
From tcpdump:

Sep 12 23:03:43 server named[25095]: error (unexpected RCODE SERVFAIL) resolving 'exitlist.torproject.org.www.mydomain.com/A/IN': ip#53

OS: CentOS 6

resolv.conf:

search www.domain.com domain.com
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.8.8

Using Bind with recursion in options off. No firewall on. Hosts file is normal.

ifcfg-em1:
DEVICE="em1"
BOOTPROTO="static"
DNS1="8.8.8.8"
DNS2="8.8.4.4"
DNS3="127.0.0.1"
GATEWAY="edited"
HWADDR="edited"
IPADDR="server_ip"
IPV6INIT="yes"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> google.com. @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57512
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       173.194.78.101
google.com.             300     IN      A       173.194.78.138
google.com.             300     IN      A       173.194.78.139
google.com.             300     IN      A       173.194.78.100
google.com.             300     IN      A       173.194.78.113
google.com.             300     IN      A       173.194.78.102

;; AUTHORITY SECTION:
google.com.             172131  IN      NS      ns2.google.com.
google.com.             172131  IN      NS      ns1.google.com.
google.com.             172131  IN      NS      ns4.google.com.
google.com.             172131  IN      NS      ns3.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172131  IN      A       216.239.34.10
ns1.google.com.         172131  IN      A       216.239.32.10
ns3.google.com.         172131  IN      A       216.239.36.10
ns4.google.com.         172131  IN      A       216.239.38.10

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 13 00:23:16 2012
;; MSG SIZE  rcvd: 260

P.S. Can't even access the site with the domain anymore.

Tar
  • What is the question here? – topdog Sep 13 '12 at 04:17
  • The question is why is it doing this? I know this isn't normal behavior. I can resolve domain names to IP addresses but I cannot ping domains or IP addresses. I also get constant servfails in tcpdump although people are able to connect to my site and interact with it as usual. – Tar Sep 13 '12 at 04:24
  • Well the question does not provide any indication of your environment, can you edit it to provide more detail – topdog Sep 13 '12 at 04:29
  • I've edited with some more information, though I don't know how to format it. – Tar Sep 13 '12 at 04:32
  • Drop the two google nameservers from resolv.conf and add them as forwarders in /etc/named.conf instead. – topdog Sep 13 '12 at 04:37
  • On your local bind you need to allow recursion for localhost, you don't have recursion enabled that is why the search domain is being appended to fully qualified domains. – topdog Sep 13 '12 at 04:39
  • I put part of my named.conf in my question to show that I do have recursion enabled for internal and local resolver – Tar Sep 13 '12 at 04:42
  • Why do you have both localhost and the google public DNS servers in resolv.conf? Your problems in both this and your other question seem to revolve around your search suffixes, but I think that's not the whole story. Can you provide the output from `dig google.com. @localhost`? – Shane Madden Sep 13 '12 at 05:05
  • @ShaneMadden updated question with requested output – Tar Sep 13 '12 at 05:25
  • And what is the output of `dig exitlist.torproject.org. @8.8.8.8` and `dig exitlist.torproject.org. @localhost`? – Zoredache Sep 13 '12 at 05:31
  • Both of them say connection timed out; no servers could be reached – Tar Sep 13 '12 at 05:41
  • Your outbound connection (UDP port 53) is either being blocked or you have no connectivity to the internet. – topdog Sep 13 '12 at 06:20
  • How is that possible? I do `netstat -an | grep ^udp | grep 53` and have listening on both 127.0.0.1:53 and serverip:53 – Tar Sep 13 '12 at 06:35
  • It could be that you have an overly-restrictive local firewall? Have you tried clearing out any iptables rules, and setting the policy to ACCEPT? – Zoredache Sep 14 '12 at 17:20

2 Answers


If you are asking why it is trying to resolve exitlist.torproject.org.www.mydomain.com instead of exitlist.torproject.org, then the answer is probably that it IS trying to resolve exitlist.torproject.org, failing, and then using the search path you have defined in your resolv.conf in the line `search www.domain.com domain.com`.

Zoredache

It really is hard to know what you're asking but I'll give it a shot. You have 127.0.0.1 set as your first nameserver, so that's what is checked first.

With recursion turned off, a DNS request that cannot be authoritatively answered by the localhost will get a SERVFAIL, which is still an answer. That is the end of the story. The other nameservers should not be consulted because you already have an answer. They will only be consulted if 127.0.0.1 fails to respond to the query.

With recursion turned on for the same query the local instance of BIND will recurse and try to get you a valid answer. If the local instance responds in any way the other nameservers will not be consulted.

John Gardeniers
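Added example, not from the question or either answer: a simplified Python model of the glibc stub resolver's search-list walk that Zoredache's answer and the named log line describe, showing how a SERVFAIL for the as-is name leads to `exitlist.torproject.org.www.domain.com` being queried next. It assumes glibc's default ndots of 1, a constructed resolv.conf matching the question, and constructed rcodes for the first nameserver; failover to the other nameservers is not modelled.

```python
# Constructed resolv.conf mirroring the question; ndots is glibc's default of 1.
RESOLV_CONF = """search www.domain.com domain.com
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.8.8
"""

# Constructed rcodes from the first nameserver (127.0.0.1): BIND with recursion off
# returns SERVFAIL for names it is not authoritative for; google.com stands in for
# the cached answer shown in the dig output above.
ANSWERS = {"exitlist.torproject.org.": "SERVFAIL", "google.com.": "NOERROR"}


def parse_resolv_conf(text):
    """Return search list, nameserver list (duplicates kept) and ndots."""
    conf = {"search": [], "nameservers": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        key, args = parts[0], parts[1:]
        if key in ("search", "domain"):  # the last such line wins, as in glibc
            conf["search"] = args if key == "search" else args[:1]
        elif key == "nameserver":
            conf["nameservers"].append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def lookup_sequence(name, conf, answers):
    """Return the (qname, rcode) pairs a glibc-style stub resolver tries, in order.
    A name with at least ndots dots is queried as-is first; on NXDOMAIN or SERVFAIL
    each search suffix is appended in turn. A trailing dot (dig google.com.) skips
    the search list. Unknown names are NXDOMAIN; nameserver failover is not modelled."""
    trailing_dot = name.endswith(".")
    dots = name.rstrip(".").count(".")
    as_is = name if trailing_dot else name + "."
    candidates = [as_is] if (dots >= conf["ndots"] or trailing_dot) else []
    if not trailing_dot:
        candidates += [f"{name}.{suffix}." for suffix in conf["search"]]
        if dots < conf["ndots"]:
            candidates.append(as_is)  # short names are tried as-is last
    tried = []
    for qname in candidates:
        rcode = answers.get(qname, "NXDOMAIN")
        tried.append((qname, rcode))
        if rcode == "NOERROR":
            break
    return tried
```

Running `lookup_sequence("exitlist.torproject.org", parse_resolv_conf(RESOLV_CONF), ANSWERS)` reproduces the sequence behind the log line: SERVFAIL for the bare name, then both search suffixes appended.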