Bug in NSLOOKUP ??

MattG

I am having problems querying the djbdns servers that are hosting secondary
zones of my Windows Server 2003 (non-AD int) hosted primary zone(s).

nslookup fails to return a cname record unless the debug option has been
set:

Without debug:
server ns0.gradwell.com
Default Server: ns0.gradwell.com
Address: 193.111.200.7
Server: ns0.gradwell.com
Address: 193.111.200.7

DNS request timed out.
timeout was 2 seconds.
Name: www.grovesfamily.co.uk
Served by:
- ns0.gradwell.com
193.111.200.7
grovesfamily.co.uk
- ns1.gradwell.net
212.87.85.113
grovesfamily.co.uk
- ns2.gradwell.net
216.218.195.243
grovesfamily.co.uk
- dns01.groves-itc.com

grovesfamily.co.uk


With debug:
Server: ns0.gradwell.com
Address: 193.111.200.7

DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 1, authority records = 4, additional = 3

QUESTIONS:
www.grovesfamily.co.uk, type = A, class = IN
ANSWERS:
-> www.grovesfamily.co.uk
canonical name = host01.grovesfamily.co.uk
ttl = 3600 (1 hour)
AUTHORITY RECORDS:
-> grovesfamily.co.uk
nameserver = ns0.gradwell.com
ttl = 3600 (1 hour)
-> grovesfamily.co.uk
nameserver = ns1.gradwell.net
ttl = 3600 (1 hour)
-> grovesfamily.co.uk
nameserver = ns2.gradwell.net
ttl = 3600 (1 hour)
-> grovesfamily.co.uk
nameserver = dns01.groves-itc.com
ttl = 3600 (1 hour)
ADDITIONAL RECORDS:
-> ns0.gradwell.com
internet address = 193.111.200.7
ttl = 86400 (1 day)
-> ns1.gradwell.net
internet address = 212.87.85.113
ttl = 86400 (1 day)
-> ns2.gradwell.net
internet address = 216.218.195.243
ttl = 86400 (1 day)

------------
Name: www.grovesfamily.co.uk
Served by:
- ns0.gradwell.com
193.111.200.7
grovesfamily.co.uk
- ns1.gradwell.net
212.87.85.113
grovesfamily.co.uk
- ns2.gradwell.net
216.218.195.243
grovesfamily.co.uk
- dns01.groves-itc.com

grovesfamily.co.uk



Using Will Stacey's NetDig shows the record being returned:

C:\Program Files\Windows Resource Kits\Tools>netdig -i
Default Server: said:
server ns0.gradwell.com
www.grovesfamily.co.uk

opcode: Query, status: NOERROR, id: 23
flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

QUESTION SECTION:
www.grovesfamily.co.uk. IN A

ANSWER SECTION:
www.grovesfamily.co.uk. 3600 IN CNAME host01.grovesfamily.co.uk.

AUTHORITY SECTION:
grovesfamily.co.uk. 3600 IN NS ns0.gradwell.com.
grovesfamily.co.uk. 3600 IN NS ns1.gradwell.net.
grovesfamily.co.uk. 3600 IN NS ns2.gradwell.net.
grovesfamily.co.uk. 3600 IN NS dns01.groves-itc.com.

ADDITIONAL SECTION:
ns0.gradwell.com. 86400 IN A 193.111.200.7
ns1.gradwell.net. 86400 IN A 212.87.85.113
ns2.gradwell.net. 86400 IN A 216.218.195.243

Query time: 125 ms
Server : 193.111.200.7:53 udp (193.111.200.7)
When : 14/10/2005 12:37:33
Size rcvd : 218


I am told by my penguin loving friends that querying under various flavours
of Linux works fine.

Until I used nslookup with debug set, and NetDig, I was giving the support
dept of the host a really hard time over CNAMEs not resolving.




--


MattG
MCP (Windows XP)
MCP (Windows Server 2003)
 
Ron Lowe

<thinking aloud and not too clearly at that>

Is this a problem with recursion?
i.e. Gradwell's server is being asked for a recursive lookup but it's not
permitting it, whereas my local DNS is happy to recurse around until it
finds the answer?

The initial query returns only the answer:
ANSWER SECTION:
www.grovesfamily.co.uk. 3600 IN CNAME host01.grovesfamily.co.uk.

Perhaps NSLOOKUP was looking for an A-record also?

Perhaps when I looked up against my local 2003 server, it was a bit more
helpful, and did some recursion till it got the A-record too?

We'd really need to use ethereal to see.
 
Ron Lowe

Hmm, I did a couple of tests from an XP client with these results:
First, nslookup your name against my own 2003 server...

C:\Documents and Settings\Ron.HOMENET>nslookup
Default Server: homenetdc02.homenet.local
Address: 81.187.191.78
Server: homenetdc02.homenet.local
Address: 81.187.191.78

Non-authoritative answer:
Name: host01.grovesfamily.co.uk
Address: 62.49.59.245
Aliases: www.grovesfamily.co.uk

So my local 2003 DNS server does the recursive lookup,
reports the CNAME correctly, and nslookup reports it correctly.

Now, if I do the same lookup against Peter's servers, I get the same as you:
server ns0.gradwell.com
Default Server: ns0.gradwell.com
Address: 193.111.200.7
Server: ns0.gradwell.com
Address: 193.111.200.7

DNS request timed out.
timeout was 2 seconds.
Name: www.grovesfamily.co.uk
Served by:
- ns0.gradwell.com
193.111.200.7
grovesfamily.co.uk
- ns1.gradwell.net
212.87.85.113
grovesfamily.co.uk
- ns2.gradwell.net
216.218.195.243
grovesfamily.co.uk
- dns01.groves-itc.com

grovesfamily.co.uk

So is it the case that NSLOOKUP can't correctly handle the CNAME response
from an authoritative server, but can from a recursive resolver? So I try
creating a CNAME record on my local DNS server, and look up that...

I have an 'A' record for my hardware firewall, called
'firebrick.homenet.local'.
I added a CNAME of 'firewall' to point to the same thing.
Then I tried to NSLOOKUP the alias:

C:\Documents and Settings\Ron.HOMENET>nslookup
Default Server: homenetdc02.homenet.local
Address: 81.187.191.78
Server: homenetdc02.homenet.local
Address: 81.187.191.78

Name: firebrick.homenet.local
Address: 217.169.0.1
Aliases: firewall.homenet.local

This works just fine.

There must be something in the way Peter's servers are responding which
NSLOOKUP does not like. I can't see what the actual incompatibility is,
though. Whatever it is, it does not stop the name resolving for actual
clients, so it's less of an issue than it might appear.

I'm going to poke a bit more with ethereal, and see what I can see.
 
MattG

There must be something in the way Peter's servers are responding which
NSLOOKUP does not like. I can't see what the actual incompatibility is,
though. Whatever it is, it does not stop the name resolving for actual
clients, so it's less of an issue than it might appear.

I'm going to poke a bit more with ethereal, and see what I can see.

Ron,

I too have been capturing the packets!

[background info: I have DNS on my 2 DCs running the AD zone, std primaries
(e.g. grovesfamily.co.uk), stub (for delegated AD child) and caching internet
lookups, the server hosting the public facing zones (e.g. grovesfamily.co.uk)
is separate as the records need to be different from the ones in the
'private' zones as I can't get to my public IP from inside the firewall and
I'm not keen on exposing my DCs to queries from the internet!]

Comparing the data (captured with Netmon 2.1) my local DNS servers give more
information in the answer section, 2 resource records, the second one being
the A.
Querying the Windows box that hosts the zone also gives me the A response
after the CNAME, and I have disabled recursion on this server!

I would guess the responses from the gradwell servers aren't going to be
problematic as the DNS client would just have to perform a second lookup on
the answer it gets from the first query. Not too dissimilar from the case of
not having glue...

It's just odd that nslookup doesn't display a cname answer unless it gets
the A as well (as it appears to be doing)...


m@
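
The difference described in the last post (a reply whose answer section holds only the CNAME, versus one that also carries the A record for the target) can be checked directly on the wire format. This is an added example, not part of the original thread: the function names are hypothetical, and both sample replies are constructed from the names, header flags and address shown above rather than taken from the captures.

```python
import struct
def encode_name(name):  # dotted name -> uncompressed DNS labels
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def read_name(msg, off):  # -> (lower-cased name, offset just past it)
    labels, end = [], None
    for _ in range(128):                      # bound guards against pointer loops
        n = msg[off]
        if n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode().lower())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def answers(msg):  # -> [(owner, rtype, rdata)] from the answer section only
    (qd, an), off, out = struct.unpack("!HH", msg[4:8]), 12, []
    for _ in range(qd):                       # skip the question entries
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        rd = msg[off + 10:off + 10 + rdlen]
        rdata = read_name(msg, off + 10)[0] if rtype == 5 else ".".join(map(str, rd))
        out.append((owner, rtype, rdata))
        off += 10 + rdlen
    return out

def classify(msg, qname):  # chase CNAMEs using the answer section alone
    rrs, name = answers(msg), qname.lower()
    for _ in range(len(rrs) + 1):             # bounded, so a CNAME loop cannot spin
        hit = {t: r for o, t, r in rrs if o == name}
        if 1 in hit:                          # type 1 = A: the chain is resolved
            return ("complete", name, hit[1])
        name = hit.get(5, name)               # type 5 = CNAME: follow the alias
    return ("cname-only" if name != qname.lower() else "no-data", name, None)

def build(qname, rrs):  # constructed reply: id 5, flags qr aa rd (0x8500), one A question
    msg = struct.pack("!6H", 5, 0x8500, 1, len(rrs), 0, 0) + encode_name(qname) + b"\0\1\0\1"
    for owner, rtype, value in rrs:
        rd = encode_name(value) if rtype == 5 else bytes(map(int, value.split(".")))
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rd)) + rd
    return msg

Q, H = "www.grovesfamily.co.uk", "host01.grovesfamily.co.uk"   # names from the thread
CNAME_ONLY = build(Q, [(Q, 5, H)])                              # CNAME alone in the answer
CNAME_AND_A = build(Q, [(Q, 5, H), (H, 1, "62.49.59.245")])     # CNAME followed by the A
```

`classify(CNAME_ONLY, Q)` reports `cname-only`, meaning a client has to issue a second query for the target name, while `classify(CNAME_AND_A, Q)` reports `complete` with the address.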
 
