medibuntu.org DNS resolution issues

Asked by Ian McMichael

Since the Ubuntu 8.10 kernel updates last week, when I rebooted my server and hence cleared my bind cache, I've been unable to resolve names in the medibuntu.org domain. This includes www.medibuntu.org and packages.medibuntu.org.

To diagnose this I've run the following commands on the DNS server:

# dig org. NS

; <<>> DiG 9.5.0-P2 <<>> org. NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50640
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;org. IN NS

;; ANSWER SECTION:
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.

;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 10 17:26:32 2009
;; MSG SIZE rcvd: 159

# dig @a0.org.afilias-nst.info medibuntu.org NS

; <<>> DiG 9.5.0-P2 <<>> @a0.org.afilias-nst.info medibuntu.org NS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9340
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;medibuntu.org. IN NS

;; AUTHORITY SECTION:
medibuntu.org. 86400 IN NS ns.cekmedia.de.
medibuntu.org. 86400 IN NS dns.dunnewind.net.

;; Query time: 152 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Tue Feb 10 17:27:31 2009
;; MSG SIZE rcvd: 90

# dig @ns.cekmedia.de www.medibuntu.org A

; <<>> DiG 9.5.0-P2 <<>> @ns.cekmedia.de www.medibuntu.org A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60605
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.medibuntu.org. IN A

;; Query time: 23 msec
;; SERVER: 91.121.71.91#53(91.121.71.91)
;; WHEN: Tue Feb 10 17:31:21 2009
;; MSG SIZE rcvd: 35

# dig @dns.dunnewind.net www.medibuntu.org A
dig: couldn't get address for 'dns.dunnewind.net': not found

# dig net. NS

; <<>> DiG 9.5.0-P2 <<>> net. NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60996
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;net. IN NS

;; ANSWER SECTION:
net. 172343 IN NS a.gtld-servers.net.
net. 172343 IN NS i.gtld-servers.net.
net. 172343 IN NS e.gtld-servers.net.
net. 172343 IN NS d.gtld-servers.net.
net. 172343 IN NS b.gtld-servers.net.
net. 172343 IN NS j.gtld-servers.net.
net. 172343 IN NS f.gtld-servers.net.
net. 172343 IN NS l.gtld-servers.net.
net. 172343 IN NS g.gtld-servers.net.
net. 172343 IN NS k.gtld-servers.net.
net. 172343 IN NS h.gtld-servers.net.
net. 172343 IN NS m.gtld-servers.net.
net. 172343 IN NS c.gtld-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 10 17:33:41 2009
;; MSG SIZE rcvd: 242

# dig @a.gtld-servers.net dunnewind.net NS

; <<>> DiG 9.5.0-P2 <<>> @a.gtld-servers.net dunnewind.net NS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41300
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dunnewind.net. IN NS

;; ANSWER SECTION:
dunnewind.net. 172800 IN NS dunnewind.net.
dunnewind.net. 172800 IN NS ns6.gandi.net.

;; ADDITIONAL SECTION:
dunnewind.net. 172800 IN A 88.191.82.11
ns6.gandi.net. 172800 IN A 217.70.177.40

;; Query time: 183 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Feb 10 17:34:17 2009
;; MSG SIZE rcvd: 101

# dig @dunnewind.net dns.dunnewind.net A
dig: couldn't get address for 'dunnewind.net': not found

# dig @88.191.82.11 dns.dunnewind.net A

; <<>> DiG 9.5.0-P2 <<>> @88.191.82.11 dns.dunnewind.net A
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

# dig @ns6.gandi.net dns.dunnewind.net A

; <<>> DiG 9.5.0-P2 <<>> @ns6.gandi.net dns.dunnewind.net A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53825
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dns.dunnewind.net. IN A

;; Query time: 40 msec
;; SERVER: 217.70.177.40#53(217.70.177.40)
;; WHEN: Tue Feb 10 17:37:49 2009
;; MSG SIZE rcvd: 35

So, what I've found by manually following the recursion path suggests there are a couple of problems. ns.cekmedia.de no longer appears to hold a valid zone file for medibuntu.org as it is trying to recurse against its own rules. Additionally, the dunnewind.net domain cannot be contacted because its DNS server is no longer reachable on 88.191.82.11 and ns6.gandi.net does not hold a valid zone file for it.

Unless I've missed something in my diagnosis everyone will experience these issues once their caches expire. Could someone with ownership of the medibuntu.org and dunnewind.net domains take a look?

Thanks in advance,

Ian.
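
The manual walk in the question above, as an added example that is not part of the original post: a small Python classifier for `dig @server` transcripts that flags lame, unresolvable or unreachable delegated name servers. The function names and the `HEALTHY` sample are constructed for illustration; the other transcripts are abridged from the dig output in the question.

```python
import re

STATUS = re.compile(r"->>HEADER<<-.*?status: (\w+)")
COUNTS = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")

def classify(dig_text):
    """Classify the transcript of one `dig @server name type` run."""
    if "couldn't get address" in dig_text:
        return "ns-unresolvable"      # the NS host name itself has no address
    if "connection timed out" in dig_text:
        return "unreachable"          # no reply on port 53 (down or filtered)
    status, counts = STATUS.search(dig_text), COUNTS.search(dig_text)
    if not (status and counts):
        return "unparsed"
    flags = counts.group(1).split()
    answers, authority = int(counts.group(2)), int(counts.group(3))
    if status.group(1) != "NOERROR":
        return "lame"                 # listed as NS but cannot serve the zone
    if "aa" in flags:
        return "authoritative"
    if answers == 0 and authority > 0:
        return "referral"             # parent handing out the delegation
    return "non-authoritative"

def usable_servers(transcripts):
    """Names of delegated servers that answered with authority."""
    return sorted(ns for ns, text in transcripts.items()
                  if classify(text) == "authoritative")

# Abridged from the dig output in the question above.
MEDIBUNTU = {
    "ns.cekmedia.de": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60605\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"),
    "dns.dunnewind.net":
        "dig: couldn't get address for 'dns.dunnewind.net': not found\n",
}
PARENT_REFERRAL = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9340\n"
    ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0\n")
# Constructed sample (not from the thread): a healthy server sets the aa flag.
HEALTHY = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
    ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n")

if __name__ == "__main__":
    for ns, text in MEDIBUNTU.items():
        print(ns, classify(text))
    print("usable:", usable_servers(MEDIBUNTU))
```

An empty result from `usable_servers` means no delegated server can answer for the zone, so resolution fails as soon as cached records expire.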

Question information

Language: English
Status: Solved
For: Medibuntu
Assignee: No assignee
Solved by: Maxence DUNNEWIND

Ian McMichael (ian-sigma-uk) said :
#1

As I've not heard anything and still cannot resolve medibuntu.org, I collected some packet traces from various systems. The problems with no valid zone files on ns.cekmedia.de and ns6.gandi.net still seem to persist. However, I've discovered that port 53 traffic to/from dunnewind.net (88.191.82.11) is being filtered for certain hosts.

As dunnewind.net is the only current source of the medibuntu.org domain information this is causing the issues I describe. Although I can ping 88.191.82.11 from all systems, some receive no reply (3x retry at 5 second intervals) to DNS queries on UDP port 53 and others receive valid replies immediately.

Is there a firewall running on 88.191.82.11? Are there some overzealous rules on UDP port 53 traffic? Why are the secondaries for medibuntu.org and dunnewind.net not answering from their zone files at present? Have they had transfer issues and dropped the stale data?

If it's of assistance I could provide commercial domain hosting for medibuntu.org on 2 x UK and 1 x US servers. Sadly they don't currently offer IPv6 connectivity but at least we'd all be able to get to the medibuntu repositories!

Please get in touch if I can assist any further...

Ian.

Maxence DUNNEWIND (maxenced) said :
#2

Hi,
first of all, regarding your first pastes, I can see that your dig finds dns.dunnewind.net and ns6.gandi.net, which is the old config. We had some problems with this old config. A new one was set up some weeks ago. Now you should get :

From my point of view, what you should get now for a dig NS medibuntu.org is similar to :
;; ANSWER SECTION:
medibuntu.org. 1655 IN NS ns.cekmedia.de.
medibuntu.org. 1655 IN NS rennes1.dunnewind.net.
medibuntu.org. 1655 IN NS dunnewind.net.

;; ADDITIONAL SECTION:
ns.cekmedia.de. 5018 IN A 91.121.71.91
dunnewind.net. 6970 IN A 88.191.82.11
rennes1.dunnewind.net. 6970 IN A 86.65.39.14

Anyway, the master servers for org. aren't updated ...

I'll take a look on that asap.
Thanks for your report.

Cheers,

Maxence

Best Maxence DUNNEWIND (maxenced) said :
#3

Ok,

we got some error in the registrar + 1 slave config. All is ok now. That should help :)

Cheers,

Maxence

Ian McMichael (ian-sigma-uk) said :
#4

Hi Maxence,

Thanks for sorting out ns.cekmedia.de, which is now answering with authority for medibuntu.org and I can once again resolve names in the domain. However, there are still a couple of configuration issues. The host at 88.191.82.11 (dunnewind.net) still ignores UDP port 53 traffic and hence DNS queries from some hosts.

A WHOIS lookup at present still shows an incorrect list of nameservers for the medibuntu.org domain and hence the answers given by the org servers are still incorrect:

Domain ID:D141004650-LROR
Domain Name:MEDIBUNTU.ORG
Created On:06-Mar-2007 09:24:16 UTC
Last Updated On:07-Feb-2009 18:59:22 UTC
Expiration Date:06-Mar-2009 09:24:16 UTC
Sponsoring Registrar:OVH SARL (R135-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:ovh498dda04dtrm
Registrant Name:Kramer Claus E.
Registrant Organization:CEK Media Service
Registrant Street1:Seestrasse 8
Registrant Street2:
Registrant Street3:
Registrant City:Aichwald
Registrant State/Province:
Registrant Postal Code:73773
Registrant Country:DE
Registrant Phone:+49.7118064154
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:<email address hidden>
Admin ID:ovh498dda04qcof
Admin Name:Kraemer Claus E.
Admin Organization:CEK Media Service
Admin Street1:Seestr. 8
Admin Street2:
Admin Street3:
Admin City:Aichwald
Admin State/Province:
Admin Postal Code:73773
Admin Country:DE
Admin Phone:+49.7118064154
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:<email address hidden>
Tech ID:ovh498dda04qcof
Tech Name:Kraemer Claus E.
Tech Organization:CEK Media Service
Tech Street1:Seestr. 8
Tech Street2:
Tech Street3:
Tech City:Aichwald
Tech State/Province:
Tech Postal Code:73773
Tech Country:DE
Tech Phone:+49.7118064154
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:<email address hidden>
Name Server:NS.CEKMEDIA.DE
Name Server:DNS.DUNNEWIND.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:

In theory a mail to <email address hidden> (unless of course that's you) should be able to resolve the issue and get the domain registration updated with the correct NS entries.

Thanks,

Ian.

Maxence DUNNEWIND (maxenced) said :
#5

Hi,

The configuration has been changed in the config interface this morning, but the config may be updated later. If tomorrow there is no more result, I'll ask the guy who registered the domain.

For dunnewind.net, I'll take a look asap.

Cheers,

Maxence

Ian McMichael (ian-sigma-uk) said :
#6

Hi Maxence,

Thanks, I'll keep an eye on it. I didn't mean to disturb you too much from your studies. It would be good to get all the nameservers accessible so that if any of them go off-line again the redundancy of DNS works and names continue to resolve.

If I can assist in any way please don't hesitate to contact me...

Cheers,

Ian.

Ian McMichael (ian-sigma-uk) said :
#7

Thanks Maxence DUNNEWIND, that solved my question.

Maxence DUNNEWIND (maxenced) said :
#8

Hi,

thanks for taking care of me :)
Anyway : I'm trying to understand why the whois (and the root servers for org.) isn't updated.
About dunnewind.net issues, I can't reproduce it (I tried dig @88.191.82.11 dunnewind.net A on 12 computers, ~ 15 times per computer, no bad results :/)
Moreover, bind logs don't contain anything useful.
I'll add information when this is solved.

Cheers,

Maxence

Maxence DUNNEWIND (maxenced) said :
#9

ok ok ...
So :
- the org. root servers are now up-to-date \o/
- The whois of medibuntu.org is still bad. Anyway, I'll wait some more hours to let dns propagate.
- I'm still not able to reproduce your request issues on dunnewind.net. Btw, do you have any ipv6 support ? I'm not sure but that could be a problem.

Cheers,

Maxence

Maxence DUNNEWIND (maxenced) said :
#10

Last news :

- the whois is updated
- I removed the AAAA record on dunnewind.net and moved it to v6.dunnewind.net, to avoid dns resolution using it at the moment.
- I added another secondary server, which needs to be updated (this night, 2h45 GMT+1).
- all root domains are updated correctly (for both dunnewind.net and medibuntu.org)

I don't see what I can do after that ...

Anyway, thanks for your report / help, which helped me to solve some undetected dns issues !

Maxence

Ian McMichael (ian-sigma-uk) said :
#11

Thanks very much for all the updates. I can now see four nameserver records in the domain registration and the .org nameservers are giving these out correctly.

Although my system does not have IPv6 support at present I still cannot reach 88.191.82.11 on UDP port 53. This is no longer a major issue as I have another three nameservers to choose from. I'll drop you a message off-line with some details of the system and if you have time we can run some tests.

Cheers,

Ian.