
I'm having a problem trying to look up a certain DNS name on the internet. For some reason I keep facing a SERVFAIL even though the correct result is displayed - like the DNS name is being resolved twice (external/local?).

I have no trouble looking up anything else, but this single DNS name gives me a headache. Other servers within my farm do lookups fine on this domain.

Let me give you some information.

OS: Ubuntu 14 (with bind9 installed)

/etc/resolv.conf:

nameserver 208.67.222.222 # opendns
nameserver 127.0.0.1

The faulty lookup:

# host whois.verisign-grs.com
whois.verisign-grs.com has address 199.7.48.74
whois.verisign-grs.com has IPv6 address 2001:503:5419:1000::74
Host whois.verisign-grs.com not found: 2(SERVFAIL)

If I did not have the opendns entry in my resolv.conf, the error would either be a timeout (usually the first answer) or the SERVFAIL.

Could the local lookup tools be broken, or could it happen that my DNS lookups are blocked on some level?

SteffenNielsen

1 Answer


host seems to query each of the nameserver entries in resolv.conf in order. That's maybe why you got an answer and then a SERVFAIL status when it requested your local DNS server.

To avoid that behavior, specify the server you want to query:

server is an optional argument which is either the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.

host whois.verisign-grs.com 208.67.222.222

Don't forget that resolv.conf is not a configuration file of BIND but of your machine to know to which server DNS request will be forwarded.

If you want to make your own BIND server answer even if it doesn't own the records, set some forwarders.


I tried and had the same issue with my BIND server:

dig @0 whois.verisign-grs.com gave me a SERVFAIL status.

dig @208.67.222.222 whois.verisign-grs.com an answer.

Flush your DNS cache:

sudo rndc flush

Then request again:

dig @0 whois.verisign-grs.com +short
199.7.59.74
Nabil Bourenane
  • Thank you for your suggestion, but the SERVFAIL is still there after flushing. Do you have any other suggestions? – SteffenNielsen Apr 27 '15 at 06:54
  • Do you have forwarders ? Comment "nameserver 208.67.222.222" in resolv.conf and set "208.67.222.222" in your forwarders clause (named.conf.options) @SteffenNielsen . – Nabil Bourenane Apr 27 '15 at 12:14
  • Thank you. This seemed to do the trick. The host command is no longer returning the annoying SERVFAIL error. Using forwarders, does this mean, that every request (that is not cached) will be sent to opendns (in this case)? – SteffenNielsen Apr 28 '15 at 13:06
  • @SteffenNielsen Every request that your BIND server can't answer will be forwarded, yes. – Nabil Bourenane Apr 28 '15 at 13:58
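A worked example added here (not code from the question or the answer) that separates the two things mixed together above: which resolver in resolv.conf is failing, and for which query type. `host` issues A, AAAA and MX lookups by default, so the script queries each nameserver for those three types with `dig` and prints the status word from each reply, then prints the `forwarders` stanza for named.conf.options that the comments arrive at. The resolv.conf text and the hostname come from the thread; the resolv.conf content is constructed inline so the parsing runs offline, and `forward only;` is my own choice (it stops BIND from falling back to its own recursion when the forwarders fail), not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original post): check each resolv.conf
# nameserver separately for the A, AAAA and MX queries that `host`
# issues by default, so the server and record type returning SERVFAIL
# can be identified, then print the forwarders stanza suggested in the
# comments. The resolv.conf content below is constructed for illustration.

RESOLV_CONF_SAMPLE='nameserver 208.67.222.222 # opendns
nameserver 127.0.0.1'

# Print the nameserver addresses from resolv.conf text on stdin,
# ignoring trailing "# comments" and non-nameserver lines.
parse_nameservers() {
    sed 's/#.*//' | awk '$1 == "nameserver" { print $2 }'
}

# Non-loopback nameservers formatted for a BIND "forwarders { ... };"
# clause, e.g. "208.67.222.222;" (the local BIND must not forward to itself).
forwarders_clause() {
    parse_nameservers | grep -v '^127\.' | awk '{ printf "%s; ", $1 }' | sed 's/ $//'
}

# Emit a named.conf.options fragment so the local BIND forwards queries
# it cannot answer itself instead of failing them. "forward only" is an
# assumption of this example: it disables BIND's own recursion fallback.
print_named_options() {
    fwd=$(printf '%s\n' "$RESOLV_CONF_SAMPLE" | forwarders_clause)
    cat <<EOF
options {
    forwarders { $fwd };
    forward only;
};
EOF
}

# Query one server for the record types host uses and report dig's
# status word (NOERROR, SERVFAIL, ...) or NO RESPONSE on timeout.
query_server() {
    server=$1; name=$2
    for rrtype in A AAAA MX; do
        status=$(dig @"$server" "$name" "$rrtype" +time=2 +tries=1 +noall +comments 2>/dev/null \
            | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
        printf '%-16s %-5s %s\n' "$server" "$rrtype" "${status:-NO RESPONSE}"
    done
}

# Only run the live queries when dig is installed; the config output
# does not need the network.
if command -v dig >/dev/null 2>&1; then
    printf '%s\n' "$RESOLV_CONF_SAMPLE" | parse_nameservers | while read -r ns; do
        query_server "$ns" whois.verisign-grs.com
    done
fi
print_named_options
```

Run it on the host that shows the SERVFAIL and compare the status column for 127.0.0.1 against the column for 208.67.222.222: a row that only fails for the local server is a local BIND problem (cache or missing forwarders), while a row that fails for both points at the upstream or at filtering between you and the resolver. After pasting the printed stanza into named.conf.options and removing the OpenDNS line from resolv.conf, as the comments describe, re-run the script to confirm all three rows for 127.0.0.1 read NOERROR.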