ChadDavis wrote:
> Bob Proulx wrote:
> > It doesn't work that way. Nameservers listed in /etc/resolv.conf are
> > tried in order. The first one that can be contacted is the one used.
> > If a contacted nameserver does not know about a name then it is a
> > negative response. No other nameservers are contacted.
> >
> > The reason for listing up to three nameservers is that if one is
> > offline then it will fall through to the next one. But when the first
> > one answers then the answer it provides will be authoritative. See
>
> Ok. I believe you are correct on this behavior, i.e. if I have two DNS
> nameservers configured, the second one is purely a failover. In other
> words, if the first one can't resolve a given hostname, it does NOT then
> consult the second one. The second nameserver is only contacted if the
> first one is down. This is what I understand you to have said. And I do
> believe you.

I have been known to be wrong. As recently as yesterday. This is my
first posting today. The day is young. I have plenty of time for
mistakes today. :-)

> But when I try to resolve a hostname that I know isn't valid, it sure looks
> like the second one is consulted. Here's my output from nslookup on an
> invalid hostname.
>
> chadmichael@heraclitus:~$ nslookup chad-vm2
> ;; Got SERVFAIL reply from 10.110.199.20, trying next server
> Server:         10.110.200.85
> Address:        10.110.200.85#53
>
> ** server can't find chad-vm2: SERVFAIL

How interesting. I believe you too. But it says SERVFAIL not NXDOMAIN.
If the first server fails then it should fall through to the next one.
Why is your first server failing? That seems interesting.

What is your hosts line for /etc/nsswitch.conf?

  $ grep hosts /etc/nsswitch.conf
  hosts:          files dns

It is possible to have various options there. Perhaps?

Also nslookup is a tool specifically for querying DNS. Which means that
it isn't quite the same as gethostbyname(3) would return. Any program
that calls gethostbyname(3) will follow nsswitch.conf. There is the
"getent" program. What does it say?

  $ getent hosts foo.invalid

In any case, back to the original topic. I tried an experiment. I ran
"tcpdump -lni any port domain" and ran "nslookup foo.invalid".

  root@torpid:~# tcpdump -lni any port domain
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
  12:52:26.405277 IP 192.168.230.120.42194 > 192.168.230.109.53: 25599+ A? foo.invalid. (29)
  12:52:26.405761 IP 192.168.230.109.53 > 192.168.230.120.42194: 25599 NXDomain 0/1/0 (104)
  12:52:26.406278 IP 192.168.230.120.48452 > 192.168.230.109.53: 36232+ A? foo.invalid.proulx.com. (40)
  12:52:26.406682 IP 192.168.230.109.53 > 192.168.230.120.48452: 36232 NXDomain* 0/1/0 (95)

It only contacted the first server listed, 192.168.230.109, and did not
contact the second server listed, 192.168.230.119. So I believe that it
really is only querying the first server.

> Doesn't this mean that .20 said "I can't resolve that hostname", and this
> caused a second attempt at my second nameserver .85? This contradicts what
> I thought you had explained. How does this all relate?

You apparently have two nameservers listed in /etc/resolv.conf.

  nameserver 10.110.199.20
  nameserver 10.110.200.85

Your lookup said:

> chadmichael@heraclitus:~$ nslookup chad-vm2
> ;; Got SERVFAIL reply from 10.110.199.20, trying next server
> Server:         10.110.200.85

But that is SERVFAIL. It got a failure from that server. Why did that
server fail? Does it always fail? I think something may be interesting
about the configuration there. Is it trying to do a recursive lookup
but unable to perform the action such as due to a firewall or other?

I want to set up a test case of a remote nameserver blocked by a
firewall to see if that gives a SERVFAIL but lack the time today.

Could you look at your .20 nameserver and see why it is failing?

Could you reverse the order of the nameserver lines in your resolv.conf
file and try it again? Any difference?

  nameserver 10.110.200.85
  nameserver 10.110.199.20

Interesting stuff...

Bob
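The distinction the thread turns on is the response code: a server that answers NXDOMAIN has given a final negative answer, while SERVFAIL (like no answer at all) sends the stub resolver on to the next `nameserver` line. The model below is an added example, not code from either poster; it parses the RCODE out of a DNS header and walks a server list the way Chad's nslookup output and Bob's tcpdump capture show. The server addresses are the ones in the thread; `build_response`, `FakeNetwork` and the three case functions are constructed for the example, and no real network traffic is sent.

```python
"""Model of how a stub resolver walks /etc/resolv.conf nameservers,
treating SERVFAIL as 'try the next server' and NXDOMAIN as a final answer."""
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3


def build_response(txid, rcode, qname):
    """Constructed DNS response: header plus echoed question, no answer RRs.
    Test data built for this example, not a captured packet."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode          # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = wire_name + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return header + question


def parse_rcode(pkt):
    """Return (transaction id, RCODE) from the 12-byte DNS header."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", pkt[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F


def resolve(qname, servers, send):
    """Walk the nameserver list in order. `send(server, qname)` returns the
    response bytes or None when the server does not answer. No answer or
    SERVFAIL moves on to the next server; any other reply, NXDOMAIN
    included, is final and later servers are never contacted."""
    last = (None, None)
    for server in servers:
        pkt = send(server, qname)
        if pkt is None:
            continue                       # offline: fall through to the next one
        _, rcode = parse_rcode(pkt)
        if rcode == RCODE_SERVFAIL:
            last = (server, rcode)         # "Got SERVFAIL reply ..., trying next server"
            continue
        return server, rcode
    return last                            # every server failed or was unreachable


class FakeNetwork:
    """Stand-in for the wire: canned RCODE per server (None = no answer),
    plus a log of which servers were actually queried."""
    def __init__(self, answers):
        self.answers = answers
        self.queried = []

    def send(self, server, qname):
        self.queried.append(server)
        rcode = self.answers[server]
        return None if rcode is None else build_response(0x1234, rcode, qname)


def chads_case():
    # Both of Chad's servers return SERVFAIL for chad-vm2, so both get asked.
    net = FakeNetwork({"10.110.199.20": RCODE_SERVFAIL, "10.110.200.85": RCODE_SERVFAIL})
    result = resolve("chad-vm2", ["10.110.199.20", "10.110.200.85"], net.send)
    return result, net.queried


def bobs_case():
    # Bob's first server answers NXDOMAIN; the second is never contacted.
    net = FakeNetwork({"192.168.230.109": RCODE_NXDOMAIN, "192.168.230.119": RCODE_NXDOMAIN})
    result = resolve("foo.invalid", ["192.168.230.109", "192.168.230.119"], net.send)
    return result, net.queried


def offline_case():
    # First server down entirely: the query falls through to the second.
    net = FakeNetwork({"10.110.199.20": None, "10.110.200.85": RCODE_NXDOMAIN})
    result = resolve("chad-vm2", ["10.110.199.20", "10.110.200.85"], net.send)
    return result, net.queried


if __name__ == "__main__":
    for case in (chads_case, bobs_case, offline_case):
        (server, rcode), queried = case()
        print(f"{case.__name__}: answer from {server} rcode={rcode}, queried={queried}")
```

Run against a real server, the same distinction shows up in tcpdump as Bob's capture does: `NXDomain` in the reply line means the resolver stops there, whereas a `ServFail` reply is followed by a fresh query to the next address in resolv.conf.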