc/bind/zones/1.168.192.in-addr.arpa.zone";
                allow-update    {none;};
                allow-query     {my-nets;};
        };

        // Internal version of the zone, served from its own zone file and
        // answered only for my-nets.
        zone "mindmelter.org" IN {
                type            master;
                file            "/etc/bind/zones/mindmelter.org.internal.zone";
                allow-update    {none;};
                allow-query     {my-nets;};
                // Skip host-name syntax checking for records in this zone.
                check-names     ignore;
        };

};

// Catch-all view for every client the "internal" view did not match.
// NOTE(review): recursion here is held back only by the global
// allow-recursion {my-nets;}. Because my-nets clients match the internal view
// first, an explicit `recursion no;` in this view would make the
// authoritative-only intent obvious and would survive later edits to the
// global options.
// NOTE(review): the global blackhole {bogus-nets;} applies to this view too.
// Clients whose source address falls in a stale bogus-nets entry get no answer
// for the public zone.
view "external" {
        match-clients {any;};

        zone "." IN {
                type            hint;
                file            "/etc/bind/db.root";
        };

        // Public version of the zone. The zone-level allow-query {any;}
        // overrides the global allow-query {my-nets;} for this zone.
        zone "mindmelter.org" IN {
                type            master;
                file            "/etc/bind/zones/mindmelter.org.external.zone";
                allow-update    {none;};
                allow-query     {any;};
                check-names     ignore;
        };
};

File permissions

ls -l /etc/bind/db.root
-rw-r--r-- 1 bind bind 3170 Jul  9 17:26 /etc/bind/db.root


ls -l /etc/bind/zones/
-rw-r--r-- 1 bind bind    534 Jul 19  2014 0.0.127.in-addr.arpa.zone
-rw-r--r-- 1 bind bind   1666 Jul 19  2014 1.168.192.in-addr.arpa.zone
-rw-r--r-- 1 bind bind    466 Jul 19  2014 localhost.zone
-rw-r--r-- 1 bind bind   1104 Nov 29  2015 mindmelter.org.external.zone
-rw-r--r-- 1 bind bind   1224 Jul 10 13:14 mindmelter.org.internal.zone


ls -l /var/cache/bind
total 72020
-rw-r--r-- 1 bind bind      821 Jul 10 13:49 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r-- 1 bind bind      512 Jul 10 13:49 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r-- 1 bind bind      821 Jul 10 13:49 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r-- 1 bind bind      512 Jul 10 13:49 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl
-rw------- 1 bind bind 73723904 Sep  3  2015 core
-rw-r--r-- 1 bind bind      720 Jul 19  2014 managed-keys.bind
-rw-r--r-- 1 bind bind      512 Jul 19  2014 managed-keys.bind.jnl

Root Hints (/etc/bind/db.root)

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    March 23, 2016
;       related version of root zone:   2016032301
;
; formerly NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file

Command Output

dig www.cnn.com

dig www.cnn.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24330
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cnn.com.                   IN      A

;; Query time: 260 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sun Jul 10 14:00:11 CDT 2016
;; MSG SIZE  rcvd: 40

dig www.cnn.com +trace

dig www.cnn.com +trace

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.cnn.com +trace
;; global options: +cmd
.                       470071  IN      NS      k.root-servers.net.
.                       470071  IN      NS      c.root-servers.net.
.                       470071  IN      NS      d.root-servers.net.
.                       470071  IN      NS      e.root-servers.net.
.                       470071  IN      NS      g.root-servers.net.
.                       470071  IN      NS      l.root-servers.net.
.                       470071  IN      NS      f.root-servers.net.
.                       470071  IN      NS      m.root-servers.net.
.                       470071  IN      NS      a.root-servers.net.
.                       470071  IN      NS      h.root-servers.net.
.                       470071  IN      NS      j.root-servers.net.
.                       470071  IN      NS      i.root-servers.net.
.                       470071  IN      NS      b.root-servers.net.
.                       514339  IN      RRSIG   NS 8 0 518400 20160720170000     20160710160000 46551 . ZrHKtz6uJX2ljRgkPEmXUHDuuskMmqNQTqndwpQvKimBvng8B4qCK5Mt hg6tBfmJM7Wk53NnDYoJRk1Q++OKoYYZf+njKhcPbrGa2D+rDuPOyOJz 4ussO1AZdg+H4JsZ9/OR3TfUYS4lfG8Ov6u4lc2R1y2tWqTKFif20WMC 8TM=
;; Received 955 bytes from 192.168.1.2#53(192.168.1.2) in 1 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2     E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20160720170000     20160710160000 46551 . TtxKBdFbscgs26hOkVaP5DV5bvrczgFJ91Vq79iRhvRu5PveAjT8af8G     yF0+JZMUAXyMbU7uxhgs0Rpec7ldBu/palvN9edTXZTUmmRCHiCoJwSX     46nzphAUeWh6+BB8FRZl6FpRMaSfZ02Vd3f3pxabNzLYtHzsizMXAOBv 8go=
;; Received 735 bytes from 192.5.5.241#53(f.root-servers.net) in 102 ms

cnn.com.                172800  IN      NS      ns1.timewarner.net.
cnn.com.                172800  IN      NS      ns3.timewarner.net.
cnn.com.                172800  IN      NS      ns1.p42.dynect.net.
cnn.com.                172800  IN      NS      ns2.p42.dynect.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -     CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400     20160717050355 20160710035355 34745 com.     FRl3kWjrLQDbv3KST9JdLeQN0FgGqik8Pau80HDFSwQV9ON0D9L9CnyT     3qLHbgsh8MMt9ma0AnxjnfZx00YoRySt+0vwQfzk0/7Z6pTeyXEZCBQU     9we3XmqWg56sIDVDK3KKyTaPE2mJUZjweRpuvv3RsfjQ7qHeDeFR/spT eNk=
FVT71LMDJ71M5N4BBJG7S42QT4H2K0VS.com. 86400 IN NSEC3 1 1 0 -     FVT8070RVMMN14H33TU31073GPDT89UQ NS DS RRSIG
FVT71LMDJ71M5N4BBJG7S42QT4H2K0VS.com. 86400 IN RRSIG NSEC3 8 2 86400     20160717050135 20160710035135 34745 com.     XdoDYW/ILABlYX21xe4D5WJRQBBMR2Gk8Bqx//x/IgjyqgmXEmsVqhty     DMBS3+Sra4lsqdXHewRekfcTVCuawRp/2tA1qNZRKsOw/uQLT5RAgBqC     uCNr6wnJi41B8tnbZIeqikajlao1ie0MvjwIqQC3TLknGiz1gFDMYSNi LKg=
;; Received 686 bytes from 192.43.172.30#53(i.gtld-servers.net) in 100 ms

www.cnn.com.            300     IN      CNAME   turner.map.fastly.net.
;; Received 75 bytes from 204.74.108.238#53(ns1.timewarner.net) in 56 ms

dig turner.map.fastly.net +trace

dig turner.map.fastly.net +trace

; <<>> DiG 9.10.3-P4-Ubuntu <<>> turner.map.fastly.net +trace
;; global options: +cmd
.                       470021  IN      NS      e.root-servers.net.
.                       470021  IN      NS      m.root-servers.net.
.                       470021  IN      NS      c.root-servers.net.
.                       470021  IN      NS      i.root-servers.net.
.                       470021  IN      NS      h.root-servers.net.
.                       470021  IN      NS      j.root-servers.net.
.                       470021  IN      NS      k.root-servers.net.
.                       470021  IN      NS      g.root-servers.net.
.                       470021  IN      NS      d.root-servers.net.
.                       470021  IN      NS      b.root-servers.net.
.                       470021  IN      NS      l.root-servers.net.
.                       470021  IN      NS      f.root-servers.net.
.                       470021  IN      NS      a.root-servers.net.
.                       514289  IN      RRSIG   NS 8 0 518400 20160720170000     20160710160000 46551 . ZrHKtz6uJX2ljRgkP     hg6tBfmJM7Wk53NnDYoJRk1Q++OKoYYZf+njKhcPbrGa2D+rDuPOyOJz     4ussO1AZdg+H4JsZ9/OR3TfUYS4lfG8Ov6u4lc2R1y2tWqTKFif20WMC 8T
;; Received 955 bytes from 192.168.1.2#53(192.168.1.2) in 2 ms

net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    86400   IN      DS      35886 8 2     7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8B
net.                    86400   IN      RRSIG   DS 8 1 86400 20160720170000     20160710160000 46551 .     TVBcfHmkbx7KPHEMYGQ8ryWqxNk9WC1ETGLShz4Bau52UwyQbv2sZsejbpQMKnvOaJ7TPBOMDL     cHcFhOD/3KMHZiora4vx97BY5E4mnvh8YgYK3mFzXXLolRjCpO66oALk E9I
;; Received 742 bytes from 199.7.83.42#53(l.root-servers.net) in 74 ms

fastly.net.             172800  IN      NS      ns1.p04.dynect.net.
fastly.net.             172800  IN      NS      ns3.p04.dynect.net.
fastly.net.             172800  IN      NS      ns2.p04.dynect.net.
fastly.net.             172800  IN      NS      ns4.p04.dynect.net.
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 -     A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSE
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400     20160717053023 20160710042023 50762 net. LfZBm/4vXKsi/ANaS     s76lSOHLdUOF08JNpzq0uBuyTEjBS6GQFUg1ruUu2C/npgwBRxQPdMAX     6A3h+3vx9rju2frD00lI41G4IH/q83pdlAVsY6IUD02CwWuo8
AP1UQVEE3B7Q9OKM1F1UC6DRCTSUHETP.net. 86400 IN NSEC3 1 1 0 -     AP2M7NDEO91A3DEM6A6I602B2AEO284F NS DS RRSIG
AP1UQVEE3B7Q9OKM1F1UC6DRCTSUHETP.net. 86400 IN RRSIG NSEC3 8 2 86400     20160717052608 20160710041608 50762 net. uFfWQLYJvssA3GHA0     HgkMVRpBvzE2lZTrwUHT8wkpIF7PrLJZ1/EC07JekoFQlgkI7C4O4HqS     v9KiS4fwakyuCvMvqHunnVx3bFjaZHzJZRJRwIrkS270H6vMb
;; Received 682 bytes from 192.42.93.30#53(g.gtld-servers.net) in 84 ms

turner.map.fastly.net.  30      IN      CNAME   prod.turner.map.fastlylb.net.
;; Received 89 bytes from 204.13.251.4#53(ns4.p04.dynect.net) in 55 ms

dig prod.turner.map.fastlylb.net +trace

dig prod.turner.map.fastlylb.net +trace

; <<>> DiG 9.10.3-P4-Ubuntu <<>> prod.turner.map.fastlylb.net +trace
;; global options: +cmd
.                       469985  IN      NS      k.root-servers.net.
.                       469985  IN      NS      l.root-servers.net.
.                       469985  IN      NS      f.root-servers.net.
.                       469985  IN      NS      d.root-servers.net.
.                       469985  IN      NS      c.root-servers.net.
.                       469985  IN      NS      a.root-servers.net.
.                       469985  IN      NS      j.root-servers.net.
.                       469985  IN      NS      m.root-servers.net.
.                       469985  IN      NS      g.root-servers.net.
.                       469985  IN      NS      b.root-servers.net.
.                       469985  IN      NS      e.root-servers.net.
.                       469985  IN      NS      h.root-servers.net.
.                       469985  IN      NS      i.root-servers.net.
.                       514253  IN      RRSIG   NS 8 0 518400 20160720170000     20160710160000 46551 . ZrHKtz6uJX2ljRgkPEmXUHDuuskMmqNQTqndwpQvKimBvng8B4qCK5Mt     hg6tBfmJM7Wk53NnDYoJRk1Q++OKoYYZf+njKhcPbrGa2D+rDuPOyOJz     4ussO1AZdg+H4JsZ9/OR3TfUYS4lfG8Ov6u4lc2R1y2tWqTKFif20WMC 8TM=
;; Received 955 bytes from 192.168.1.2#53(192.168.1.2) in 1 ms

net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    86400   IN      DS      35886 8 2     7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net.                    86400   IN      RRSIG   DS 8 1 86400 20160720170000     20160710160000 46551 . TVBcfHmkbx7KPHEMYGhoh/YVWuae16dznm2kScbPP6W7sLknlF4hnxcD     Q8ryWqxNk9WC1ETGLShz4Bau52UwyQbv2sZsejbpQMKnvOaJ7TPBOMDL     cHcFhOD/3KMHZiora4vx97BY5E4mnvh8YgYK3mFzXXLolRjCpO66oALk E9I=
;; Received 749 bytes from 198.41.0.4#53(a.root-servers.net) in 79 ms

fastlylb.net.           172800  IN      NS      ns1.fastlylb.net.
fastlylb.net.           172800  IN      NS      ns2.fastlylb.net.
fastlylb.net.           172800  IN      NS      ns3.fastlylb.net.
fastlylb.net.           172800  IN      NS      ns4.fastlylb.net.
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 -     A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400     20160717053023 20160710042023 50762 net.     LfZBm/4j+WvVDIDZZn3fBMV4nSM1bW1Ea7ptxthzgdvR6dvXKsi/ANaS     s76lSOHLdUOF08JNpzq0uBuyTEjBS6GQFUg1ruUu2C/npgwBRxQPdMAX     6A3h+3vx9rju2frD00lI41G4IH/q83pdlAVsY6IUD02CwWuo8TLuglyB tMo=
IVGF9TD77VU6QETUUOLS7T84VMH1S5E7.net. 86400 IN NSEC3 1 1 0 -     IVGV4AU40DKCA1FI0Q6UIFCTE1CUIIAP NS DS RRSIG
IVGF9TD77VU6QETUUOLS7T84VMH1S5E7.net. 86400 IN RRSIG NSEC3 8 2 86400     20160714052000 20160707041000 50762 net.     KxuPdbkmroRr/KSmGBQd27iZaWb1rMzcotXAt8g3PXm9jH6JeQu5HtmD     VqzGw/uuwfxrcEZ5HMfttThAqU43FD9ZD0miwIckVUQz8rbLpFSKTYK7     ai/hdsTh+obZpEiDY0hSV1NNsUae7e7xtXctxjvQufKECa65HCqgzGTw r4k=
;; Received 678 bytes from 192.41.162.30#53(l.gtld-servers.net) in 80 ms

prod.turner.map.fastlylb.net. 30 IN     A       151.101.44.73
;; Received 73 bytes from 104.156.84.32#53(ns4.fastlylb.net) in 55 ms

BIND log file /var/log/named/info.log

This is showing the SERVFAIL from dig www.cnn.com.

10-Jul-2016 14:01:35.208 client: debug 3: client 192.168.1.2#45833: UDP request
10-Jul-2016 14:01:35.208 client: debug 5: client 192.168.1.2#45833: view internal: using view 'internal'
10-Jul-2016 14:01:35.208 security: debug 3: client 192.168.1.2#45833: view internal: request is not signed
10-Jul-2016 14:01:35.208 security: debug 3: client 192.168.1.2#45833: view internal: recursion available
10-Jul-2016 14:01:35.208 client: debug 3: client 192.168.1.2#45833: view internal: query
10-Jul-2016 14:01:35.208 client: debug 10: client 192.168.1.2#45833 (www.cnn.com): view internal: ns_client_attach: ref = 1
10-Jul-2016 14:01:35.209 security: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: query (cache) 'www.cnn.com/A/IN' approved
10-Jul-2016 14:01:35.209 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: replace
10-Jul-2016 14:01:35.209 general: debug 3: clientmgr @0x7f71ff5e8458: get client
10-Jul-2016 14:01:35.209 general: debug 3: clientmgr @0x7f71ff5e8458: recycle
10-Jul-2016 14:01:35.209 resolver: debug 1: fetch: turner.map.fastly.net/A
10-Jul-2016 14:01:35.209 client: debug 3: client @0x7f71e0000f60: udprecv
10-Jul-2016 14:01:35.209 resolver: debug 10: log_ns_ttl: fctx 0x7f71e80ca040: fctx_create: turner.map.fastly.net (in 'fastly.NET'?): 1 125746
10-Jul-2016 14:01:35.265 resolver: debug 10: received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23686
;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;turner.map.fastly.net.         IN      A

;; ANSWER SECTION:
;turner.map.fastly.net. 30      IN      CNAME   prod.turner.map.fastlylb.net.

10-Jul-2016 14:01:35.265 dnssec: debug 3: validating turner.map.fastly.net/CNAME: starting
10-Jul-2016 14:01:35.265 dnssec: debug 3: validating turner.map.fastly.net/CNAME: attempting insecurity proof
10-Jul-2016 14:01:35.265 dnssec: debug 3: validating turner.map.fastly.net/CNAME: checking existence of DS at 'net'
10-Jul-2016 14:01:35.265 dnssec: debug 3: validating turner.map.fastly.net/CNAME: checking existence of DS at 'fastly.net'
10-Jul-2016 14:01:35.265 dnssec: debug 3: validating turner.map.fastly.net/CNAME: marking as answer (proveunsecure (4))
10-Jul-2016 14:01:35.265 dnssec: debug 4: validator @0x7f71e8048c70: dns_validator_destroy
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_destroyfind on find 0x7f71e03f52c0
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_destroyfind on find 0x7f71e08fa220
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_destroyfind on find 0x7f71e03d92c0
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_destroyfind on find 0x7f71e08ffa90
10-Jul-2016 14:01:35.265 resolver: debug 1: fetch: prod.turner.map.fastlylb.net/A
10-Jul-2016 14:01:35.265 resolver: debug 10: log_ns_ttl: fctx 0x7f71f04ba858: fctx_create: prod.turner.map.fastlylb.net (in 'fastlylb.NET'?): 1 125747
10-Jul-2016 14:01:35.265 database: debug 5: expiring v4 for name 0x7f71e08f1bb0
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_createfind: found A for name ns1.fastlylb.net (0x7f71e08f1bb0) in db
10-Jul-2016 14:01:35.265 database: debug 5: expiring v4 for name 0x7f71e08f1a80
10-Jul-2016 14:01:35.265 database: debug 5: dns_adb_createfind: found A for name ns2.fastlylb.net (0x7f71e08f1a80) in db
10-Jul-2016 14:01:35.266 database: debug 5: expiring v4 for name 0x7f71e08f1950
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_createfind: found A for name ns3.fastlylb.net (0x7f71e08f1950) in db
10-Jul-2016 14:01:35.266 database: debug 5: expiring v4 for name 0x7f71e08f5fd0
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_createfind: found A for name ns4.fastlylb.net (0x7f71e08f5fd0) in db
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_destroyfind on find 0x7f71e03f52c0
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_destroyfind on find 0x7f71e08ffa90
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_destroyfind on find 0x7f71e08fa220
10-Jul-2016 14:01:35.266 database: debug 5: dns_adb_destroyfind on find 0x7f71e03d92c0
10-Jul-2016 14:01:35.266 query-errors: debug 1: client 192.168.1.2#45833 (www.cnn.com): view internal: query failed (SERVFAIL) for www.cnn.com/IN/A at ../../../bin/named/query.c:7769
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: error
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: send
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: sendto
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: senddone
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: next
10-Jul-2016 14:01:35.266 client: debug 10: client 192.168.1.2#45833 (www.cnn.com): view internal: ns_client_detach: ref = 0
10-Jul-2016 14:01:35.266 client: debug 3: client 192.168.1.2#45833 (www.cnn.com): view internal: endrequest
10-Jul-2016 14:01:35.266 query-errors: debug 2: fetch completed at ../../../lib/dns/resolver.c:3660 for prod.turner.map.fastlylb.net/A in 0.000632: SERVFAIL/success [domain:fastlylb.NET,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Keith M.

Posted 2016-07-10T20:32:41.207

Reputation: 11

The difference between doing dig with +trace and without is whether dig follows the delegation itself or just lets the server it talks to do it all. So the initial distinction shows that the data is correct and you can get to it, but that the server (@192.168.1.2) doesn't follow it. I can't quite figure out from the log what went wrong. My approach would be to try related lookups, the +trace output tells you what they should be, e.g. start with dig ns cnn.com to see if it can get the right ns records. – MAP – 2016-07-11T02:52:34.277

It breaks down in finding the nameserver for fastlylb.net. – Keith M. – 2016-07-11T06:04:21.847

dig NS fastlylb.net results in SERVFAIL whereas dig @a.gtld-servers.net NS fastlylb.net is successful. Thoughts? – Keith M. – 2016-07-11T06:10:30.787

OK, it looks like the fastly folks have some kind of complex cross-linked nameserver setup, and it's not quite right (various places have different lists of NS for various domains). But it's now 4AM here and my brain is no longer up to figuring out a setup this complex, so I'm just going to have to leave you with the hope that it's something in transition (it sure looks like that to me), and that the fastly folks will have it right eventually. I'm not sure why it's only affecting your server; that usually happens when a server picks up an inconsistent state, but restarting should have fixed that. – MAP – 2016-07-11T07:44:15.550

Answers


Without a dump of your cache state from when it was failing, there's no way (now) to figure out what was causing the SERVFAIL condition, as it is mostly working correctly now, albeit slowly. There are several layers of name server sets and several lookup (and query restart) domains that could have been the culprits (cnn.com itself being unlikely), i.e., there could have been problems with timewarner.com, fastly.net, or dynect.net from your perspective on the network.

Next time this happens, use this site to run a top-down analysis: http://dnsviz.net/

If you try it now for www.cnn.com, there are warnings about delegation mismatches and UDP delivery failures due to negotiated payload size (usually caused by a misconfigured firewall).

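Edit: Are you blackholing any of these IPs through your bogus-nets ACL? BIND's blackhole option also stops named from sending queries to the listed addresses, which would be consistent with the qrysent:0 in the last line of your log.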

$ checksoa fastly.net

    Serial #      RTT(ms)   Version                                      fastly.net nameservers (name -- IP -- SOA MNAME)

    2016071503       91   9.10.2+Dyn-ETM-13892          ns1.p04.dynect.net                    208.78.70.4                        SOA: ns1.p04.dynect.net
    2016071503     145   9.10.2+Dyn-ETM-13892          ns3.p04.dynect.net                    208.78.71.4                        SOA: ns1.p04.dynect.net
    2016071503     133   9.10.2+Dyn-ETM-13892          ns1.p04.dynect.net                    2001:500:90:1:0:0:0:4       SOA: ns1.p04.dynect.net
    2016071503     113   9.10.2+Dyn-ETM-13892          ns4.p04.dynect.net                    204.13.251.4                      SOA: ns1.p04.dynect.net
    2016071503     110   9.10.2+Dyn-ETM-13892          ns2.p04.dynect.net                    204.13.250.4                      SOA: ns1.p04.dynect.net
    2016071503     103   9.10.2+Dyn-ETM-13892          ns3.p04.dynect.net                    2001:500:94:1:0:0:0:4       SOA: ns1.p04.dynect.net

$ checksoa dynect.net

     Serial #    RTT(ms)  Version                                       dynect.net nameservers (name -- IP -- SOA MNAME)

    2016070500      61   9.10.2+Dyn-ETM-13892          ns1.dynamicnetworkservices.net        208.78.70.136                            SOA: ns0.dynamicnetworkservices.net
    2016070500      64   myriad_pdns:1.0.0                    ns6.dynamicnetworkservices.net        162.88.61.21                              SOA: ns0.dynamicnetworkservices.net
    2016070500      65   myriad_pdns:1.0.0                    ns5.dynamicnetworkservices.net        162.88.60.21                              SOA: ns0.dynamicnetworkservices.net
    2016070500      62   9.10.2+Dyn-ETM-13892          ns3.dynamicnetworkservices.net        208.78.71.136                            SOA: ns0.dynamicnetworkservices.net
    2016070500      70   9.10.2+Dyn-ETM-13892          ns2.dynamicnetworkservices.net        204.13.250.136                          SOA: ns0.dynamicnetworkservices.net
    2016070500      70   9.10.2+Dyn-ETM-13892          ns4.dynamicnetworkservices.net        204.13.251.136                          SOA: ns0.dynamicnetworkservices.net
    2016070500      81   myriad_pdns:1.0.0                    ns6.dynamicnetworkservices.net        2600:2000:1001:0:0:0:0:21        SOA: ns0.dynamicnetworkservices.net
    2016070500      79   9.10.2+Dyn-ETM-13892          ns1.dynamicnetworkservices.net        2001:500:90:1:0:0:0:136            SOA: ns0.dynamicnetworkservices.net
    2016070500      81   vertex_bind:2.0.2                      ns7.dynamicnetworkservices.net        108.59.165.1                              SOA: ns0.dynamicnetworkservices.net
    2016070500      81   9.10.2+Dyn-ETM-13892          ns3.dynamicnetworkservices.net        2001:500:94:1:0:0:0:136            SOA: ns0.dynamicnetworkservices.net
    2016070500      82   myriad_pdns:1.0.0                    ns5.dynamicnetworkservices.net        2600:2000:1000:0:0:0:0:21        SOA: ns0.dynamicnetworkservices.net
    2016070500      86   vertex_bind:2.0.2                      ns7.dynamicnetworkservices.net        2a02:e180:8:0:0:0:0:1                SOA: ns0.dynamicnetworkservices.net

$ checksoa dynamicnetworkservices.net

     Serial #   RTT(ms)  Version                                       dynamicnetworkservices.net nameservers (name -- IP -- SOA MNAME)

    2016051600      62   9.10.2+Dyn-ETM-13892          ns3.dynamicnetworkservices.net        208.78.71.136                           SOA: ns0.dynamicnetworkservices.net
    2016051600      64   myriad_pdns:1.0.0                    ns6.dynamicnetworkservices.net        162.88.61.21                             SOA: ns0.dynamicnetworkservices.net
    2016051600      64   9.10.2+Dyn-ETM-13892          ns1.dynamicnetworkservices.net        208.78.70.136                           SOA: ns0.dynamicnetworkservices.net
    2016051600      64   myriad_pdns:1.0.0                   ns5.dynamicnetworkservices.net        162.88.60.21                             SOA: ns0.dynamicnetworkservices.net
    2016051600      72   9.10.2+Dyn-ETM-13892          ns2.dynamicnetworkservices.net        204.13.250.136                         SOA: ns0.dynamicnetworkservices.net
    2016051600      75   9.10.2+Dyn-ETM-13892          ns4.dynamicnetworkservices.net        204.13.251.136                         SOA: ns0.dynamicnetworkservices.net
    2016051600      81   vertex_bind:2.0.2                      ns7.dynamicnetworkservices.net        108.59.165.1                             SOA: ns0.dynamicnetworkservices.net
    2016051600      81   9.10.2+Dyn-ETM-13892          ns3.dynamicnetworkservices.net        2001:500:94:1:0:0:0:136            SOA: ns0.dynamicnetworkservices.net
    2016051600      85   myriad_pdns:1.0.0                   ns6.dynamicnetworkservices.net        2600:2000:1001:0:0:0:0:21        SOA: ns0.dynamicnetworkservices.net
    2016051600      88   vertex_bind:2.0.2                     ns7.dynamicnetworkservices.net        2a02:e180:8:0:0:0:0:1                SOA: ns0.dynamicnetworkservices.net
    2016051600      83   9.10.2+Dyn-ETM-13892         ns1.dynamicnetworkservices.net        2001:500:90:1:0:0:0:136            SOA: ns0.dynamicnetworkservices.net
    2016051600      85   myriad_pdns:1.0.0                   ns5.dynamicnetworkservices.net        2600:2000:1000:0:0:0:0:21        SOA: ns0.dynamicnetworkservices.net

milli

Posted 2016-07-10T20:32:41.207

Reputation: 1 682

Thank you. That was the problem. When I comment out my blackhole for bogus-nets I can resolve it. I'll take a look tomorrow to hunt down the specific offending line in the config file. – Keith M. – 2016-07-20T06:18:02.180