In the last 6 weeks I have gone from limited knowledge of FreeBSD and BIND DNS (only knew it existed) to asking questions in-house that no one knows the answer to about FreeBSD and BIND. So I turn to this forum with my questions. Please excuse any details/info which appear vague or censored, as this is a mandatory requirement of the environment.
Question:
I do a dig from my internal BIND DNS server for an Internet FQDN and the dig comes back in ~2000-4000+ msec, or it just does not resolve. However, if I do a dig from the Internet DNS server, it takes ~5-30 msec to resolve. The firewalls for Internet and Closed_Network are the same brand and type. Digs from INTRANET_BIND toward the Closed_Network_BIND result in responses in the range of <1-10 msec. I am unsure where else to look in my config or if I have a misconfiguration somewhere. Any help is welcome and appreciated.
* ICMP is not allowed between the server segment and the Internet DMZ for troubleshooting
Environment brief:
Summary:
Attempting to move toward having all intranet systems point to INTRANET_BIND instead of the current DNS solution. The existing solution has forwarders for INTERNET_BIND_01/02 and Remote_DNS_01/02/03, while also having conditional forwarders for Closed_Network_BIND_01/02. There is a severe difference in speed between the existing solution (fast) and the future solution (slow and spotty). The end/future solution should hopefully handle ~20-24 million queries a day.
Intranet BIND DNS
* Configured as a Forwarder/Cache server
* Forwards internal FQDN to an internal DNS
* Forwards default/Internet DNS queries to the Internet BIND DNS servers
* Forwards specific FQDNs to Closed_Network BIND DNS servers for custom resolution
* /etc/resolv.conf has itself, Internet DNS #1, and Internet DNS #2
* root hints disabled within named.conf
Internet BIND DNS
* Primary and Secondary both configured as Forwarder/Cache
* Forwards everything to ISP's DNS servers
* /etc/resolv.conf has ISP DNS #1 and ISP DNS #2
* root hints enabled within named.conf
Closed_Network BIND DNS
* Primary and secondary both configured as Forwarder/Cache
* Forwards everything to remote DNS servers on closed network
* /etc/resolv.conf has itself, Remote_DNS_01, and Remote_DNS_02
* root hints disabled within named.conf
* Traffic goes out separate circuit from the Internet
Example:
Code:
INTRANET_BIND# dig i.dell.com @10.XXX.XXX.153
; <<>> DiG 9.6.-ESV-R3 <<>> i.dell.com @10.XXX.XXX.153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63153
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 3
;; QUESTION SECTION:
;i.dell.com. IN A
;; ANSWER SECTION:
i.dell.com. 0 IN CNAME img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.
ccdn-global.dell.com.edgesuite.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net. 0 IN CNAME a1058.g.akamai.net.
a1058.g.akamai.net. 6 IN A 96.17.75.32
a1058.g.akamai.net. 6 IN A 96.17.75.34
;; AUTHORITY SECTION:
. 7786 IN NS i.root-servers.net.
. 7786 IN NS j.root-servers.net.
. 7786 IN NS c.root-servers.net.
. 7786 IN NS h.root-servers.net.
. 7786 IN NS e.root-servers.net.
. 7786 IN NS f.root-servers.net.
. 7786 IN NS a.root-servers.net.
. 7786 IN NS g.root-servers.net.
. 7786 IN NS d.root-servers.net.
. 7786 IN NS l.root-servers.net.
. 7786 IN NS k.root-servers.net.
. 7786 IN NS m.root-servers.net.
. 7786 IN NS b.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 247403 IN A 198.41.0.4
a.root-servers.net. 247734 IN AAAA 2001:503:ba3e::2:30
c.root-servers.net. 318287 IN A 192.33.4.12
;; Query time: 3160 msec
;; SERVER: 10.XXX.XXX.153#53(10.XXX.XXX.153)
;; WHEN: Mon May 9 11:07:56 2011
;; MSG SIZE rcvd: 501
Code:
INTERNET_BIND_01# dig i.dell.com @68.87.74.162
; <<>> DiG 9.6.-ESV-R3 <<>> i.dell.com @68.87.74.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15209
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;i.dell.com. IN A
;; ANSWER SECTION:
i.dell.com. 0 IN CNAME img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.
ccdn-global.dell.com.edgesuite.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net. 0 IN CNAME a1058.g.akamai.net.
a1058.g.akamai.net. 20 IN A 96.17.146.43
a1058.g.akamai.net. 20 IN A 96.17.146.75
;; Query time: 42 msec
;; SERVER: 68.87.74.162#53(68.87.74.162)
;; WHEN: Mon May 9 11:14:22 2011
;; MSG SIZE rcvd: 233
Did a tcpdump on both servers while doing another dig with the following results:
Code:
INTRANET_BIND# dig i.dell.com @10.XXX.XXX.153
; <<>> DiG 9.6.-ESV-R3 <<>> i.dell.com @10.XXX.XXX.153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54648
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 3
;; QUESTION SECTION:
;i.dell.com. IN A
;; ANSWER SECTION:
i.dell.com. 0 IN CNAME img.dell-cidr.akadns.net.
img.dell-cidr.akadns.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.
ccdn-global.dell.com.edgesuite.net. 0 IN CNAME ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net.
ccdn-global.dell.com.edgesuite.net.globalredir.akadns.net. 0 IN CNAME a1058.g.akamai.net.
a1058.g.akamai.net. 5 IN A 96.17.146.75
a1058.g.akamai.net. 5 IN A 96.17.146.43
;; AUTHORITY SECTION:
. 6777 IN NS e.root-servers.net.
. 6777 IN NS k.root-servers.net.
. 6777 IN NS m.root-servers.net.
. 6777 IN NS g.root-servers.net.
. 6777 IN NS a.root-servers.net.
. 6777 IN NS j.root-servers.net.
. 6777 IN NS l.root-servers.net.
. 6777 IN NS d.root-servers.net.
. 6777 IN NS i.root-servers.net.
. 6777 IN NS h.root-servers.net.
. 6777 IN NS f.root-servers.net.
. 6777 IN NS c.root-servers.net.
. 6777 IN NS b.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 246394 IN A 198.41.0.4
a.root-servers.net. 246725 IN AAAA 2001:503:ba3e::2:30
c.root-servers.net. 317278 IN A 192.33.4.12
;; Query time: 511 msec
;; SERVER: 10.XXX.XXX.153#53(10.XXX.XXX.153)
;; WHEN: Mon May 9 11:24:45 2011
;; MSG SIZE rcvd: 501
Code:
INTRANET_BIND# tcpdump -vv host 10.XXX.XXX.153
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
11:24:35.137716 IP (tos 0x0, ttl 64, id 62859, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:40.138611 IP (tos 0x0, ttl 64, id 62865, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:45.147943 IP (tos 0x0, ttl 64, id 62869, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:45.658740 IP (tos 0x0, ttl 62, id 60507, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
Code:
INTERNET_BIND_01# tcpdump -vv host 10.X.X.53
tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
11:24:18.347858 IP (tos 0x0, ttl 62, id 62859, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:23.348704 IP (tos 0x0, ttl 62, id 62865, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:28.358008 IP (tos 0x0, ttl 62, id 62869, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:28.868442 IP (tos 0x0, ttl 64, id 60507, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
11:24:33.446556 IP (tos 0x0, ttl 64, id 61464, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
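As an added example (not part of the original post and not the poster's code), the following Python script parses the two tcpdump -vv captures above, pairs the queries with the answer by DNS transaction ID, and reports the retransmit spacing, the time from first query to first answer, tcpdump's checksum verdicts, and the clock offset between the two hosts (matched by IP ID, which is preserved end to end). The two captures are embedded verbatim as constructed sample input; the parser assumes tcpdump's two-line -vv layout (IP header line followed by the UDP/DNS line) and only understands UDP DNS lines.

```python
"""Pair DNS queries with responses across two tcpdump -vv captures (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the two captures from the post above, verbatim,
# in tcpdump -vv's two-line layout (IP header line, then the UDP/DNS line).
INTRANET_CAPTURE = """\
11:24:35.137716 IP (tos 0x0, ttl 64, id 62859, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:40.138611 IP (tos 0x0, ttl 64, id 62865, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:45.147943 IP (tos 0x0, ttl 64, id 62869, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [bad udp cksum fcbc!] 54648+ A? i.dell.com. (28)
11:24:45.658740 IP (tos 0x0, ttl 62, id 60507, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
"""
INTERNET_CAPTURE = """\
11:24:18.347858 IP (tos 0x0, ttl 62, id 62859, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:23.348704 IP (tos 0x0, ttl 62, id 62865, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:28.358008 IP (tos 0x0, ttl 62, id 62869, offset 0, flags [none], proto UDP (17), length 56)
INTRANET_BIND.36467 > INTERNET_BIND_01.domain: [udp sum ok] 54648+ A? i.dell.com. (28)
11:24:28.868442 IP (tos 0x0, ttl 64, id 60507, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
11:24:33.446556 IP (tos 0x0, ttl 64, id 61464, offset 0, flags [none], proto UDP (17), length 529)
INTERNET_BIND_01.domain > INTRANET_BIND.36467: 54648 q: A? i.dell.com. 6/13/3 i.dell.com. CNAME[|domain]
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) IP ")
HDR_RE = re.compile(r"ttl (?P<ttl>\d+), id (?P<ipid>\d+),")
# "src.port > dst.port: [cksum verdict] txid[+] [q: ]TYPE? name" (verdict and "q: " optional)
DNS_RE = re.compile(
    r"(?P<src>[\w.-]+?)\.\w+ > (?P<dst>[\w.-]+?)\.\w+: "
    r"(?:\[(?P<cksum>[^\]]+)\] )?"
    r"(?P<txid>\d+)\+? (?P<resp>q: )?[A-Z]+\? (?P<qname>\S+)")


@dataclass
class Packet:
    ts: datetime       # capture timestamp (time of day only)
    ttl: int           # IP TTL as seen at this capture point
    ipid: int          # IP identification; unchanged by routers, so it matches across captures
    src: str
    dst: str
    cksum: str         # tcpdump's checksum verdict, "" when it printed none
    txid: int          # DNS transaction ID
    is_response: bool
    qname: str


def parse_capture(text):
    """Join tcpdump's header/payload line pairs and parse the UDP DNS ones."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    packets = []
    for rec in records:
        hdr, dns = HDR_RE.search(rec), DNS_RE.search(rec)
        if not (hdr and dns):
            continue  # not a DNS packet this parser understands (TCP, ICMP, ...)
        packets.append(Packet(
            ts=datetime.strptime(TS_RE.match(rec).group(1), "%H:%M:%S.%f"),
            ttl=int(hdr["ttl"]), ipid=int(hdr["ipid"]),
            src=dns["src"], dst=dns["dst"], cksum=dns["cksum"] or "",
            txid=int(dns["txid"]), is_response=dns["resp"] is not None,
            qname=dns["qname"]))
    return packets


def analyze(packets):
    """Per transaction ID: retransmit gaps, time to first answer, checksum complaints."""
    out = {}
    for p in packets:
        e = out.setdefault(p.txid, {"qname": p.qname, "queries": [], "responses": [], "bad_cksum": 0})
        e["responses" if p.is_response else "queries"].append(p.ts)
        e["bad_cksum"] += p.cksum.startswith("bad")
    for e in out.values():
        q, r = e["queries"], e["responses"]
        e["retry_gaps"] = [(b - a).total_seconds() for a, b in zip(q, q[1:])]
        e["time_to_first_response"] = (r[0] - q[0]).total_seconds() if q and r else None
    return out


def clock_offsets(cap_a, cap_b):
    """Seconds cap_a's clock is ahead of cap_b's, per packet seen in both (matched by IP ID).
    One-way network delay is folded in, so treat the spread of values as the uncertainty."""
    seen_b = {p.ipid: p.ts for p in cap_b}
    return {p.ipid: (p.ts - seen_b[p.ipid]).total_seconds() for p in cap_a if p.ipid in seen_b}


if __name__ == "__main__":
    for name, text in (("INTRANET_BIND", INTRANET_CAPTURE), ("INTERNET_BIND_01", INTERNET_CAPTURE)):
        for txid, e in analyze(parse_capture(text)).items():
            print(f"{name}: id {txid} {e['qname']} queries={len(e['queries'])} responses={len(e['responses'])} "
                  f"retry_gaps={[round(g, 3) for g in e['retry_gaps']]} "
                  f"first_answer_after={e['time_to_first_response']:.3f}s bad_cksum={e['bad_cksum']}")
    offs = clock_offsets(parse_capture(INTRANET_CAPTURE), parse_capture(INTERNET_CAPTURE))
    print(f"clock offset INTRANET_BIND minus INTERNET_BIND_01: {min(offs.values()):.3f}..{max(offs.values()):.3f}s")
```

On this input the three queries for ID 54648 are spaced 5 s apart and the first answer arrives about 10.5 s after the first query at both capture points, while the two hosts' clocks differ by roughly 16.79 s, so raw timestamps from the two captures should not be compared directly. A "bad udp cksum" that appears only in the sending host's own capture, while the receiving host reports "udp sum ok" for the same packets, is what transmit checksum offload looks like to tcpdump (the NIC fills in the checksum after the packet is captured) and is not by itself evidence of corruption on the wire.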