Feel free to skip this, it’s going to be geeky…
I’ve been running Bind as a DNS server for years now; both for our internal network and as authoritative for this website. It’s been stable and working fine for many iterations of DSL and now cable ISP service. It’s possible, though I don’t honestly remember, that I was running (an older version of Bind) way back in the Ricochet wireless modem days.
And I’ve always been a control freak so I’ve had it configured as the resolver for our internal network. If the query is not for something on our network, it goes to the root servers and tracks down the correct IP address.
So I was flummoxed when my Comcast service was upgraded and suddenly my internal DNS servers could no longer get resolution for external systems. The upgrade was meant to be simple: new modem, faster service. “This year’s deal.” And it worked fine for everything except DNS resolution — which means it effectively worked fine for public access to this site, but was significantly broken for our use here going out to the Internet.
My flummoxation was of the compound variety: a simple upgrade, which clearly didn’t break connectivity, did break that one key function. And if we queried a public DNS server directly rather than our internal Bind servers, it worked fine.
But, control freak that I am, our internal network is a different domain from the public one (registered and paid for, but not published). So relying on public DNS alone would leave us blind to our intranet.
I had iftop running, was tailing logs, and was capturing with tcpdump for Wireshark, and nothing stood out to me as the problem. I just got status: SERVFAIL for external addresses, while everything internal was fine.
As I was scratching my head and looking for better Bind debug options, I ran across the documentation for forwarding. Since I could query external DNS on the command line fine, I thought it was worth a shot (though not my preferred option).
That worked. I’m sending more traffic to (and I’m more reliant on) Comcast and Google’s DNS servers. But it’s working.
I would welcome explanations or theories, but now I’m just going to bed. I expect it’s something in the format of an “internal” query from Bind (following the path from the root name servers to the authoritative name servers) versus just asking someone else to do that leg work.
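For anyone who wants to reproduce the forwarding fix described above, here is an added example of the relevant named.conf options; it is not the configuration from this post, and the forwarder addresses, the internal zone name, the file paths, and the 192.168.0.0/16 internal range are all placeholders to be replaced with your own values. It also shows the two choices a practitioner has to make here: "forward only" versus "forward first", and what forwarding does to DNSSEC validation.

```conf
// Added example (not from the original post): a BIND named.conf "options" block
// that switches a recursive resolver from iterative resolution (walking down
// from the root servers) to forwarding. All addresses, names and paths are
// placeholders.
options {
    directory "/var/cache/bind";

    // Recurse only for the internal network (placeholder range 192.168.0.0/16);
    // the authoritative zones stay queryable by anyone.
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    allow-query     { any; };

    // Forwarding: hand every query this server is not authoritative for to
    // these resolvers instead of tracking it down from the root servers.
    forwarders {
        203.0.113.53;   // placeholder: ISP resolver
        198.51.100.53;  // placeholder: second resolver
    };

    // "forward only" never falls back to iterative resolution. With
    // "forward first" BIND retries the root-to-authoritative path whenever the
    // forwarders fail, which on a network where that path returns SERVFAIL
    // only adds delay before the same failure.
    forward only;

    // With "auto", BIND still validates DNSSEC itself, so the forwarders must
    // return RRSIG/DS records unmodified; a forwarder that strips them turns
    // every signed name into a SERVFAIL of a different origin.
    dnssec-validation auto;
};

// The internal, unpublished zone (placeholder name) is still served locally;
// forwarding applies only to names this server is not authoritative for.
zone "intranet.example" {
    type master;
    file "/etc/bind/db.intranet.example";
};
```

After editing, run named-checkconf to catch syntax errors before reloading with rndc reload. To confirm the two paths behave differently on the same host, compare dig @127.0.0.1 for an external name (now answered via the forwarders) with dig +trace for the same name, which performs the root-to-authoritative walk from the command line and should show the same failure the resolver hit before forwarding was enabled.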
But first a shout out to Bill at Comcast. He was not able to point me to a fix, but he tried very hard and was as helpful as he could be. (And I know my situation is not very common.)