Bug 436280 - Some domains do not resolve on rhel5. For example: uci.cu
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind
Hardware: All Linux
Priority: low, Severity: urgent
Assigned To: Adam Tkac
Reported: 2008-03-06 06:02 EST by Center
Modified: 2013-04-30 19:38 EDT
Doc Type: Bug Fix
Last Closed: 2008-03-10 08:51:00 EDT
Attachments:
dig @a.root-servers.net uci.cu (1.27 KB, text/plain)
2008-03-10 08:05 EDT, Center
Description Center 2008-03-06 06:02:25 EST
Description of problem:

Some domains are not resolved on rhel5. For example: uci.cu

Version-Release number of selected component (if applicable):

How reproducible:

dig uci.cu

=> returns "SERVFAIL" on rhel5 / bind-9.3.3-10.el5
Succeeds on any other platform ( rhel4 for instance )

Steps to Reproduce:
1. install caching-nameserver-9.3.3-10.el5
2. set resolv.conf to go to
3. dig uci.cu
Actual results:
; <<>> DiG 9.3.3rc2 <<>> uci.cu
;; global options:  printcmd
;; connection timed out; no servers could be reached

Expected results:
; <<>> DiG 9.3.3rc2 <<>> uci.cu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;uci.cu.                                IN      A

uci.cu.                 7598    IN      SOA     ns1.uci.cu. jorge.uci.cu. 2008021800 28800 3600 2419200 10800

Additional info:

This is not a firewall issue. 2 servers are behind the same firewall, one running
rhel5, the other rhel4. The one running rhel5 cannot resolve this domain; the
one running rhel4 has no issue getting answers.
I reproduced the problem with xen kernel, x86_64 kernel and i386 kernels.
Comment 1 Adam Tkac 2008-03-10 07:29:33 EDT
Are you able to query root servers from the affected machine? (Try dig
@a.root-servers.net uci.cu for example). Also please try commenting out the
query-source and query-source-v6 options in /etc/named.caching-nameserver.conf,
and if this doesn't help, try setting the "edns-udp-size 512;" option. The system
log will also help; would it be possible to attach it, please?
Comment 2 Center 2008-03-10 08:05:01 EDT
Created attachment 297420
dig @a.root-servers.net uci.cu

Here is the result of the query to the root name servers
Comment 3 Center 2008-03-10 08:20:22 EDT
Dig root nameservers: Attachment #297420

Commenting out: "query-source port 53" solved the problem!

edns-udp-size 512; => Did not solve the problem
edns-enable no; => Did not solve the problem

No particular error message in system log or named.run.
When running tcpdump, it just looks like no answer packet is coming back after 
the queries.

The "query-source" trick did solve the issue, so I suppose this is not a bug in
bind itself, but in the firewall configuration on the other side?

Thanks anyway,


Comment 4 Adam Tkac 2008-03-10 08:51:00 EDT
There was a bug opened for the same issue
(https://bugzilla.redhat.com/show_bug.cgi?id=209954) but we never discovered where
exactly the problem is. I expect some misconfigured router or firewall somewhere
which drops packets with source port 53. If you find where exactly the problem is,
please write a comment here. Closing as notabug.
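
Added example, not part of the original bug report or of BIND itself: a small checker that lists the active query-source / query-source-v6 statements pinning a fixed source port in a named configuration, treating commented-out statements (the workaround from Comment 3) as inactive. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample modelled on the options discussed in this bug: one
# active fixed-port statement, one disabled with //, one inside /* */.
SAMPLE_CONF = """\
options {
    directory "/var/named";   # not a query-source line
    query-source port 53;
    // query-source-v6 port 53;
    /* query-source address * port 53; */
    query-source-v6 address * port *;
};
"""

# Quoted strings are matched first so comment markers inside them survive.
_TOKENS = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STATEMENT = re.compile(r'\b(query-source(?:-v6)?)\b([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\d+|\*)')

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    def replace(match):
        token = match.group(0)
        if token.startswith('"'):
            return token
        # Keep newlines so reported line numbers still match the file.
        return "\n" * token.count("\n")
    return _TOKENS.sub(replace, text)

def fixed_source_ports(conf_text):
    """Return (line, option, port) for each active statement pinning a port."""
    clean = strip_comments(conf_text)
    findings = []
    for stmt in _STATEMENT.finditer(clean):
        port = _PORT.search(stmt.group(2))
        if port and port.group(1) != "*":
            line = clean.count("\n", 0, stmt.start()) + 1
            findings.append((line, stmt.group(1), int(port.group(1))))
    return findings

if __name__ == "__main__":
    for line, option, port in fixed_source_ports(SAMPLE_CONF):
        print(f"line {line}: {option} pins outgoing queries to source port {port}")
```
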
