Re: Reverse DNS problem

North American Network Operators Group

Re: Reverse DNS problem

From: Trent Arsenault
Date: Mon Oct 06 19:12:20 2003

I've been in touch with ARIN on the same issue noticed at a different site.

According to ARIN, some older BIND resolvers aren't handling the referrals that they get back from the gtld-servers for some of ARIN's name servers. The problem started Thursday when ARIN changed the list of NS's for the ARIN in-addr.arpa zones.

ARIN is still investigating and I'm waiting to hear back.

Trent Arsenault
[email protected]

At 05:46 AM 10/6/2003, Schmiedt, Jamie wrote:

We have been experiencing problems with reverse DNS requests since Thursday 10/2/2003. Just wondering if anyone else is seeing this issue? This is affecting freeBSD & Linux hosts with Bind version 8.2.3 & 8.3.3.

Reverse Lookups fail as follows:
host0001$ nslookup
Default Server: host0001.domain123.net
Address: 0.0.0.0
> ccn.com
Server: host0001.domain123.net
Address: 0.0.0.0
Name: ccn.com
Address: 63.172.52.127
> 63.172.52.127
Server: host0001.domain123.net
Address: 0.0.0.0
*** Request to host0001.domain123.net timed-out
>

tcpdump shows this:
16:32:21.864111 123.123.123.123.1024 > 192.12.94.30.53: 6333 A? chia.ARIN.NET. (31)
16:32:21.864298 123.123.123.123.1024 > 192.12.94.30.53: 48444 A? dill.ARIN.NET. (31)
16:32:21.864597 123.123.123.123.1024 > 192.12.94.30.53: 43887 A? henna.ARIN.NET. (32)
16:32:21.864754 123.123.123.123.1024 > 192.12.94.30.53: 13510 A? indigo.ARIN.NET. (33)
16:32:21.864910 123.123.123.123.1024 > 192.12.94.30.53: 6129 A? epazote.ARIN.NET. (34)
16:32:21.865067 123.123.123.123.1024 > 192.12.94.30.53: 61408 A? figwort.ARIN.NET. (34)
16:32:21.865222 123.123.123.123.1024 > 192.12.94.30.53: 38595 A? ginseng.ARIN.NET. (34)
16:32:21.865383 123.123.123.123.1024 > 192.36.148.17.53: 60682 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:21.932444 192.12.94.30.53 > 123.123.123.123.1024: 48444- 0/7/7 (271) (DF)
16:32:21.941921 192.12.94.30.53 > 123.123.123.123.1024: 6333- 0/7/7 (271) (DF)
16:32:21.951550 192.12.94.30.53 > 123.123.123.123.1024: 43887- 0/7/7 (272) (DF)
16:32:21.961288 192.12.94.30.53 > 123.123.123.123.1024: 13510- 0/7/7 (273) (DF)
16:32:21.970903 192.12.94.30.53 > 123.123.123.123.1024: 6129- 0/7/7 (274) (DF)
16:32:21.980540 192.12.94.30.53 > 123.123.123.123.1024: 61408- 0/7/7 (274) (DF)
16:32:21.990282 192.12.94.30.53 > 123.123.123.123.1024: 38595- 0/7/7 (274) (DF)
16:32:22.016671 192.36.148.17.53 > 123.123.123.123.1024: 60682- 0/7/0 (199) (DF)
16:32:22.017854 123.123.123.123.1024 > 192.54.112.30.53: 46181 A? chia.ARIN.NET. (31)
16:32:22.017883 123.123.123.123.1024 > 192.54.112.30.53: 28356 A? dill.ARIN.NET. (31)
16:32:22.017907 123.123.123.123.1024 > 192.54.112.30.53: 29015 A? henna.ARIN.NET. (32)
16:32:22.017932 123.123.123.123.1024 > 192.54.112.30.53: 39822 A? indigo.ARIN.NET. (33)
16:32:22.017958 123.123.123.123.1024 > 192.54.112.30.53: 25113 A? epazote.ARIN.NET. (34)
16:32:22.017984 123.123.123.123.1024 > 192.54.112.30.53: 7656 A? figwort.ARIN.NET. (34)
16:32:22.018008 123.123.123.123.1024 > 192.54.112.30.53: 53035 A? ginseng.ARIN.NET. (34)
16:32:22.142472 192.54.112.30.53 > 123.123.123.123.1024: 28356- 0/7/7 (271) (DF)
16:32:22.151936 192.54.112.30.53 > 123.123.123.123.1024: 46181- 0/7/7 (271) (DF)
16:32:22.161553 192.54.112.30.53 > 123.123.123.123.1024: 39822- 0/7/7 (273) (DF)
16:32:22.171199 192.54.112.30.53 > 123.123.123.123.1024: 29015- 0/7/7 (272) (DF)
16:32:22.180924 192.54.112.30.53 > 123.123.123.123.1024: 25113- 0/7/7 (274) (DF)
16:32:22.190561 192.54.112.30.53 > 123.123.123.123.1024: 53035- 0/7/7 (274) (DF)
16:32:22.200290 192.54.112.30.53 > 123.123.123.123.1024: 7656- 0/7/7 (274) (DF)
16:32:26.868123 123.123.123.123.1024 > 192.41.162.30.53: 32457 A? chia.ARIN.NET. (31)
16:32:26.868300 123.123.123.123.1024 > 192.41.162.30.53: 65240 A? dill.ARIN.NET. (31)
16:32:26.868452 123.123.123.123.1024 > 192.41.162.30.53: 15332 A? henna.ARIN.NET. (32)
16:32:26.868602 123.123.123.123.1024 > 192.41.162.30.53: 41975 A? indigo.ARIN.NET. (33)
16:32:26.868753 123.123.123.123.1024 > 192.41.162.30.53: 21934 A? epazote.ARIN.NET. (34)
16:32:26.868905 123.123.123.123.1024 > 192.41.162.30.53: 56761 A? figwort.ARIN.NET. (34)
16:32:26.869057 123.123.123.123.1024 > 192.41.162.30.53: 52488 A? ginseng.ARIN.NET. (34)
16:32:26.869208 123.123.123.123.1024 > 198.41.0.4.53: 64459 PTR? 127.52.172.63.in-addr.arpa. (46)
16:32:26.923374 192.41.162.30.53 > 123.123.123.123.1024: 32457- 0/7/7 (271) (DF)
16:32:26.930326 198.41.0.4.53 > 123.123.123.123.1024: 64459- 0/7/0 (199)
16:32:26.931103 123.123.123.123.1024 > 192.52.178.30.53: 45170 A? chia.ARIN.NET. (31)
16:32:26.939982 192.41.162.30.53 > 123.123.123.123.1024: 15332- 0/7/7 (272) (DF)
16:32:26.949578 192.41.162.30.53 > 123.123.123.123.1024: 65240- 0/7/7 (271) (DF)
16:32:26.959220 192.41.162.30.53 > 123.123.123.123.1024: 41975- 0/7/7 (273) (DF)
16:32:26.968842 192.41.162.30.53 > 123.123.123.123.1024: 21934- 0/7/7 (274) (DF)
16:32:26.978581 192.41.162.30.53 > 123.123.123.123.1024: 56761- 0/7/7 (274) (DF)
16:32:26.988220 192.41.162.30.53 > 123.123.123.123.1024: 52488- 0/7/7 (274) (DF)
16:32:27.058851 192.52.178.30.53 > 123.123.123.123.1024: 45170- 0/7/7 (271) (DF)

We can temporarily resolve the problem by issuing the following dig command:

dig @<any ARIN in-addr.arpa server; ginseng, fogwort, etc.> -x <any sequence>
example: host0001# dig @ginseng.arin.net -x abc

Then the reverse lookups being to work and the tcpdump is as follows: (notice the difference in lines 8,9,10,11)
16:33:01.664320 123.123.123.123.1024 > 192.35.51.32.53: 33751 A? chia.ARIN.NET. (31)
16:33:01.664460 123.123.123.123.1024 > 192.35.51.32.53: 11278 A? dill.ARIN.NET. (31)
16:33:01.664573 123.123.123.123.1024 > 192.35.51.32.53: 55449 A? henna.ARIN.NET. (32)
16:33:01.664684 123.123.123.123.1024 > 192.35.51.32.53: 49768 A? indigo.ARIN.NET. (33)
16:33:01.664797 123.123.123.123.1024 > 192.35.51.32.53: 18859 A? epazote.ARIN.NET. (34)
16:33:01.664909 123.123.123.123.1024 > 192.35.51.32.53: 40146 A? figwort.ARIN.NET. (34)
16:33:01.665002 123.123.123.123.1024 > 192.33.14.32.53: 62349 PTR? 127.52.172.63.in-addr.arpa. (46)
16:33:01.725238 192.35.51.32.53 > 123.123.123.123.1024: 33751*- 1/8/8 A 192.5.6.32 (320) (DF)
16:33:01.736288 192.35.51.32.53 > 123.123.123.123.1024: 11278*- 1/8/8 A 192.35.51.32 (320) (DF)
16:33:01.747452 192.35.51.32.53 > 123.123.123.123.1024: 55449*- 1/8/8 A 192.26.92.32 (321) (DF)
16:33:01.758663 192.35.51.32.53 > 123.123.123.123.1024: 49768*- 1/8/8 A 192.31.80.32 (322) (DF)
16:33:01.765379 192.33.14.32.53 > 123.123.123.123.1024: 62349- 0/3/0 (134) (DF)
16:33:01.765834 123.123.123.123.1024 > 199.191.128.105.53: 19916 PTR? 127.52.172.63.in-addr.arpa. (46)
16:33:01.776697 192.35.51.32.53 > 123.123.123.123.1024: 18859*- 1/8/8 A 192.41.162.32 (323) (DF)
16:33:01.787806 192.35.51.32.53 > 123.123.123.123.1024: 40146*- 1/8/8 A 192.42.93.32 (323) (DF)
16:33:01.794121 199.191.128.105.53 > 123.123.123.123.1024: 19916*- 1/2/2 (171) (DF)

Restarting named does not help.
These host are located on several different ISP networks.
Forward lookups function properly.

Stumped...

Any help or suggestions would be greatly appreciated. Thanks.

-jamie

References:
- Reverse DNS problem Schmiedt, Jamie

Prev by Date: Re: CCO/cisco.com issues.
Next by Date: Re[2]: CCO/cisco.com issues.
Date Index
Thread Index
Author Index
Historical