ChadDavis wrote:
Bob Proulx wrote:
It doesn't work that way. Nameservers listed in /etc/resolv.conf are
tried in order. The first one that can be contacted is the one used.
If a contacted nameserver does not know about a name then it is a
negative response. No other nameservers are contacted.
The reason for listing up to three nameservers is that if one is
offline then it will fall through to the next one. But when the first
one answers then the answer it provides will be authoritative. See
Ok. I believe you are correct on this behavior, i.e. if I have two DNS
nameservers configured, the second one is purely a failover. In other
words, if the first one can't resolve a given hostname, it does NOT then
consult the second one. The second nameserver is only contacted if the
first one is down. This is what I understand you to have said. And I do
believe you.
I have been known to be wrong. As recently as yesterday. This is my
first posting today. The day is young. I have plenty of time for
mistakes today. :-)
But when I try to resolve a hostname that I know isn't valid, it sure looks
like the second one is consulted. Here's my output from nslookup on an
invalid hostname.
chadmichael@heraclitus:~$ nslookup chad-vm2
;; Got SERVFAIL reply from 10.110.199.20, trying next server
Server: 10.110.200.85
Address: 10.110.200.85#53
** server can't find chad-vm2: SERVFAIL
How interesting. I believe you too. But it says SERVFAIL not
NXDOMAIN. If the first server fails then it should fall through to
the next one. Why is your first server failing? That seems
interesting.
What is your hosts line for /etc/nsswitch.conf?
$ grep hosts /etc/nsswitch.conf
hosts: files dns
It is possible to have various options there. Perhaps?
Also nslookup is a tool specifically for querying DNS. Which means
that it isn't quite the same as gethostbyname(3) would return. Any
program that calls gethostbyname(3) will follow nsswitch.conf. There
is the "getent" program. What does it say?
$ getent hosts foo.invalid
In any case, back to the original topic. I tried an experiment. I
ran "tcpdump -lni any port domain" and ran "nslookup foo.invalid".
root@torpid:~# tcpdump -lni any port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:52:26.405277 IP 192.168.230.120.42194 > 192.168.230.109.53: 25599+ A? foo.invalid. (29)
12:52:26.405761 IP 192.168.230.109.53 > 192.168.230.120.42194: 25599 NXDomain 0/1/0 (104)
12:52:26.406278 IP 192.168.230.120.48452 > 192.168.230.109.53: 36232+ A? foo.invalid.proulx.com. (40)
12:52:26.406682 IP 192.168.230.109.53 > 192.168.230.120.48452: 36232 NXDomain* 0/1/0 (95)
It only contacted the first server listed, 192.168.230.109, and did
not contact the second server listed, 192.168.230.119. So I believe
that it really is only querying the first server.
Doesn't this mean that .20 said "I can't resolve that hostname", and this
caused a second attempt at my second nameserver .85? This contradicts what
I thought you had explained. How does this all relate?
You apparently have two nameservers listed in /etc/resolv.conf.
nameserver 10.110.199.20
nameserver 10.110.200.85
Your lookup said:
chadmichael@heraclitus:~$ nslookup chad-vm2
;; Got SERVFAIL reply from 10.110.199.20, trying next server
Server: 10.110.200.85
But that is SERVFAIL. It got a failure from that server. Why did
that server fail? Does it always fail? I think something may be
interesting about the configuration there.
Is it trying to do a recursive lookup but unable to perform the action
such as due to a firewall or other? I want to set up a test case of a
remote nameserver blocked by a firewall to see if that gives a
SERVFAIL but lack the time today. Could you look at your .20
nameserver and see why it is failing?
Could you reverse the order of the nameserver lines in your
resolv.conf file and try it again? Any difference?
nameserver 10.110.200.85
nameserver 10.110.199.20
Interesting stuff...
Bob
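The rotation behaviour the thread is circling around, as an added example that is not from the list posters: a minimal stub resolver that walks the resolv.conf nameserver list in order, falls through only on a timeout or SERVFAIL, and treats NXDOMAIN (or an answer) from the first server that replies as final. The wire format builder and parser are my own; the network transport assumes plain UDP on port 53, and `make_fake_exchange` is a constructed offline stand-in that returns canned RCODEs so the logic can be exercised without a nameserver.

```python
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def build_query(name, qid=0x1234):
    """Standard query, recursion desired (flags 0x0100), one A question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def rcode_of(response, qid):
    """Return the 4-bit RCODE, refusing packets that are not a reply to our id."""
    rid, flags = struct.unpack(">HH", response[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F

def udp_exchange(server, packet, timeout=2.0):
    # Real transport (assumption: UDP/53 reachable); raises socket.timeout if not.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(512)[0]

def resolve_in_order(servers, name, exchange=udp_exchange):
    """Try nameservers in resolv.conf order; return the list of (server, outcome) seen."""
    qid = 0x1234
    query = build_query(name, qid)
    trail = []
    for server in servers:
        try:
            reply = exchange(server, query)
        except (socket.timeout, OSError):
            trail.append((server, "timeout"))   # server unreachable: fall through
            continue
        rc = rcode_of(reply, qid)
        if rc == RCODE_SERVFAIL:
            trail.append((server, "SERVFAIL"))  # server failed: try the next one
            continue
        # NOERROR or NXDOMAIN is a definitive answer: no further servers are asked.
        trail.append((server, "NXDOMAIN" if rc == RCODE_NXDOMAIN else "answer"))
        return trail
    return trail

def make_fake_exchange(table):
    """Constructed offline transport: map server -> RCODE, or None to simulate a timeout."""
    def exchange(server, packet):
        qid = struct.unpack(">H", packet[:2])[0]
        if table[server] is None:
            raise socket.timeout()
        return struct.pack(">HHHHHH", qid, 0x8180 | table[server], 1, 0, 0, 0)
    return exchange
```

Running it with the two nameserver lists quoted in the thread reproduces both observations: the SERVFAIL case moves on to the second server, while an NXDOMAIN from the first server ends the lookup without the second ever being contacted.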