Can't resolve .orgs

  • Thread starter: Jeff

Jeff

Today a strange DNS(?) issue cropped up. We can surf the
Internet fine except for .org domains - other domains seem
fine. All users resolve against our DCs for our internal
AD domain and those servers use the root hints to resolve
all external queries. We don't run any kind of proxy and
we're not doing any kind of content filtering. Has anyone
ever seen this? Any hints on where to look?

J
 
Set up forwarders to your ISP's DNS servers instead of relying only on root
hints.
 
I've been set up this way for nearly 3 years - why would it
all of a sudden become an issue?

J
 
No idea, but I have always used forwarders. It's faster, for one thing - and
is recommended practice. Try it and see. Isn't it more important that the
problem get resolved?
 
Jeff said:
I've been set up this way for nearly 3 years - why would it
all of a sudden become an issue?

I dunno either, try this:
nslookup
set type=ns
org.

It should return these:
QUESTION SECTION:
org. IN NS

ANSWER SECTION:
org. 2049 IN NS tld1.ultradns.net.
org. 2049 IN NS tld2.ultradns.net.

ADDITIONAL SECTION:
tld1.ultradns.net. 2049 IN A 204.74.112.1
tld2.ultradns.net. 2049 IN A 204.74.113.1
 
It's faster, for one thing - and

It is not really that clear cut. A lot of factors would go into that.
is recommended practice.

By some. On the other hand most Bind folks recommend root hints over
forwarders. So this is not so clear cut either. I generally use forwarders
first but would also use root hints as forwarders can and do fail.
 
William said:
It is not really that clear cut. A lot of factors would go into that.

OK, but it's always been my experience that it's faster.

Well, not that MS invented DNS, but it's recommended by them.
On the other hand most Bind folks recommend root hints over
forwarders. So this is not so clear cut either. I generally use
forwarders first but would also use root hints as forwarders can and
do fail.

Yes - agreed; I use both.
 
I've been set up this way for nearly 3 years - why would it
all of a sudden become an issue?

Corruption of cache maybe, if you're hitting the same .org hosts. Or
maybe someone got a .org root configured on your DNS preventing
resolution from outside your server.

Jeff

 
OK, but it's always been my experience that it's faster.

Very well could be. However, to really know for sure, would need to do
specific testing in your environment and name usage patterns and cache
loading, forwarder loading, etc. If you have, for example, a domain name NS
that is already cached, then the resolver will find that NS as the closest
NS and query it directly with one query and one reply. In most cases, com,
net, org will already be cached so unknown second level domain will require
2 queries. For the most part, either method or both seems to work well in
most cases. Cheers.
 
J> Today a strange DNS(?) issue cropped up. We can surf the
J> Internet fine except for .org domains [...]

This happens from time to time, when the anycast "org." content DNS
servers (run by UltraDNS) that one happens to be routed to become
unresponsive or unreachable for some reason.

Show us the outputs of

dig @tld1.ultradns.net. whoareyou.ultradns.net. a
dig @tld2.ultradns.net. whoareyou.ultradns.net. a

(or the "netdig" equivalent - whose syntax for this isn't in its
documentation) and "traceroute"s to those IP addresses.
 
L> Set up forwarders to your ISP's DNS servers instead of relying
L> only on root hints.

That won't make any difference at all if the problem is the one that I
mentioned that regularly plagues the "org." content DNS servers.
 
L> It's faster, for one thing

No. It's not necessarily faster. It can easily be slower.

L> and is recommended practice.

No, it isn't. In some newsgroups the received wisdom is that it is poor
practice, in fact. In *these very* newsgroups, there was an extensive
discussion of the matter last year. The choice between forwarding
queries and performing query resolution oneself is a complex one
involving weighing several factors.

J> I've been set up this way for nearly 3 years - why would it
J> all of a sudden become an issue?

L> Isn't it more important that the problem get resolved?

The "change things at random until something works" approach sometimes
cures problems, but does so largely by accident, and also has strong
tendencies both to cause further problems and to not actually fix the
real problem at hand. Jeff is quite right to try to understand the
aetiology of his problem.

In other words: It is more important that Jeff knows whether this is (a)
simply the intermittent problem with the "org." content DNS servers that
I mentioned, (b) a result of an interaction with something that has
changed elsewhere that he didn't heretofore know was relevant (e.g. a
rule change on someone else's border router), (c) a bug in the software,
or (d) one of the several other possibilities. This is because he can
do much more, now and in the future, armed with such knowledge than he
could armed with no more than "If I perform a rain dance, my problem
sometimes goes away for a bit.".
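
An added example, not part of any post in this thread: a small Python probe that sends one non-recursive query straight to each "org." content server, as the dig commands above do, and separates "no reply" (node unreachable or unresponsive) from a reply carrying an error code. The function names and the fixed query ID are assumptions of this sketch; the two addresses are the ones quoted earlier in the thread.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a non-recursive (RD=0) DNS question, as sent to a content server."""
    # A fixed ID is acceptable for a one-off probe, never for a real resolver.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(reply, txid=0x1234):
    """Map a raw UDP reply (or None for no reply) to a diagnosis string."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        return "mismatch"
    return RCODES.get(flags & 0x000F, "rcode%d" % (flags & 0x000F))

def probe(server_ip, name, qtype=1, timeout=3.0):
    """Send one query straight to server_ip, bypassing the local resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            return "error: %s" % exc
    return classify(data)

if __name__ == "__main__":
    # Addresses as quoted in the thread; check them against the current
    # "org." NS set before relying on them.
    for ip in ("204.74.112.1", "204.74.113.1"):
        print(ip, probe(ip, "whoareyou.ultradns.net.", qtype=1))
```

A "timeout" from one address and an answer from the other points at the path to one anycast node rather than at the local DNS server's configuration.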
 