1

If I do an nslookup on youtube.com, no problem; if I do one with www.youtube.com, failure. See details below.

```
[~] nslookup youtube.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: youtube.com
Address: 74.125.127.93
Name: youtube.com
Address: 74.125.47.93
Name: youtube.com
Address: 74.125.95.93

[~] nslookup www.youtube.com
;; Truncated, retrying in TCP mode.
;; Connection to 192.168.1.1#53(192.168.1.1) for www.youtube.com failed: connection refused.
```

If I do the same from a Windows machine it's fine; it's when I do it from a Mac workstation that I get the issue.

I have rebooted both server and workstation, and I did a changeip, but nothing is working.

Any recommendations?

2 Answers

3

For some reason the OS X workstation is issuing UDP DNS requests and the reply was too big to fit into a UDP packet (hence it was truncated). The DNS resolver on the OS X machine is turning around and trying to issue the same request using TCP (which it should have in the first place). THEN something is preventing the OS X machine from contacting the DNS server using a TCP socket on port 53. Do a tcpdump and watch for ICMP messages, specifically "Administratively blocked" messages which generally are hawked back from a fw or nacl when it blocks a connection.

That would be a start. Also, run dig instead of nslookup.

solid7
  • dig results in exactly the same result for the www.youtube.com case. – Eric Arseneau Mar 17 '11 at 23:29
  • Oh yeah, if I do a dig +ignore www.youtube.com, it works fine as well. I think it is a UDP packet size issue, but how do I get to the bottom of it :( – Eric Arseneau Mar 17 '11 at 23:41
  • Keep in mind that Directory Services doesn't use the same code `dig` and `nslookup` do, which is the ISC standard way of doing it (that doesn't mean it's the best way, just that that's how it works with ISC's BIND utilities everywhere.) It's probably doing something similar, but not absolutely certain. As to the TCP failure, the OP's router is handling DNS (see the address it's querying: 192.168.1.1) and doesn't support TCP DNS. The fix for that is to override DNS in Control Panel > Internet & Wireless > Network. – geekosaur Mar 17 '11 at 23:47
  • I had the same problem - firewall rules for DNS were allowing UDP but not TCP, and enabling 53/tcp in the firewall fixed the problem - IPv6 was already disabled - nothing to do with that at all in my case. – Screwtape Nov 03 '17 at 12:28
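
The sequence this answer describes (UDP query, TC flag set in the reply, retry over TCP on port 53), as an added Python example that is not part of the original post. The function names (`build_query`, `is_truncated`, `query_tcp`, `diagnose`) are hypothetical, and the resolver address is whatever you pass in.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word (RFC 1035)

def build_query(name, qid=0x1234, qtype=1):
    """Encode a minimal recursive query (QTYPE 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the server set TC, i.e. the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_BIT)

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def query_tcp(server, query, port=53, timeout=3.0):
    """Send the query over TCP with its 2-byte length prefix; return the reply."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        size = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, size)

def diagnose(server, name, port=53, timeout=3.0):
    """Return 'udp-ok', 'tcp-ok' or 'tcp-blocked: <reason>' for one lookup."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, port))
        reply, _ = u.recvfrom(512)  # classic UDP DNS message limit
    if not is_truncated(reply):
        return "udp-ok"
    try:
        query_tcp(server, query, port, timeout)
        return "tcp-ok"
    except OSError as exc:  # refused, timed out, or unreachable
        return f"tcp-blocked: {exc}"
```

Running `diagnose("192.168.1.1", "www.youtube.com")` from the affected workstation separates a lookup that simply fits in UDP from one where the reply is truncated and 53/tcp is refused or filtered.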
-1

Just turn IPv6 off, it should work then :)

Elliot
  • www.youtube.com isn't advertising any IPv6 addresses, how would this help? – sysadmin1138 Apr 04 '11 at 14:21
  • I went to System Preferences, Network, and turned off IPv6 and everything works now!!! Thank you, I had given up. This is so uncool, I cannot raise the grade on this answer since I don't have enough reputation. This is THE CORRECT ANSWER, ignore the other one. Note I did this on the Mac Mini server. – Eric Arseneau Apr 05 '11 at 04:36