/etc/resolv.conf and DNS --- *must* named be running?


Post by Brian Schoneck » Wed, 18 Sep 2002 05:40:23



I've got a test PC that I'm going to set up a name server on to host my
company's public web site.  I'm going to run the DNS server myself
rather than pay someone else to do it.

I've been having some serious trouble with DNS, nslookup and such.
Some sites can do an nslookup to my domain, some cannot......

I'm installing a new server independent of my main network and
internal DNS server.  This server is a RedHat Linux 7.3 server.

So I'm starting from the very beginning -- no DNS, just testing my
/etc/resolv.conf configuration.

When I point my /etc/resolv.conf file to the ip address of
ns1.savvis.net, I cannot connect to any machines/web sites/etc that are
outside of [what I think] is the 'network owned by Savvis'.  The reason
that I say this is because of the three web sites that I attempt to
connect to I know that at least two of them have contracts with Savvis
(One Net Communications and Symanet, Inc.)

my /etc/resolv.conf file is:

nameserver 209.16.211.42

When I try to connect to a site like E*.com, I get the following:

%> lynx www.e*.com

Alert!: Unable to access document.

Looking up www.e*.com first
Looking up www.e*.com.com, guessing...
Looking up www.e*.com.edu, guessing...
Looking up www.e*.com.net, guessing...
Looking up www.e*.com.org, guessing...
Can't Access `file://localhost/etc/sysconfig/network-scripts/www.e*.com'
Alert!: Unable to access document.

lynx: Can't access startfile

But if I change my /etc/resolv.conf file to point to a name server not
owned by Savvis (ns1.one.net), everything works normally.  eg:

/etc/resolv.conf:

nameserver 66.83.39.4

%> lynx www.e*.com

[the E* home page appears normally].

Does Savvis somehow filter this resolution?  This hasn't been an issue
before this time because I am running a caching name server on my
gateway to the Internet.  THIS server, however absolutely must not run
DNS or a caching name server.  I'm sure that the admin at One.net
wouldn't want me to use his name server for my own purposes.  It is
worth noting that ns2 and ns3.savvis.net exhibit this behavior as well.

 
 
 


Post by Ian Northeas » Wed, 18 Sep 2002 07:05:48



> I've got a test PC that I'm going to set up a name server on to host my
> company's public web site.  I'm going to run the DNS server myself
> rather than pay someone else to do it.

> I've been having some serious trouble with DNS, nslookup and such.
> Some sites can do an nslookup to my domain, some cannot......

This doesn't appear to relate to the rest of your post and since you
don't say what the domain is I cannot comment.

> I'm installing a new server independent of my main network and
> internal DNS server.  This server is a RedHat Linux 7.3 server.

> So I'm starting from the very beginning -- no DNS, just testing my
> /etc/resolv.conf configuration.

> When I point my /etc/resolv.conf file to the ip address of
> ns1.savvis.net, I cannot connect to any machines/web sites/etc that are
> outside of [what I think] is the 'network owned by Savvis'.  The reason
> that I say this is because of the three web sites that I attempt to
> connect to I know that at least two of them have contracts with Savvis
> (One Net Communications and Symanet, Inc.)

> my /etc/resolv.conf file is:

> nameserver 209.16.211.42

> When I try to connect to a site like E*.com, I get the following:

> %> lynx www.e*.com

> Alert!: Unable to access document.

(snip)

Ns1.savvis.net is not configured to answer recursive queries[1]. This is
quite normal for a nameserver which is intended just to answer queries
for its own domain(s) and not to be a general purpose client serving
nameserver. It will be answering your query with a referral to the
roots, which another nameserver will follow but a resolver cannot.
Resolvers expect to communicate with recursive servers.

Why did you choose this for your nameserver? I sincerely doubt that any
competent authority would have told you to do so.

All ISPs provide recursive caching nameservers for their customers. Why
not use these? Or, if you can't for whatever reason, set yourself up a
caching nameserver. It's very easy on RH, they provide a
"caching-nameserver" RPM which does it for you.

If you want to know more about how DNS works then get a copy of the
O'Reilly "DNS and Bind" book and read it. If you intend to run a
nameserver on the Internet you really should read this.

Regards, Ian

[1] Not for me anyway, and evidently not for you either. It is possible
to configure this selectively depending on the client's address.

 
 
 


Post by Brian Schoneck » Wed, 18 Sep 2002 21:14:27



> Why did you choose this for your nameserver? I sincerely doubt that any
> competent authority would have told you to do so.

'Cause they told me to!  :-)

I have my contract from two years ago and it states to use
ns1.savvis.net and ns2 and ns3.savvis.net as name servers.

> Ns1.savvis.net is not configured to answer recursive queries[1]. This is
> quite normal for a nameserver which is intended just to answer queries
> for its own domain(s) and not to be a general purpose client serving
> nameserver.

How did you determine this?  I purchased the O'Reilly book Sunday --
which is probably why all this is popping up now.

Anyhoo I sent a copy of the original posting to the Savvis tech
support and they gave me new IP addresses for resolvers that work
fine!

Thanks, Brian

 
 
 


Post by Ian Northeas » Thu, 19 Sep 2002 05:03:11




> > Why did you choose this for your nameserver? I sincerely doubt that any
> > competent authority would have told you to do so.

> 'Cause they told me to!  :-)

> I have my contract from two years ago and it states to use
> ns1.savvis.net and ns2 and ns3.savvis.net as name servers.

Possibly these were recursive servers then and they have since changed
them. But they should have told you if so. Another possibility is that
they will answer recursively for clients on your main network but not
for the one you are running this machine on. You did mention in your
original post that this new server is independent of your main network.
Maybe they meant you only to use those servers from the main network.

> > Ns1.savvis.net is not configured to answer recursive queries[1]. This is
> > quite normal for a nameserver which is intended just to answer queries
> > for its own domain(s) and not to be a general purpose client serving
> > nameserver.

> How did you determine this?  I purchased the O'Reilly book Sunday --
> which is probably why all this is popping up now.

I asked it a question about one of their own names:



; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      www.savvis.net, type = A, class = IN

;; ANSWER SECTION:
www.savvis.net.         4H IN A         216.91.187.130

;; AUTHORITY SECTION:
savvis.net.             4H IN NS        ns1.savvis.net.
savvis.net.             4H IN NS        ns2.savvis.net.
savvis.net.             4H IN NS        ns3.savvis.net.

;; ADDITIONAL SECTION:
ns1.savvis.net.         4H IN A         209.16.211.42
ns2.savvis.net.         4H IN A         204.194.10.206
ns3.savvis.net.         4H IN A         209.83.162.35

As you see I got an answer. Then I asked it about a valid name which is
not theirs:



; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;      www.ibm.com, type = A, class = IN

;; AUTHORITY SECTION:
com.                    4h7m13s IN NS   A.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   G.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   H.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   C.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   I.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   B.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   D.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   L.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   F.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   J.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   K.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   E.GTLD-SERVERS.NET.
com.                    4h7m13s IN NS   M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.     26m47s IN A     192.5.6.30
G.GTLD-SERVERS.NET.     1d22h7m6s IN A  192.42.93.30
H.GTLD-SERVERS.NET.     1d20h17m IN A   192.54.112.30
C.GTLD-SERVERS.NET.     1d21h56m14s IN A  192.26.92.30
I.GTLD-SERVERS.NET.     19m56s IN A     192.43.172.30
B.GTLD-SERVERS.NET.     1d22h24m25s IN A  192.33.14.30
D.GTLD-SERVERS.NET.     1d22h24m25s IN A  192.31.80.30
L.GTLD-SERVERS.NET.     3d18h36m28s IN A  192.41.162.30
F.GTLD-SERVERS.NET.     5d20h16m17s IN A  192.35.51.30
J.GTLD-SERVERS.NET.     1d22h13m58s IN A  210.132.100.101
K.GTLD-SERVERS.NET.     1m8s IN A       192.52.178.30
E.GTLD-SERVERS.NET.     1d20h27m5s IN A  192.12.94.30
M.GTLD-SERVERS.NET.     1d16h37m4s IN A  192.55.83.30

And got a referral. Note the status of "NOERROR" but 0 answers. This
referral is to the GTLD servers which suggests that it has ".com"
cached, which seems reasonable. Had the server been prepared to answer
recursively, it would have given an answer (www.ibm.com being a name
which generally resolves correctly).

The problem as you first stated it - fortunately you stated the problem
clearly and precisely, something many do not - appeared to be a classic
case of attempting to use a nonrecursive server directly from a client
resolver, so it was the first answer which occurred to me. Those two
quick tests confirmed it.

Read the book and all will become clear.

Regards, Ian

 
 
 


Post by Mark Damros » Thu, 19 Sep 2002 06:16:12



> > > Ns1.savvis.net is not configured to answer recursive queries[1]. This is
> > > quite normal for a nameserver which is intended just to answer queries
> > > for its own domain(s) and not to be a general purpose client serving
> > > nameserver.

> > How did you determine this?  I purchased the O'Reilly book Sunday --
> > which is probably why all this is popping up now.

> I asked it a question about one of their own names:



> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
> ;; QUERY SECTION:
> ;;      www.savvis.net, type = A, class = IN

> ;; ANSWER SECTION:
> www.savvis.net.         4H IN A         216.91.187.130

> ;; AUTHORITY SECTION:
> savvis.net.             4H IN NS        ns1.savvis.net.
> savvis.net.             4H IN NS        ns2.savvis.net.
> savvis.net.             4H IN NS        ns3.savvis.net.

> ;; ADDITIONAL SECTION:
> ns1.savvis.net.         4H IN A         209.16.211.42
> ns2.savvis.net.         4H IN A         204.194.10.206
> ns3.savvis.net.         4H IN A         209.83.162.35

> As you see I got an answer. Then I asked it about a valid name which is
> not theirs:



> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; QUERY SECTION:
> ;;      www.ibm.com, type = A, class = IN

> ;; AUTHORITY SECTION:
> com.                    4h7m13s IN NS   A.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   G.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   H.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   C.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   I.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   B.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   D.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   L.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   F.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   J.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   K.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   E.GTLD-SERVERS.NET.
> com.                    4h7m13s IN NS   M.GTLD-SERVERS.NET.

> ;; ADDITIONAL SECTION:
> A.GTLD-SERVERS.NET.     26m47s IN A     192.5.6.30
> G.GTLD-SERVERS.NET.     1d22h7m6s IN A  192.42.93.30
> H.GTLD-SERVERS.NET.     1d20h17m IN A   192.54.112.30
> C.GTLD-SERVERS.NET.     1d21h56m14s IN A  192.26.92.30
> I.GTLD-SERVERS.NET.     19m56s IN A     192.43.172.30
> B.GTLD-SERVERS.NET.     1d22h24m25s IN A  192.33.14.30
> D.GTLD-SERVERS.NET.     1d22h24m25s IN A  192.31.80.30
> L.GTLD-SERVERS.NET.     3d18h36m28s IN A  192.41.162.30
> F.GTLD-SERVERS.NET.     5d20h16m17s IN A  192.35.51.30
> J.GTLD-SERVERS.NET.     1d22h13m58s IN A  210.132.100.101
> K.GTLD-SERVERS.NET.     1m8s IN A       192.52.178.30
> E.GTLD-SERVERS.NET.     1d20h27m5s IN A  192.12.94.30
> M.GTLD-SERVERS.NET.     1d16h37m4s IN A  192.55.83.30

> And got a referral. Note the status of "NOERROR" but 0 answers. This
> referral is to the GTLD servers which suggests that it has ".com"
> cached, which seems reasonable. Had the server been prepared to answer
> recursively, it would have given an answer (www.ibm.com being a name
> which generally resolves correctly).

> The problem as you first stated it - fortunately you stated the problem
> clearly and precisely, something many do not - appeared to be a classic
> case of attempting to use a nonrecursive server directly from a client
> resolver, so it was the first answer which occurred to me. Those two
> quick tests confirmed it.

> Read the book and all will become clear.

> Regards, Ian

In addition to deducing from the responses that it does not do recursion,
the flags state it explicitly.  The first query, for one of their names,
returned "flags: qr aa rd": query response, authoritative answer and recursion
desired.  Note that the recursion available flag is not set.
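
Added example (not part of any post in this thread): the flag check described above, done on the raw 12-byte DNS header instead of dig's text output. The sample messages are constructed from the two header lines Ian posted, plus one hypothetical reply from a recursive server; the function names are this example's own.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header that starts every DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }

def classify(msg: bytes) -> str:
    """Describe a reply the way a stub resolver (resolv.conf client) sees it."""
    h = parse_header(msg)
    flags = h["flags"]
    if "qr" not in flags:
        return "not a response"
    if h["rcode"] != "NOERROR":
        return "error: " + h["rcode"]
    if "ra" not in flags and "aa" not in flags and h["answer"] == 0 and h["authority"] > 0:
        # NOERROR, zero answers, only NS data, no RA: the server is pointing elsewhere.
        return "referral, recursion not available"
    if "aa" in flags:
        return "authoritative answer" + ("" if "ra" in flags else ", recursion not available")
    return "recursive answer" if "ra" in flags else "non-authoritative answer, recursion not available"

# Constructed samples: header bytes rebuilt from the two dig header lines in the
# thread, plus a hypothetical reply from a recursive server for comparison.
OWN_NAME = struct.pack("!6H", 6, 0x8500, 1, 1, 3, 3)        # flags: qr aa rd
FOREIGN_NAME = struct.pack("!6H", 6, 0x8100, 1, 0, 13, 13)  # flags: qr rd
RECURSIVE = struct.pack("!6H", 6, 0x8180, 1, 1, 0, 0)       # flags: qr rd ra (hypothetical)

if __name__ == "__main__":
    for label, msg in (("own name", OWN_NAME), ("foreign name", FOREIGN_NAME), ("recursive", RECURSIVE)):
        print(f"{label:13} {' '.join(parse_header(msg)['flags']):9} {classify(msg)}")
```

The classification uses only the header, so it separates a referral from a recursive server's empty answer by the missing `ra` bit rather than by inspecting the authority records.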
 
 
 


Post by Brian Schoneck » Fri, 20 Sep 2002 23:16:50



> Read the book and all will become clear.

God, I only hope so!  Seems that I'm having yet more troubles with
Savvis's name servers.  Unfortunately, I do not have the expertise or
experience to ask intelligent questions to them.  And the Dns and Bind
book puts me to sleep!

Brian

 
 
 


Post by Ian Northeas » Sun, 22 Sep 2002 04:48:49




> > Read the book and all will become clear.

> God, I only hope so!  Seems that I'm having yet more troubles with
> Savvis's name servers.  Unfortunately, I do not have the expertise or
> experience to ask intelligent questions to them.  And the Dns and Bind
> book puts me to sleep!

Now you come to mention it I did used to use it as bedtime reading:)

It took me a few weeks to get through it, and I clearly need to read it
again. The last time I read it from start to end it was edition 2; now
it's edition 4 and I am getting out of date, or I would have spotted the
obvious point which Mark made. Edition 2 didn't cover dig IIRC.

Regards, Ian

 
 
 
