
Re: how to properly add a dns server

ChadDavis wrote:
> Bob Proulx wrote:
> > It doesn't work that way.  Nameservers listed in /etc/resolv.conf are
> > tried in order.  The first one that can be contacted is the one used.
> > If a contacted nameserver does not know about a name then it is a
> > negative response.  No other nameservers are contacted.
> >
> > The reason for listing up to three nameservers is that if one is
> > offline then it will fall through to the next one.  But when the first
> > one answers then the answer it provides will be authoritative.  See
> Ok. I believe you are correct on this behavior, i.e. if I have two DNS
> nameservers configured, the second one is purely a failover.  In other
> words, if the first one can't resolve a given hostname, it does NOT then
> consult the second one.  The second nameserver is only contacted if the
> first one is down.  This is what I understand you to have said.  And I do
> believe you.

I have been known to be wrong.  As recently as yesterday.  This is my
first posting today.  The day is young.  I have plenty of time for
mistakes today.  :-)

> But when I try to resolve a hostname that I know isn't valid, it sure looks
> like the second one is consulted.  Here's my output from nslookup on a
> invalid hostname.
> chadmichael@heraclitus:~$ nslookup chad-vm2
> ;; Got SERVFAIL reply from, trying next server
> Server:
> Address:
> ** server can't find chad-vm2: SERVFAIL

How interesting.  I believe you too.  But it says SERVFAIL not
NXDOMAIN.  If the first server fails then it should fall through to
the next one.  Why is your first server failing?  That seems

What is your hosts line for /etc/nsswitch.conf?

  $ grep hosts /etc/nsswitch.conf 
  hosts:          files dns

It is possible to have various options there.  Perhaps?

Also nslookup is a tool specifically for querying DNS.  Which means
that it isn't quite the same as gethostbyname(3) would return.  Any
program that calls gethostbyname(3) will follow nsswitch.conf.  There
is the "getent" program.  What does it say?

  $ getent hosts foo.invalid

In any case, back to the original topic.  I tried an experiment.  I
ran "tcpdump -lni any port domain" and ran "nslookup foo.invalid".

  root@torpid:~# tcpdump -lni any port domain 
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
  12:52:26.405277 IP > 25599+ A? foo.invalid. (29)
  12:52:26.405761 IP > 25599 NXDomain 0/1/0 (104)
  12:52:26.406278 IP > 36232+ A? foo.invalid.proulx.com. (40)
  12:52:26.406682 IP > 36232 NXDomain* 0/1/0 (95)

It only contacted the first server listed, and did not contact the
second server listed.  So I believe that it really is only querying
the first server.

> Doesn't this mean that .20 said "I can't resolve that hostname", and this
> caused a second attempt at my second nameserver .85?  This contradicts what
> I thought you had explained.  How does this all relate?

You apparently have two nameservers listed in /etc/resolv.conf.


Your lookup said:

> chadmichael@heraclitus:~$ nslookup chad-vm2
> ;; Got SERVFAIL reply from, trying next server
> Server:

But that is SERVFAIL.  It got a failure from that server.  Why did
that server fail?  Does it always fail?  I think something may be
interesting about the configuration there.

Is it trying to do a recursive lookup but unable to perform the action
such as due to a firewall or other?  I want to set up a test case of a
remote nameserver blocked by a firewall to see if that gives a
SERVFAIL but lack the time today.  Could you look at your .20
nameserver and see why it is failing?

Could you reverse the order of the nameserver lines in your
resolv.conf file and try it again?  Any difference?


Interesting stuff...


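The behaviour argued over in this thread, as an added example that is not part of the original posts: a small Python model of how a glibc-style stub resolver walks the nameserver list in /etc/resolv.conf.  The nameservers are constructed fakes (callables that return DNS wire-format bytes or raise TimeoutError), so it runs offline; the search domain proulx.com is taken from the tcpdump output above, and chad-vm2 and foo.invalid are the names the thread uses.  The rule "give up when every server fails for one candidate name" is a simplification of glibc's real search-list logic.

```python
"""
Model of a glibc-style stub resolver's server selection (constructed example).

  * servers are tried in resolv.conf order;
  * a timeout, SERVFAIL, NOTIMP or REFUSED moves on to the next server;
  * NOERROR or NXDOMAIN is a definitive answer: no other server is asked;
  * NXDOMAIN for one candidate continues with the next search-list name.
"""
import struct
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NOERROR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 2, 3, 4, 5
RCODE_NAMES: Dict[int, str] = {
    NOERROR: "NOERROR", SERVFAIL: "SERVFAIL", NXDOMAIN: "NXDOMAIN",
    NOTIMP: "NOTIMP", REFUSED: "REFUSED",
}
RETRY_NEXT_SERVER = {SERVFAIL, NOTIMP, REFUSED}

Server = Callable[[bytes], bytes]
Trace = List[Tuple[int, str, str]]      # (server index, qname, outcome)


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Minimal A/IN query: 12-byte header (RD set, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def rcode_of(response: bytes) -> int:
    """RCODE is the low four bits of the flags word (header bytes 2-3)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", response[2:4])
    return flags & 0x000F


def fake_server(rcode: int) -> Server:
    """Constructed server: echoes query ID and question with a fixed RCODE."""
    def respond(query: bytes) -> bytes:
        flags = 0x8180 | rcode          # QR=1, RD=1, RA=1, RCODE=rcode
        return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]
    return respond


def dead_server(query: bytes) -> bytes:
    """Constructed server that never answers (offline or firewalled)."""
    raise TimeoutError("no reply")


def expand_names(name: str, search: Sequence[str], ndots: int = 1) -> List[str]:
    """resolv.conf search-list expansion.  A name with at least `ndots` dots is
    tried as-is first, then with each search domain appended; a shorter name
    tries the search domains first and the bare name last.  A trailing dot
    means absolute: no expansion at all."""
    if name.endswith("."):
        return [name]
    with_search = [name + "." + d.strip(".") + "." for d in search]
    as_is = [name + "."]
    return as_is + with_search if name.count(".") >= ndots else with_search + as_is


def resolve(name: str, nameservers: Sequence[Server],
            search: Sequence[str] = (), ndots: int = 1) -> Tuple[Optional[int], Trace]:
    """Return (final rcode, trace); rcode is None if every server failed."""
    trace: Trace = []
    for qname in expand_names(name, search, ndots):
        query = build_query(qname)
        definitive: Optional[int] = None
        for idx, server in enumerate(nameservers):
            try:
                rcode = rcode_of(server(query))
            except TimeoutError:
                trace.append((idx, qname, "timeout"))
                continue
            trace.append((idx, qname, RCODE_NAMES.get(rcode, "rcode %d" % rcode)))
            if rcode in RETRY_NEXT_SERVER:
                continue                # "Got SERVFAIL reply ..., trying next server"
            definitive = rcode
            break                       # NOERROR/NXDOMAIN: no other server is asked
        if definitive is None:
            return None, trace          # every server failed (simplified: give up)
        if definitive == NOERROR:
            return NOERROR, trace
        # NXDOMAIN is definitive for this candidate; try the next search-list name
    return NXDOMAIN, trace


if __name__ == "__main__":
    # Bob's case: first server says NXDOMAIN, second server is never contacted,
    # even though it would have answered NOERROR.
    print(resolve("foo.invalid", [fake_server(NXDOMAIN), fake_server(NOERROR)],
                  search=["proulx.com"]))
    # Chad's case: SERVFAIL from the first server falls through to the second.
    print(resolve("chad-vm2", [fake_server(SERVFAIL), fake_server(NXDOMAIN)]))
```

The first trace shows two queries to server 0 only (foo.invalid. and then foo.invalid.proulx.com.), matching the tcpdump above; the second shows server 1 being consulted only because server 0 returned SERVFAIL rather than NXDOMAIN.  Swap the order of the list to reproduce the "reverse the nameserver lines" experiment suggested in the message.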