Secondary DNS problem

[uhhu]

When is the secondary DNS supposed to be queried? For at least one URL (forum.worldpuzzle.org), my ISP's primary DNS returns "server failure" and then SL sends the query again to the primary DNS resulting in another "server failure". Shouldn't the second query be sent to the secondary DNS instead? I used Wireshark to check what is going on.

The same happens with all my Scientific Linux machines. I have also checked in VirtualBox:

• SL 6.2 liveCD: same problem
• CentOS 6.2 liveCD: same problem
• Ubuntu 10.04 liveCD: works OK

Is there a bug in Scientfic Linux (and CentOS), or is my ISP's DNS working incorrectly?

[Curmudgeon]

QUOTE (uhhu @ Jul 1 2012, 06:15 AM)

When is the secondary DNS supposed to be queried?

Any time a lookup fails in the primary.

QUOTE (uhhu @ Jul 1 2012, 06:15 AM)

Is there a bug in Scientfic Linux (and CentOS), or is my ISP's DNS working incorrectly?

There's at least one other possibility you've not considered.

Post the results of

CODE

cat /etc/resolv.conf

[uhhu]

QUOTE (Curmudgeon @ Jul 1 2012, 10:07 PM)

QUOTE (uhhu @ Jul 1 2012, 06:15 AM) When is the secondary DNS supposed to be queried? Any time a lookup fails in the primary.

The primary is up and replies with "Standard query response, Server failure" (text in the Info column in Wireshark). Is that a failed lookup? Ubuntu thinks it is but SL does not.

QUOTE (Curmudgeon @ Jul 1 2012, 10:07 PM)

Post the results of CODE cat /etc/resolv.conf

CODE

# Generated by NetworkManager nameserver 62.241.198.245 nameserver 62.241.198.246

Those are using "Automatic (DHCP)". If I change it to "Automatic (DHCP) addresses only" and manually reverse the order of the nameservers, I can go to forum.worldpuzzle.org. But then I cannot go to www.worldpuzzle.org.

I now tested with a live CD in a real machine (not VirtualBox) and there is an additional line in the file: "search localdomain".

I also tested with a Windows XP machine: works OK.

[tux99]

Can you post the output of:
dig forum.worldpuzzle.org

[uhhu]

CODE

$ dig forum.worldpuzzle.org ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> forum.worldpuzzle.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55610 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;forum.worldpuzzle.org.  IN A ;; Query time: 145 msec ;; SERVER: 62.241.198.245#53(62.241.198.245) ;; WHEN: Mon Jul  2 01:56:14 2012 ;; MSG SIZE  rcvd: 39

Edit >>>
And the output of the secondary nameserver (that SL does not query):

CODE

$ dig @62.241.198.246 forum.worldpuzzle.org ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> @62.241.198.246 forum.worldpuzzle.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59028 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;forum.worldpuzzle.org.  IN A ;; ANSWER SECTION: forum.worldpuzzle.org. 34608 IN A 83.240.9.72 ;; AUTHORITY SECTION: worldpuzzle.org. 34608 IN NS dns1.gnax.net. ;; Query time: 13 msec ;; SERVER: 62.241.198.246#53(62.241.198.246) ;; WHEN: Mon Jul  2 02:02:27 2012 ;; MSG SIZE  rcvd: 82

[tux99]

Hmm, can you also post the output of:
nslookup forum.worldpuzzle.org

Also what client application were you using originally (before you wrote the first post) to do these tests in SL, Centos and Ubuntu?

[uhhu]

QUOTE (tux99 @ Jul 2 2012, 01:28 AM)

Hmm, can you also post the output of: nslookup forum.worldpuzzle.org

CODE

$ nslookup forum.worldpuzzle.org ;; Got SERVFAIL reply from 62.241.198.245, trying next server Server:  62.241.198.246 Address: 62.241.198.246#53 Non-authoritative answer: Name: forum.worldpuzzle.org Address: 83.240.9.72

QUOTE (tux99 @ Jul 2 2012, 01:28 AM)

Also what client application were you using originally (before you wrote the first post) to do these tests in SL, Centos and Ubuntu?

Firefox (10.0.5 and the live CD's default) and elinks on the machines with installed SL.

[tux99]

It seems that in case of SERVFAIL it's the client app that's responsible to retry with the second ns, that's why nslookup succeeds and dig fails when the first ns returns SERVFAIL.
If the first ns would simply time out then the glibc resolver would automatically try the second ns, but with SERVFAIL it seems that's not the case.

See this:
http://serverfault.com/questions/398837/second-nameserver-in-etc-resolv-conf-not-picked-up-by-wget

Note: I haven't looked at the source code of the glibc resolver so this might not be correct.

[uhhu]

OK, I did not change anything but now I get:

CODE

$ dig forum.worldpuzzle.org ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> forum.worldpuzzle.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6023 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;forum.worldpuzzle.org.  IN A ;; ANSWER SECTION: forum.worldpuzzle.org. 37413 IN A 83.240.9.72 ;; AUTHORITY SECTION: worldpuzzle.org. 37413 IN NS dns1.gnax.net. ;; Query time: 9 msec ;; SERVER: 62.241.198.245#53(62.241.198.245) ;; WHEN: Mon Jul  2 03:56:22 2012 ;; MSG SIZE  rcvd: 82

CODE

$ dig www.worldpuzzle.org ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> www.worldpuzzle.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51109 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.worldpuzzle.org.  IN A ;; Query time: 148 msec ;; SERVER: 62.241.198.245#53(62.241.198.245) ;; WHEN: Mon Jul  2 03:56:28 2012 ;; MSG SIZE  rcvd: 37

CODE

$ nslookup forum.worldpuzzle.org Server:  62.241.198.245 Address: 62.241.198.245#53 Non-authoritative answer: Name: forum.worldpuzzle.org Address: 83.240.9.72

CODE

$ nslookup www.worldpuzzle.org ;; Got SERVFAIL reply from 62.241.198.245, trying next server ;; Got SERVFAIL reply from 62.241.198.245, trying next server Server:  62.241.198.246 Address: 62.241.198.246#53 ** server can't find www.worldpuzzle.org: SERVFAIL

This time nslookup failed to find www.worldpuzzle.org on either server. Doesn't this imply there must be something wrong with the nameservers.

[tux99]

QUOTE (uhhu @ Jul 2 2012, 03:16 AM)

This time nslookup failed to find www.worldpuzzle.org on either server. Doesn't this imply there must be something wrong with the nameservers.

Maybe the SERVFAIL problem is related to IPv6 <> IPv4 interference?

Try disabling IPv6 on your SL machine (unless of course you are using IPv6 on your network):
http://scientificlinuxforum.org/index.php?showtopic=1376

[Curmudgeon]

QUOTE (uhhu @ Jul 1 2012, 06:16 PM)

Doesn't this imply there must be something wrong with the nameservers.

Easy way to find out; switch over to OpenDNS (or Google's, if you don't mind adding to their extensive collection of things they know about you).

OpenDNS servers:

208.67.222.222
208.67.220.220

I'd also second tux99's suggestion about disabling IPv6 if at all practical. It solves a multitude of DNS-related problems.

[uhhu]

QUOTE (tux99 @ Jul 2 2012, 04:09 AM)

Maybe the SERVFAIL problem is related to IPv6 <> IPv4 interference? Try disabling IPv6 on your SL machine (unless of course you are using IPv6 on your network): http://scientificlinuxforum.org/index.php?showtopic=1376

I tried that by starting the live CD with ipv6.disable=1 in startup options. That seems to solve the secondary nameserver (non)query problem at least in browsers, now Firefox and elinks query the secondary server if the primary replies SERVFAIL.

OK, I managed to solve the problem in Firefox (and without starting the system with ipv6.disable=1). In about:config, I changed the network.dns.disableIPv6 setting to true.

[tux99]

QUOTE (uhhu @ Jul 2 2012, 06:40 PM)

OK, I managed to solve the problem in Firefox (and without starting the system with ipv6.disable=1). In about:config, I changed the network.dns.disableIPv6 setting to true.

Good to know, this is a strong indication that the problem was caused by IPv6 from the beginning.

I highly recommend you to disable IPv6 not just in Firefox but also in the kernel (ipv6.disable=1 in grub as explained).

[uhhu]

Although I was able to solve my problem by adding ipv6.disable=1 in /boot/grub/grub.conf, I decided to compare the behavior of

• SL 6.2 live CD
• SL 5.7 live CD

I used the command: links forum.worldpuzzle.org with the following Wireshark results.

SL 6.2 live CD, default boot options, links 0.12pre5; edited and grouped for clarity:

CODE

--> 1st DNS: Standard query A forum.worldpuzzle.org --> 1st DNS: Standard query AAAA forum.worldpuzzle.org <-- 1st DNS: Standard query response, Server failure <-- 1st DNS: Standard query response, Server failure --> 1st DNS: Standard query A forum.worldpuzzle.org --> 1st DNS: Standard query AAAA forum.worldpuzzle.org <-- 1st DNS: Standard query response, No such name <-- 1st DNS: Standard query response, No such name (total time: 0.2 s)

SL 5.7 live CD, default boot options. links 0.11.1; edited and grouped for clarity:

CODE

--> 1st DNS: Standard query AAAA forum.worldpuzzle.org <-- 1st DNS: Standard query response, Server failure --> 2nd DNS: Standard query AAAA forum.worldpuzzle.org <-- 2nd DNS: Standard query response --> 1st DNS: Standard query AAAA forum.worldpuzzle.org <-- 1st DNS: Standard query response, Server failure --> 2nd DNS: Standard query AAAA forum.worldpuzzle.org <-- 2nd DNS: Standard query response --> 1st DNS: Standard query A forum.worldpuzzle.org <-- 1st DNS: Standard query response, Server failure --> 2nd DNS: Standard query A forum.worldpuzzle.org <-- 2nd DNS: Standard query response A 83.240.9.72 (total time: 0.5 s)

Any idea where the bug is? SL 6 networking (ipv6), the browser, my ISP's DNS, or where?