DNS only resolving external domains 50% of the time.

martinb
Level 1
Posts: 2
Joined: Mon Aug 08, 2016 11:11 am

DNS only resolving external domains 50% of the time.

Post by martinb »

Hi

I run a local internal DNS in order to resolve internal hostnames. The DNS is also configured with the following forwarders for non-local (internet) name resolution:

named.conf.options:


options {
        directory "/var/cache/bind";

        // Added zone forwarders (google)

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        // Turn off dnssec validation.  change from auto to no:

        dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
        // listen-on-v6 { any; };
        listen-on-v6 { none; };
};
As also shown above, I have disabled IPv6 and started named using option -4:


bind     15762     1  0 14:53 ?        00:00:01 /usr/sbin/named -4 -u bind
But I keep seeing the following errors in my syslog:


Aug  8 14:54:36 astro named[15762]: error (connection refused) resolving 'www.seatme.yelp.com/A/IN': 192.43.172.30#53
Aug  8 14:54:37 astro named[15762]: success resolving 'www.yelp.de.cdn.cloudflare.net/A' (in 'net'?) after disabling EDNS
Aug  8 14:54:37 astro named[15762]: error (connection refused) resolving 'zh.yelp.com.hk/A/IN': 192.5.5.241#53
Aug  8 14:54:38 astro named[15762]: error (connection refused) resolving 'ms.yelp.my/A/IN': 192.203.230.10#53
Aug  8 14:54:39 astro named[15762]: error (connection refused) resolving 'ms.yelp.my/A/IN': 198.97.190.53#53
Aug  8 14:54:40 astro named[15762]: error (connection refused) resolving 'www.seatme.yelp.com/A/IN': 192.35.51.30#53
Aug  8 14:54:42 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.33.14.30#53
Aug  8 14:54:42 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.12.94.30#53
Aug  8 14:54:43 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.48.79.30#53
Aug  8 14:54:44 astro named[15762]: error (connection refused) resolving 'www.yelp.ca/A/IN': 8.8.8.8#53
Aug  8 14:54:46 astro named[15762]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
NOTE: These can be for any domain, not just 'yelp.com'. But when using nslookup, both locally on the DNS server and remotely on a client, the name is resolved and I don't see the errors:


nslookup:
> redhat.com
Server:		192.168.0.3
Address:	192.168.0.3#53

Non-authoritative answer:
Name:	redhat.com
Address: 209.132.183.105
> oracle.com
Server:		192.168.0.3
Address:	192.168.0.3#53

Non-authoritative answer:
Name:	oracle.com
Address: 137.254.120.50
> google.com
Server:		192.168.0.3
Address:	192.168.0.3#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.198.174
The problem is only present when I use say a web browser. Then periodically (~50% of the time) external domain names will not resolve and I see the aforementioned errors in the syslog.

Internal name resolution from the local zones is working fine. I have tried using different DNS forwarders, downloaded an up-to-date db.root, and cleaned, reloaded and restarted bind, but the problem is still present. Note, I am not using dnsmasq:


/etc/NetworkManager.conf:
[main]
plugins=ifupdown,keyfile,ofono
# dns=dnsmasq

no-auto-default=00:01:C0:16:FB:DB,

[ifupdown]
managed=false
Please could someone help shed some light on this issue. I'm running:
bind9 ( 1:9.9.5.dfsg-3ubuntu0.8 )
Linux Mint 17.1 (rebecca)
Linux astro 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Regards,
Martin.
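A small triage script for the syslog lines quoted above, added here as an example and not part of the original post. It parses named's "error (connection refused) resolving" and "success resolving ... after ..." messages, counts refusals per upstream server, separates refusals from the configured forwarders (8.8.8.8 / 8.8.4.4, taken from the poster's named.conf.options) from refusals by other servers, and records the EDNS fallbacks. The sample input is the eleven log lines from the post, embedded verbatim; the verdict labels ("udp-path", "forwarder", "upstream", "clean") are this example's own naming.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the post, copied verbatim.
SAMPLE_LOG = """\
Aug  8 14:54:36 astro named[15762]: error (connection refused) resolving 'www.seatme.yelp.com/A/IN': 192.43.172.30#53
Aug  8 14:54:37 astro named[15762]: success resolving 'www.yelp.de.cdn.cloudflare.net/A' (in 'net'?) after disabling EDNS
Aug  8 14:54:37 astro named[15762]: error (connection refused) resolving 'zh.yelp.com.hk/A/IN': 192.5.5.241#53
Aug  8 14:54:38 astro named[15762]: error (connection refused) resolving 'ms.yelp.my/A/IN': 192.203.230.10#53
Aug  8 14:54:39 astro named[15762]: error (connection refused) resolving 'ms.yelp.my/A/IN': 198.97.190.53#53
Aug  8 14:54:40 astro named[15762]: error (connection refused) resolving 'www.seatme.yelp.com/A/IN': 192.35.51.30#53
Aug  8 14:54:42 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.33.14.30#53
Aug  8 14:54:42 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.12.94.30#53
Aug  8 14:54:43 astro named[15762]: error (connection refused) resolving 'www.yelp-support.com/A/IN': 192.48.79.30#53
Aug  8 14:54:44 astro named[15762]: error (connection refused) resolving 'www.yelp.ca/A/IN': 8.8.8.8#53
Aug  8 14:54:46 astro named[15762]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""

# The forwarders from the poster's named.conf.options.
FORWARDERS = {"8.8.8.8", "8.8.4.4"}

ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<query>[^']+)': (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)
FALLBACK_RE = re.compile(
    r"named\[\d+\]: success resolving '(?P<query>[^']+)'"
    r"(?: \(in '[^']*'\?\))? after (?P<fallback>.+)$"
)


def parse_line(line):
    """Return a dict for an error or EDNS-fallback message, else None."""
    m = ERROR_RE.search(line)
    if m:
        return {"kind": "error", **m.groupdict()}
    m = FALLBACK_RE.search(line)
    if m:
        return {"kind": "fallback", **m.groupdict()}
    return None


def triage(log_text, forwarders=FORWARDERS):
    """Summarise refusals per server and the EDNS fallbacks named reported."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # On a UDP socket "connection refused" is what the kernel reports when an
    # ICMP port-unreachable comes back; many unrelated servers "refusing" at
    # once usually means a device in the path is answering, not the servers.
    refused = Counter(e["server"] for e in events
                      if e["kind"] == "error" and e["reason"] == "connection refused")
    fallbacks = Counter(e["fallback"] for e in events if e["kind"] == "fallback")
    fwd = sum(n for s, n in refused.items() if s in forwarders)
    return {
        "errors": sum(1 for e in events if e["kind"] == "error"),
        "refused_by_server": refused,
        "forwarder_refusals": fwd,
        "upstream_refusals": sum(refused.values()) - fwd,
        "edns_fallbacks": fallbacks,
    }


def verdict(summary):
    """Turn the counts into the next thing to check (labels are this example's own)."""
    distinct = len(summary["refused_by_server"])
    if summary["edns_fallbacks"] and distinct >= 3:
        # Shrinking EDNS helps and refusals span many servers: suspect the UDP
        # path (firewall, NAT, rate limiting) rather than any one nameserver.
        return "udp-path"
    if summary["forwarder_refusals"] and not summary["upstream_refusals"]:
        return "forwarder"
    if summary["errors"]:
        return "upstream"
    return "clean"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for server, n in s["refused_by_server"].most_common():
        print(f"{server:>16}  refused {n}x{'  (forwarder)' if server in FORWARDERS else ''}")
    print("EDNS fallbacks:", dict(s["edns_fallbacks"]))
    print("verdict:", verdict(s))
```

Run it against the quoted lines and the refusals are spread one each over nine different addresses, only one of them a configured forwarder; the rest are root and TLD servers, which named contacts because the default `forward first;` falls back to iterative resolution from the root hints whenever the forwarders do not answer. A `forward only;` line in the options block keeps the resolver on the forwarders alone, which is worth knowing when the upstream path is being rate-limited.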
Elizine
Level 1
Posts: 29
Joined: Wed Feb 10, 2016 11:29 pm

Re: DNS only resolving external domains 50% of the time.

Post by Elizine »

It might be that the hardware firewall has a user limit. If you add more devices the issue might get worse; I wound up doing many nslookups and finally started looking at the firewall.
martinb
Level 1
Posts: 2
Joined: Mon Aug 08, 2016 11:11 am

Re: DNS only resolving external domains 50% of the time.

Post by martinb »

Hi Elizine,

Thank you for your hint regarding a potential firewall issue. The Linux Mint DNS server does not have a firewall, but does sit behind a D-Link firewall upstream. When reviewing the firewall settings I found UDP packet flooding protection was enabled. The logs indicated after complaining about the connection being refused that reducing the UDP packet size helped:

Aug 8 14:54:46 astro named[15762]: success resolving './NS' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets

It seems the DNS server is fooling the firewall into believing there is a UDP flood attack. After disabling the UDP flood protection, the errors have gone from the server's syslog and DNS resolution is now working 100% of the time.

Many thanks for your help with this matter and pointing me in the right direction.

Regards,
Martin Button.