[afnog] Resolver issues

Michuki Mwangi michuki at swiftkenya.com
Mon Apr 10 18:10:12 EAT 2006



Brian Candler wrote:
> 
> I can think of a few possibilities.
> 
> (1) Your machine 'www' isn't able to resolve ns1.swiftkenya.com, which it
> has to do before it can send a packet there. To eliminate this possibility,
> try
> 
> www# dig @80.240.192.7 kenic.or.ke. ns
> 
> instead.
>

Similar results:

www# dig @80.240.192.7 kenic.or.ke ns

; <<>> DiG 9.3.1 <<>> @80.240.192.7 kenic.or.ke ns
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached



> (2) Networking. The UDP packet from your 'www' server to ns1.swiftkenya.com
> isn't getting there, or the response isn't getting back. I'd use tcpdump to
> check this. On the www server, run
> 
>    tcpdump -i eth0 -n -s1500 -X host 80.240.192.7
> 

I have interesting results on my end, as follows, when I run the dig query 
as above or with the name ns1.swiftkenya.com.

It seems like I am getting the response but it's being dumped by my TCP 
stack, no?

www# tcpdump -i em0 -n -s1500 -X host 80.240.192.7
tcpdump: listening on em0
17:40:04.835552 198.32.67.18.2926 > 80.240.192.7.53:  63652+ NS? kenic.or.ke. (29)
0x0000   4500 0039 1f84 0000 4011 4106 c620 4312        E..9....@.A...C.
0x0010   50f0 c007 0b6e 0035 0025 1a61 f8a4 0100        P....n.5.%.a....
0x0020   0001 0000 0000 0000 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01                         r.ke.....
17:40:04.856981 80.240.192.7.53 > 198.32.67.18.2926:  63652*- 3/0/3 NS ns1.swiftkenya.com., NS ns2.swiftkenya.com., NS ole.kenic.or.ke. (145) (DF)
0x0000   4500 00ad 0000 4000 3b11 2516 50f0 c007        E.....@.;.%.P...
0x0010   c620 4312 0035 0b6e 0099 6a3f f8a4 8500        ..C..5.n..j?....
0x0020   0001 0003 0000 0003 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01c0 0c00 0200 0100        r.ke............
0x0040   0096 0000 1403 6e73 310a 7377 6966 746b        ......ns1.swiftk
0x0050   656e 7961 0363 6f6d 00c0 0c00 0200 0100        enya.com........
0x0060   0096 0000 0603 6e73 32c0 2dc0 0c00 0200        ......ns2.-.....
0x0070   0100 0096 0000 0603 6f6c 65c0 0cc0 2900        ........ole...).
0x0080   0100 0100 0151 8000 0450 f0c0 07c0 4900        .....Q...P....I.
0x0090   0100 0100 0151 8000 04c1 dbc6 0ac0 5b00        .....Q........[.
0x00a0   0100 0100 0096 0000 04c6 2043 13               ...........C.
17:40:09.836618 198.32.67.18.2926 > 80.240.192.7.53:  63652+ NS? kenic.or.ke. (29)
0x0000   4500 0039 1f96 0000 4011 40f4 c620 4312        E..9....@.@...C.
0x0010   50f0 c007 0b6e 0035 0025 1a61 f8a4 0100        P....n.5.%.a....
0x0020   0001 0000 0000 0000 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01                         r.ke.....
17:40:09.864701 80.240.192.7.53 > 198.32.67.18.2926:  63652*- 3/0/3 NS ole.kenic.or.ke., NS ns1.swiftkenya.com., NS ns2.swiftkenya.com. (145) (DF)
0x0000   4500 00ad 0000 4000 3b11 2516 50f0 c007        E.....@.;.%.P...
0x0010   c620 4312 0035 0b6e 0099 663f f8a4 8500        ..C..5.n..f?....
0x0020   0001 0003 0000 0003 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01c0 0c00 0200 0100        r.ke............
0x0040   0096 0000 0603 6f6c 65c0 0cc0 0c00 0200        ......ole.......
0x0050   0100 0096 0000 1403 6e73 310a 7377 6966        ........ns1.swif
0x0060   746b 656e 7961 0363 6f6d 00c0 0c00 0200        tkenya.com......
0x0070   0100 0096 0000 0603 6e73 32c0 3fc0 3b00        ........ns2.?.;.
0x0080   0100 0100 0151 8000 0450 f0c0 07c0 5b00        .....Q...P....[.
0x0090   0100 0100 0151 8000 04c1 dbc6 0ac0 2900        .....Q........).
0x00a0   0100 0100 0096 0000 04c6 2043 13               ...........C.
17:40:14.846687 198.32.67.18.2926 > 80.240.192.7.53:  63652+ NS? kenic.or.ke. (29)
0x0000   4500 0039 1fa8 0000 4011 40e2 c620 4312        E..9....@.@...C.
0x0010   50f0 c007 0b6e 0035 0025 1a61 f8a4 0100        P....n.5.%.a....
0x0020   0001 0000 0000 0000 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01                         r.ke.....
17:40:14.867463 80.240.192.7.53 > 198.32.67.18.2926:  63652*- 3/0/3 NS ns1.swiftkenya.com., NS ns2.swiftkenya.com., NS ole.kenic.or.ke. (145) (DF)
0x0000   4500 00ad 0000 4000 3b11 2516 50f0 c007        E.....@.;.%.P...
0x0010   c620 4312 0035 0b6e 0099 6a3f f8a4 8500        ..C..5.n..j?....
0x0020   0001 0003 0000 0003 056b 656e 6963 026f        .........kenic.o
0x0030   7202 6b65 0000 0200 01c0 0c00 0200 0100        r.ke............
0x0040   0096 0000 1403 6e73 310a 7377 6966 746b        ......ns1.swiftk
0x0050   656e 7961 0363 6f6d 00c0 0c00 0200 0100        enya.com........
0x0060   0096 0000 0603 6e73 32c0 2dc0 0c00 0200        ......ns2.-.....
0x0070   0100 0096 0000 0603 6f6c 65c0 0cc0 2900        ........ole...).
0x0080   0100 0100 0151 8000 0450 f0c0 07c0 4900        .....Q...P....I.
0x0090   0100 0100 0151 8000 04c1 dbc6 0ac0 5b00        .....Q........[.
0x00a0   0100 0100 0096 0000 04c6 2043 13               ...........C.
^C


> and on 80.240.192.7, run
> 
>    tcpdump -i eth0 -n -s1500 -X host x.x.x.x
> 
> where x.x.x.x is the IP address of server 'www'
> 
> Maybe some packet filters have been applied somewhere which are blocking UDP
> port 53. Talk to your networking people. Also, look for "ICMP
> administratively prohibited" packets in the tcpdump. If you see them, the
> source IP address will tell you which router is blocking the packets.
>



> (3) Something to do with your multi-views config on ns1.swiftkenya.com,
> which means that it will accept queries from itself but not from x.x.x.x
>

The resolution seems to be affecting all my registrars. 
ns1.swiftkenya.com is one of the authoritative hosts for one of my 
registrars and the same is being replicated across others as well.

>> ;; Received 420 bytes from 198.32.67.19#53(198.32.67.19) in 2 ms
>>
>> ;; connection timed out; no servers could be reached
> 
> Strange. Does look like DNS has been blocked somehow.
>

I do run IPFW on the box, but this has not been a problem in the past, so 
I have not disabled the rules yet. I will run a test with IPFW off 
to see what happens.

>> 16:53:52.905281 www.1679 > ole.domain: [bad udp cksum a373!]  52691+ A? 
>> H.ROOT-SERVERS.NET. (36) (ttl 64, id 4094, len 64)
> 
> Aha. That's *very* suspicious. UDP packets with bad checksums will be
> silently dropped by your TCP stack. This is a very strange and rare
> occurrence.
>

I seem to be convinced that this could be the cause. Changing the 
switch port does not resolve this, so it could be the NIC :(

> Using tcpdump at both ends of the connection, or on a third machine hanging
> off a hub (not switch) in between, you can work out whether the packet has
> been sent with a bad checksum, or was corrupted in transit, or received with
> a bad checksum.
>

If I run tcpdump between two boxes, the checksum on one end is fine but 
on reaching www it's not OK. I want to try a couple of things, including 
changing the patch cord, to see if that could be it before working on the 
NIC.

> As for what's corrupting it, I would first suspect the NIC in your host
> 'www', and the ethernet switch or switch port it is uplinked to. It seems
> too consistent to be a cabling problem.
> 
> You can plug host 'www' into a different switch port, and swap its NIC.

I have swapped to a different switch port; same response.

A different NIC will take time/downtime, hence I will try off-peak hours.

> 
> If you are using a cheap NE2000-clone NIC, then you deserve everything you
> get :-)

The box is a branded Dell with an onboard NIC, an Intel Pro 10/1000 card. It's a shame 
if it's the card.


Thanks and regards,
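
Added example (not part of the original message or of any poster's tooling): a checker for the UDP checksum test discussed in this thread, run on the first query packet copied from the tcpdump -X output above. The function names are this example's own; it recomputes the checksum over the IPv4 pseudo-header plus the UDP datagram and separates a corrupted checksum from one that holds only the pseudo-header sum.

```python
import struct

# First query packet from the tcpdump -X output above (IP header onward).
QUERY_HEX = """
4500 0039 1f84 0000 4011 4106 c620 4312
50f0 c007 0b6e 0035 0025 1a61 f8a4 0100
0001 0000 0000 0000 056b 656e 6963 026f
7202 6b65 0000 0200 01
"""

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_udp(ip_packet: bytes) -> dict:
    """Classify the UDP checksum of one IPv4/UDP packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    udp = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("truncated capture; raise the snaplen")
    udp = udp[:udp_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    # Pseudo-header: source IP, destination IP, zero, protocol 17, UDP length.
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    expected = ~ones_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) & 0xFFFF
    expected = expected or 0xFFFF  # RFC 768: a computed zero is sent as all ones
    if stored == 0:
        verdict = "no checksum"
    elif stored == expected:
        verdict = "ok"
    elif stored == ones_sum(pseudo):
        verdict = "pseudo-header sum only (checksum not completed at capture point)"
    else:
        verdict = "bad"
    return {"stored": stored, "expected": expected, "verdict": verdict}

def from_hex(dump: str) -> bytes:
    """Turn the hex columns of a tcpdump -X dump into bytes."""
    return bytes.fromhex("".join(dump.split()))

if __name__ == "__main__":
    print(check_udp(from_hex(QUERY_HEX)))
```

For the query packet above the stored value 0x1a61 equals the bare pseudo-header sum, while the completed checksum would be 0x291d. That pattern appears when a packet is captured on the sending host before the NIC's transmit checksum offload fills in the final value, so the same packet should also be checked in a capture taken at the receiving end.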


