#1
dnscache

I have a weird problem, though I suspect the solution for it is quite simple.

I have set up dnscache along with the supporting tools according to the dnscache webpage. Everything seemed to go fine. This is on a FreeBSD 4.9 box. The last step says to test it with a:

    dnsip www.cnn.com

This works. So I try another:

    dnsip www.cs.utk.edu

This does not. With this error:

    dnsip: fatal: unable to find IP address for www.cs.utk.edu: temporary failure

Now here is the weird part. If I go to my win2000 on the same network (the win2000 is using my ISP's nameserver), it resolves. Then if I go back to my FreeBSD box and try

    dnsip ww.cs.utk.edu

it works!?!

My FreeBSD box is a brand-new install. I am confused. Ask questions about my setup if needed. Thanks for any help.

Bill

#2
>> I have a weird problem

"temporary failure" is not a problem.

>> I suspect the solution for it quite simple

Yes, just do nothing is simple enough.

#3
>> Yes, just do nothing is simple enough.

Oh well, I'm pretty good at doing that. :-) Why would doing nothing help me in this case? I have read your past posts and you clearly know more about this than I, but I wanted to understand your thinking.

#4
1) Because you did say
Quote:
2) Network latency
3) "temporary failure" says it's only temporary
4) DNS querying involves both ends
5) Over 90% of DNS servers on earth are misconfigured in some ways. Especially the ones that use CNAME all the time
6) You also queried cnn.com without a failure

#5
But it only worked because I pinged ww.cs.utk.edu on my win2000 box. This has happened many times with different addresses.

I guess the FreeBSD box was picking up the request on the network and adding it to its cache. Also, there is a large number of web sites that it can't resolve. Thanks.

#6
>> there is a large number of web sites that it can't resolve

Then you need to give us far more details on the setup:
1) firewall if any? show us the relevant rulesets
2) the content of /etc/hosts and /etc/resolv.conf
   note: dnscache never reads /etc/hosts
3) you're sure BIND is not running?
4) the entire setup and configuration of your dnscache (including how it starts up)
5) how did you install dnscache? Any patches?
6) what other package of djbdns is running?
7) check your dnscache log for a failure query and post the relevant lines here

#7
<derail>
Hey freebsd, welcome back. Good to see you around again.
</derail>
#8
answers to your question

>> Then you need to give us far more details on the setup:

I would be happy to. Thanks a lot for your help.

1) firewall if any? show us the relevant rulesets

I am behind a NAT box. I have also put this machine in the DMZ zone to bypass any firewall rules. The log files are from when the machine was in the DMZ.

2) the content of /etc/hosts and /etc/resolv.conf

    cat /etc/hosts
    ::1 localhost
    127.0.0.1 localhost
    192.168.0.41 spruce

    cat /etc/resolv.conf
    nameserver 127.0.0.1
    nameserver 192.168.0.41

note: dnscache never reads /etc/hosts

3) you're sure BIND is not running?

It was a brand new standard BSD install; the only thing I have installed has been the djb tools, including daemontools and ucspi-tcp, according to his website: http://cr.yp.to/djbdns/install.html
No instance of named running that I can find.

4) the entire setup and configuration of your dnscache (including how it starts up)

    spruce# pwd
    /etc/dnscache
    spruce# cat run
    #!/bin/sh
    exec 2>&1
    exec <seed
    exec envdir ./env sh -c '
      exec envuidgid Gdnscache softlimit -o250 -d "$DATALIMIT" /usr/local/bin/dnscache
    '

Just the standard install.

5) how did you install dnscache? Any patches?

I did NOT use ports. Downloaded everything off his website. Followed his instructions.

6) what other package of djbdns is running?

I am not using tinydns or afxdns(sp?) if that is what you are asking.

7) check your dnscache log for a failure query and post the relevant lines here

OK, here's the yahoo one that works:

    @400000003fcea8761d002be4 query 3 7f000001:f4e8:1cec 1 www.yahoo.com.
    @400000003fcea8761d05ec8c tx 0 1 www.yahoo.com. . 803f0235 8009006b c0702404 c629000a c021040c c00505f1 c6290004 c0cbe60a c0249411 80080a5a c620400c ca0c1b21 c1000e81
    @400000003fcea8761f5b1b74 rr 803f0235 1266 cname www.yahoo.com. www.yahoo.akadns.net.
    @400000003fcea8761f5e152c cached 1 www.yahoo.akadns.net.

Now www.hardees.com fails. Here's the log file:

    @400000003fceaab81d5ea37c query 15 7f000001:ffcb:cff7 1 www.hardees.com.
    @400000003fceaab81d643544 cached ns com. l.gtld-servers.net.
    @400000003fceaab81d665054 cached ns com. m.gtld-servers.net.
    .
    .
    @400000003fceaab81d9dcf5c cached 1 j.gtld-servers.net.
    @400000003fceaab81da0770c cached 1 k.gtld-servers.net.
    @400000003fceaab81da3b714 tx 0 1 www.hardees.com. com. c00c5e1e c037531e c023331e c0304f1e c034b21e c01f501e c02bac1e c029a21e c005061e c01a5c1e c036701e c02a5d1e c0210e1e
    @400000003fceaab8232eeb7c lame c00c5e1e com. com.
    @400000003fceaab82332102c tx 0 1 www.hardees.com. com. c029a21e c02bac1e c01a5c1e c034b21e c036701e c005061e c01f501e c0210e1e c037531e c023331e c02a5d1e c0304f1e
    @400000003fceaab82b332694 rr c029a21e 144371 1 ns.ckr.com. 3fa86d02
    @400000003fceaab82b361494 rr c029a21e 144371 1 ns2.ckr.com. 3fa86d02
    @400000003fceaab82b38db84 rr c029a21e 171437 ns hardees.com. ns.ckr.com.
    @400000003fceaab82b3b11ec rr c029a21e 171437 ns hardees.com. ns2.ckr.com.
    @400000003fceaab82b3d5024 stats 15 3300 1 0
    @400000003fceaab82b4045f4 cached 1 ns.ckr.com.
    @400000003fceaab82b42de04 cached 1 ns2.ckr.com.
    @400000003fceaab82b462dac tx 0 1 www.hardees.com. hardees.com. 3fa86d02 3fa86d02
    @400000003fceaab82fc87d94 lame 3fa86d02 hardees.com. com.
    @400000003fceaab82fcb15a4 tx 0 1 www.hardees.com. hardees.com. 3fa86d02
    @400000003fceaab831a75b6c lame 3fa86d02 hardees.com. hardees.com.
    @400000003fceaab831b209cc sent 15 33
    @400000003fceaabb3309ecf4 query 16 7f000001:41ee:1e5a 1 www.hardees.com.
    @400000003fceaabb330df81c cached ns hardees.com. ns.ckr.com.
    @400000003fceaabb3310132c cached ns hardees.com. ns2.ckr.com.
    @400000003fceaabb33129b9c cached 1 ns.ckr.com.
    @400000003fceaabb331533ac cached 1 ns2.ckr.com.
    @400000003fceaabb3318873c tx 0 1 www.hardees.com. hardees.com. 3fa86d02 3fa86d02
    @400000003fceaabb357bd754 lame 3fa86d02 hardees.com. com.
    @400000003fceaabb357e928c tx 0 1 www.hardees.com. hardees.com. 3fa86d02
    @400000003fceaabb37d167e4 lame 3fa86d02 hardees.com. hardees.com.
    @400000003fceaabb37d626bc sent 16 33
    @400000003fceaad136a5ebec query 17 7f000001:dae2:bb04 1 www.hardees.com.

    dnsip: fatal: unable to find IP address for www.hardees.com: timed out

Thanks a lot for looking at this. BTW, what country are you from?

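Added example (not part of the original thread, and not djbdns code): a small Python decoder for the dnscache log lines posted in #8. It turns the hex-encoded addresses and TAI64N timestamps into readable values and lists which servers were logged as lame. The per-event field names are my reading of the log format and should be treated as assumptions.

```python
import ipaddress
from collections import defaultdict

# Lines copied from the www.hardees.com log posted in #8 (not new data).
SAMPLE_LOG = """\
@400000003fceaab81d5ea37c query 15 7f000001:ffcb:cff7 1 www.hardees.com.
@400000003fceaab8232eeb7c lame c00c5e1e com. com.
@400000003fceaab82b462dac tx 0 1 www.hardees.com. hardees.com. 3fa86d02 3fa86d02
@400000003fceaab82fc87d94 lame 3fa86d02 hardees.com. com.
@400000003fceaab831a75b6c lame 3fa86d02 hardees.com. hardees.com.
@400000003fceaab831b209cc sent 15 33
"""

TAI_OFFSET = (1 << 62) + 10  # libtai labels are 2**62 + 10 + Unix seconds

def hex_ip(word):
    """dnscache logs IPv4 addresses as 8 hex digits, e.g. 7f000001."""
    return str(ipaddress.IPv4Address(int(word, 16)))

def unix_time(stamp):
    """Unix seconds from a TAI64N label: '@', 16 hex digits of seconds, 8 of ns."""
    return int(stamp[1:17], 16) - TAI_OFFSET

def parse_line(line):
    """Decode the event types seen in this thread (field names are assumptions)."""
    stamp, event, *f = line.split()
    rec = {"time": unix_time(stamp), "event": event}
    if event == "query":    # serial client:port:id qtype name
        ip, port, _qid = f[1].split(":")
        rec.update(serial=int(f[0]), client=hex_ip(ip), port=int(port, 16), name=f[3])
    elif event == "tx":     # gluelessness qtype name control-zone server...
        rec.update(name=f[2], control=f[3], servers=[hex_ip(s) for s in f[4:]])
    elif event == "lame":   # server control-zone referral-zone
        rec.update(server=hex_ip(f[0]), control=f[1], referral=f[2])
    elif event == "sent":   # serial response-length-in-bytes
        rec.update(serial=int(f[0]), length=int(f[1]))
    else:                   # rr, cached, stats, ...: keep the raw fields
        rec["fields"] = f
    return rec

def lame_report(log_text):
    """Map each server dnscache marked lame to the zones it was asked about."""
    report = defaultdict(set)
    for line in (l for l in log_text.splitlines() if l.startswith("@")):
        rec = parse_line(line)
        if rec["event"] == "lame":
            report[rec["server"]].add(rec["control"])
    return {ip: sorted(zones) for ip, zones in report.items()}
```

In the posted log, ns.ckr.com and ns2.ckr.com both carry the address 3fa86d02 (63.168.109.2), and that is the address logged as lame before each 33-byte reply.
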
#9
2) Why 127.0.0.1 and 192.168.0.41 in resolv.conf? You only need one and they can't coexist.
4) Can you show us the file and its content in your /etc/dnscache/env dir?
7) When you experience that dnsip error again, please try to use dnsq and dnsqr immediately

>> btw what country are you from?

Northern California

>> Good to see you around again

#10
>2) Why 127.0.0.1 and 192.168.0.41 in resolv.conf? You only need one and they can't coexist.

I tried both ways. Same behavior. Currently I have just 127.0.0.1

>>4) Can you show us the file and its content in your /etc/dnscache/env dir?

    %cat CACHESIZE
    1000000
    %cat DATALIMIT
    3000000
    %cat IP
    127.0.0.1
    %cat IPSEND
    0.0.0.0
    %cat ROOT
    /etc/dnscache/root

>>7) When you experience that dnsip error again, please try to use dnsq and dnsqr immediately

    %dnsip www.verizon.com
    dnsip: fatal: unable to find IP address for www.verizon.com: temporary failure
    %dnsqr cname www.verizon.com
    5 www.verizon.com:
    76 bytes, 1+1+0+0 records, response, noerror
    query: 5 www.verizon.com
    answer: www.verizon.com 300 CNAME www.verizon.com.edgesuite.net
    %dnsq cname www.verizon.com 127.0.0.1
    5 www.verizon.com:
    timed out

I did another dnsip www.verizon.com with the same previous error. Again, my thanks for looking at this.

>>Northern California

But in a previous flame war you had about BIND-dnscache I thought you said you were from another country.

#11
4) I forgot to ask for the content in /etc/dnscache/root

The @ file within /etc/dnscache/root/servers is outdated. You need to change yours to:

Code:
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
198.32.64.12
202.12.27.33

In /etc/dnscache/root/ip you should have a 0 byte file named "127.0.0.1", no others. After the modification run the following or equivalent:

Code:
/usr/local/bin/svc -d /service/dnscache /service/dnscache/log
/usr/local/bin/svc -u /service/dnscache /service/dnscache/log

If you don't see improvement after doing all that, you can try forward-only and see what happens.
1) echo 1 > /etc/dnscache/env/FORWARDONLY
2) Say 64.81.79.2 is the caching nameserver provided by your ISP: echo 64.81.79.2 > /etc/dnscache/root/servers/@
3) restart dnscache using svc as shown above

>> %dnsqr cname www.verizon.com

You need to get the IP address of www.verizon.com, so you should use "dnsqr a www.verizon.com" instead. Or if you are unsure, you can replace a with any

Update: When using forward-only, your /etc/resolv.conf remains unchanged (nameserver 127.0.0.1).

Last edited by freebsd : December 4th, 2003 at 09:02 PM.

#12
The servers listed in @ were fine.

I only had 127.0.0.1 in /etc/dnscache/root/ip. Restarted as you specified. Same problem. Then followed the forward-only instructions; restarted, same problems. That was last night. It does seem to be working now though (in the morning), not sure why.

One question: how do I test to make sure the answer is authoritative and not cached?

#13
Quote:

If you didn't get that error consistently then it could possibly be a network problem/setup or firewall other than DNS. I suggested a try on forward-only to isolate the problem but apparently it didn't help. Have you tried using your ISP nameservers at all? I was thinking that it could be a broken DNS library or a bad build of djbdns itself.

About your other question, use dnsq

#14
    %dnsq a www.verizon.com 127.0.0.1
    1 www.verizon.com:
    timed out
    %dnsqr a www.verizon.com
    1 www.verizon.com:
    137 bytes, 1+4+0+0 records, response, noerror
    query: 1 www.verizon.com
    answer: www.verizon.com 297 CNAME www.verizon.com.edgesuite.net
    answer: www.verizon.com.edgesuite.net 18799 CNAME a1280.g.akamai.net
    answer: a1280.g.akamai.net 17 A 207.126.99.36
    answer: a1280.g.akamai.net 17 A 207.126.99.29

This is with @ being just my ISP DNS server and FORWARDONLY set. My latest data.

When I put my ISP DNS server in resolv.conf everything works as expected. I may try to rebuild dnscache or do a new install of FreeBSD (I need the practice). I followed djb's instructions previously; are there better instructions out there? Should I install via ports? Thanks.

#15
Quote:

No, you don't ask 127.0.0.1, you ask one of its authoritative nameservers for it. BTW, verizon.com or any other that uses akamai.net was a bad choice for testing purposes. devshed.com for instance:

Code:
$dnsq any devshed.com ns9.us.siteprotect.com
255 devshed.com:
238 bytes, 1+5+0+3 records, response, authoritative, noerror
query: 255 devshed.com
answer: devshed.com 28800 SOA ns8.us.siteprotect.com.devshed.com hostmaster.siteprotect.com 2003120210 28800 7200 604800 28800
answer: devshed.com 28800 NS ns8.us.siteprotect.com
answer: devshed.com 28800 NS ns9.us.siteprotect.com
answer: devshed.com 28800 A 64.41.73.217
answer: devshed.com 28800 MX 10 server4.devshed.com
additional: ns8.us.siteprotect.com 28800 A 64.41.72.9
additional: ns9.us.siteprotect.com 28800 A 66.113.136.9
additional: server4.devshed.com 28800 A 64.41.72.162

I don't know which guide is better; you can try http://www.lifewithdjbdns.org/. About installing via ports, that'd be better because it includes several essential patches. Can you look up that port version in your ports tree?

Last edited by freebsd : December 5th, 2003 at 12:25 PM.