DNS Troubleshooting - Assumptions and Problem Breakdown
0 likes55 views
The document outlines troubleshooting techniques for DNS issues, emphasizing tools like ping, traceroute, and dig. It details the process for resolving domain names and identifying potential failure causes on various server sides, including authoritative and client configurations. Recommendations for diagnosing problems include using alternative resolvers and confirming internet connectivity, with examples of specific queries provided to illustrate effective troubleshooting.
DNS Troubleshooting - Assumptions and Problem Breakdown
- 1. Troubleshooting - Assumptions and Problem Breakdown - Matsuzaki ʻmazʼ Yoshinobu <maz@iij.ad.jp> bdNOG18 maz@iij.ad.jp 1
- 2. Simple tools are useful • ping, traceroute, dig, and etc. • ping: • More powerful if you know • The assumptions • How to read the result bdNOG18 maz@iij.ad.jp 2
- 3. dig soa bd @dns.bd 1. Name resolution of ”dns.bd” with the hostʼs resolver • Actually querying ”A” and/or “AAAA” of “dns.bd” • If name resolution fails, dig ends in error 2. Send “bd SOA” query to the resolved IP addresses • RD (recursion desired) on by default bdNOG18 maz@iij.ad.jp 3
- 4. dig soa bd @dns.bd dns.bd .bd ccTLD servers root servers Full-service Resolver 1) resolving “dns.bd” 2) “bd SOA” query bdNOG18 maz@iij.ad.jp 4
- 5. when 1) fails, the command fails dns.bd .bd ccTLD servers root servers Full-service Resolver 1) resolving “dns.bd” bdNOG18 maz@iij.ad.jp 5
- 6. Possible reasons of the failure 1. Full resolver side • Service issue (IP reachability, packet filtering) • named issue (process, capability, configuration) 2. Client side • Reachability issue (IP reachability, packet filtering) • No resolver (local resolver, nameserver configuration) 3. Authoritative server side • Service issue (IP reachability, packet filtering) • named issue (process, capability, configuration) • zone configuration issue (zone cut, DNSSEC, transfer) Engineers can point out the specific reason bdNOG18 maz@iij.ad.jp 6
- 7. Need some !যাগাড় in case of DNS issue • Cannot use hostname • No problem to include QNAME in query though • Cannot rely on Full-service Resolver functionality • Cache contents • Recursive mode • DNSSEC validation bdNOG18 maz@iij.ad.jp 7
- 8. Where to start 1. Try another Full-service resolver • Open DNS services • Ex. $ dig soa bd @1.1.1.1 2. Ensure you have a healthy Internet connection • Especially TCP/53 and UDP/53 for DNS troubleshooting 3. Isolating the problem by querying authoritative servers • IPv6 and IPv4 are different protocol • The response can vary depending on how zone information is cofingured bdNOG18 maz@iij.ad.jp 8
- 9. Querying one by one • $ dig +norec NS bd @a.root-servers.net • +norec : To disable recursion, off the RD (Recursive Desired) bit • NS bd : QTYPE “NS” and QNAME “bd” • @a.root-servers.net : sending the query to a.root-servers.net # Assuming a.root-servers.net is resolvable • Expecting Glue records • NS records for bd • A and AAAA records for the bd NS servers bdNOG18 maz@iij.ad.jp 9
- 10. 4 NS hosts, 8 IP addresses • 4 hosts serving as bd ccTLD nameservers • dns.bd, jamuna.btcl.net.bd, surma.btcl.net.bd, and bd-ns.anycast.pch.net • Each host has IPv6 and IPv4 addresses • Send a direct query to the individual IP addresses • 8 times of ”dig +norec SOA bd @<IP address>” bdNOG18 maz@iij.ad.jp 10
- 11. Observations at ”that” time name-servers Query: SOA bd dns.bd jamuna.btcl.net.bd surma.btcl.net.bd SERVFAIL bd-ns.anycast.pch.net SOA serial 2023060867 ; <<>> DiG 9.10.6 <<>> ns bd @1.1.1.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41885 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 5 3 20 66 6f 75 6e 64 20 66 6f 72 20 62 64 2e ("..no SEP matching the DS found for bd.") ; OPT=15: 00 17 31 32 33 2e 34 39 2e 31 32 2e 31 31 32 3a 35 33 20 72 63 6f 64 6 5 3d 53 45 52 56 46 41 49 4c 20 66 6f 72 20 62 64 20 44 4e 53 4b 45 59 ("..123.49.12.112:53 rcode=SERVFAIL for bd DNSKEY") Only one out of four could responds without DNS error DNSSEC failure on bd bdNOG18 maz@iij.ad.jp 11
- 12. Some tricky parts *1) gov.bd, com.bd, net.bd, org.bd, ac.bd, and so on • Those are not DNSSEC-signed • If you did “dig +norec www.bdren.net.bd @123.49.12.112” at ”that” time, it worked as expected name-servers SOA bd SOA for subdomains (*1) dns.bd jamuna.btcl.net.bd surma.btcl.net.bd SERVFAIL OK bd-ns.anycast.pch.net SOA serial 2023060867 OK bdNOG18 maz@iij.ad.jp 12
- 13. Several zones in a server • Even the parent (bd) zone is failed, the servers can reply an answer from its subdomain (ex. net.bd) zone .bd ccTLD servers www.bdren.net.bd query bd zone gov.bd zone com.bd zone net.bd zone bdNOG18 maz@iij.ad.jp 13
- 14. My guess at ”that” time • 3 nameservers failed to load bd zone file • Could be some DNSSEC singing issues, as other un-signed subdomains were loaded as expected • 1 nameserver kept (old) bd zone file and answering • RRSIG (digital signature by DNSSEC) was expired • This caused DNSSEC verification error • Worked as expected for the system, but unexpected for users bdNOG18 maz@iij.ad.jp 14
- 15. Some possible improvements • Monitoring • Zone file generation • Singing and transfer • SOA serial sync among nameservers • Point of Contact • Trouble information • Technical information bdNOG18 maz@iij.ad.jp 15
- 16. Example: JP DNS • The nameservers for the .jp ccTLD are managed by the JPRS, the .jp registry, with the cooperation of various organizations in the Japanese internet industry. Server name Organization a.dns.jp JPRS (.jp Registry) b.dns.jp JPNIC (Japan NIR) c.dns.jp JPRS d.dns.jp IIJ (Commercial ISP) e.dns.jp WIDE (Research Consortium) f.dns.jp NII (Academic Research Institute) g.dns.jp JPRS h.dns.jp JPRS bdNOG18 maz@iij.ad.jp 16