2

I have Ubuntu 12.04 with BIND9, working just as a caching server (forwarding to 8.8.8.8).

When I use, for example, dig +norecurse @l.root-servers.net www.uniroma1.it, I obtain the following output:

; <<>> DiG 9.8.1-P1 <<>> +norecurse @l.root-servers.net www.uniroma1.it
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Using Wireshark I discovered that the outgoing queries are correct, but there aren't any incoming answers. Why?

P.S. Using simply dig www.uniroma1.it I obtain the correct answers.

2
  • 3
    I assume that when you use just dig without @<nameserver> it uses your own DNS server that you set up and specified in /etc/resolv.conf? Did you firewall yourself? Commented Nov 15, 2012 at 12:44
  • Only the 127.0.0.1 server is present in /etc/resolv.conf, and I think that's right. I have no firewall, but my ISP probably does. Commented Nov 16, 2012 at 19:47

3 Answers

2

Your command works fine here. My guess is that a firewall, either at your location or at your ISP, is blocking the DNS requests or responses. The normal dig www.uniroma1.it likely works because said firewall is allowing requests to certain servers, like the ones provided by your ISP and maybe 8.8.8.8.

2

The Root servers will not answer queries for domains that they are not authoritative for. If you run the command without the +norecurse argument, it should return a list of referrals for the .it domain. You will never get an A record response from the Root servers.

5
  • 1
    But you should get NS records in an AUTHORITY section, not "connection timed out". Commented Nov 15, 2012 at 15:43
  • @Jim Paris But my answer wasn't wrong. Why did you downvote it? You only answered part of the question yourself. You didn't address the fact that he was querying the root servers directly, which was the first part of his problem. Commented Nov 26, 2012 at 13:01
  • I downvoted because it is wrong. The root servers will answer queries, with an NS record pointing to the next server in the hierarchy that may be able to answer. They will not simply drop queries and send no response, which is what the asker was seeing. Commented Nov 26, 2012 at 18:31
  • I never said that it will drop queries. Nowhere in my answer did I say that it will drop queries. If you can point out in my answer where I said that it will drop queries, you can have those points. If you read further you will see that I mentioned that root will give referrals for the .it domain. I didn't specifically address his timeout issue. I addressed the fact that he was asking root for an A record. Commented Nov 28, 2012 at 13:34
  • You said: "Root servers will not answer queries". The root server will answer. It will say, "I don't know, here are the nameservers to ask next." Anyway, regardless of how nitpicky you want to get, your answer was not useful, which is exactly what a downvote is for. The asker was having problems with a firewall blocking replies, and you discussed unrelated details about how root nameservers don't include A responses in their answers. Commented Nov 28, 2012 at 19:19
0

In the case that dig @nameserver domain.example.com does not work for specific nameservers only, while working for the large majority of them, it can also be an issue of that nameserver blocking traffic from some sources. They probably only want to answer to other nameservers (?). Obviously that's bad behavior because it makes debugging DNS issues harder.

This does not apply to the root server example posted in the question. But, for example, I see this behavior consistently with the nameservers of DNS hoster DomainDiscount24:

dig @ns1.domaindiscount.net example.com

; <<>> DiG 9.11.5-P4-5.1ubuntu2.2-Ubuntu <<>> @ns1.domaindiscount.net example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

(Using example.com is an example, but even that should yield an answer pointing me to the right nameserver for the example.com domain. But the same behavior as shown above applies when using a domain actually hosted at DomainDiscount24.)
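
The thread turns on the difference between a referral (NS records in the AUTHORITY section) and a reply that never arrives. The following is an added example, not code from any post above, that builds the same non-recursive query dig sends and classifies what comes back. The function names, the transaction ID and the sample packets are assumptions made for illustration; the samples are constructed and carry only the header and question.

```python
import socket
import struct

def build_query(name, rd=False, txid=0x1234):
    """Build a DNS A/IN query; rd=False is what dig +norecurse sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply):
    """Classify a raw DNS reply; None means nothing arrived before the timeout."""
    if reply is None:
        return "timeout"      # dig: "connection timed out; no servers could be reached"
    if len(reply) < 12:
        return "malformed"
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:    # QR bit clear: not a response
        return "malformed"
    if flags & 0x000F:        # non-zero RCODE (SERVFAIL, REFUSED, ...)
        return "error"
    if ancount:
        return "answer"
    if nscount and not flags & 0x0400:   # NS records in AUTHORITY, AA bit clear
        return "referral"
    return "nodata"

def probe(server, name, timeout=3.0):
    """Send the query over UDP port 53; return the raw reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

# Constructed samples: header plus question only, resource records left out.
QUESTION = build_query("www.uniroma1.it")[12:]
REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 0) + QUESTION
ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, raw in (("referral", REFERRAL), ("answer", ANSWER), ("none", None)):
        print(label, "->", classify(raw))
```

probe() does not check the transaction ID or source address of the reply, so it is suitable only as a reachability diagnostic. Running classify(probe(...)) against several nameservers shows whether "timeout" follows one server or every server other than the configured forwarder.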
