Les Mikesell wrote:
carlopmart wrote:
Les Mikesell wrote:
carlopmart wrote:
>>> Thanks lars. Correctly, the firewall could be the problem, but it isn't. Because
>>> Ubuntu and Windows 2003/2008 don't have problems with it ... and resolve
>>> perfectly ... And I haven't configured this firewall to accept DNS queries
>>> originating from source port 53 ...
>>
>> What does 'dig' show about your access to the root servers without
>> forwarders and with and without forcing the query-source port? Compare
>> it to the Ubuntu system. Maybe there's something wrong with the root
>> hints file - or maybe your border firewall is blocking all udp to this
>> box but permitting it to the DNS servers that work.
>
> Thanks Les, but I checked it before posting this problem. Ubuntu and CentOS have the same file to do queries to the root servers ...
And the results of 'dig' on each?
I have found a temporary solution: reducing the MTU on the CentOS server (1440) ... I need to investigate why CentOS loses some packets and Ubuntu doesn't ...
Are you routing through tunnels?
No, all hosts (firewall and CentOS DNS server) are connected to a gigabit network.
That's not where the problem is. Since you are working with forwarding on, the problem has to be when you try to go directly to the internet over UDP so it would be at the firewall or border router. When DNS fails, it will retry with TCP and that might be why it eventually works.
That's not possible, because the firewall only permits DNS queries over UDP ...
I'd advise following the standards. If the response won't fit in a udp packet, it has to fail over to tcp.
Is there anything in the path to the internet that needs a lower MTU (perhaps a DSL line running PPPoE)? Or do you have jumbo packets enabled on your Gig NIC?
No, but the firewalls have an MTU of 1450 configured on their external interfaces ...
Why?
Because it is a DSL line and it causes errors with VPN connections if the MTU is 1500.
And if you do need a small MTU, do you have firewalls blocking the ICMP messages that are required to discover that automatically?
Yes, ICMP messages are blocked on the firewall, but they are blocked for all hosts: CentOS DNS servers, Ubuntu servers, Windows servers ... I don't understand why resolving names using the Ubuntu or Windows servers works OK and with CentOS (and also with RHEL5, I have just checked it) it doesn't ...
The 'dig' response might give you a hint. But if all other network operations work OK, I'd still guess it is a firewall setting that you are missing.
OK, tested using dig:
[root@thranduil data]# dig www.mysql.com

; <<>> DiG 9.3.4-P1 <<>> www.mysql.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

[root@thranduil data]# dig www.mysql.com

; <<>> DiG 9.3.4-P1 <<>> www.mysql.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mysql.com.                 IN      A

;; ANSWER SECTION:
www.mysql.com.          3600    IN      A       213.136.52.29

;; AUTHORITY SECTION:
mysql.com.              3600    IN      NS      ns1.sun.com.
mysql.com.              3600    IN      NS      ns2.sun.com.
mysql.com.              3600    IN      NS      ns7.sun.com.
mysql.com.              3600    IN      NS      ns8.sun.com.

;; Query time: 3326 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 25 22:52:20 2009
;; MSG SIZE  rcvd: 123
I have opened 53/tcp and 53/udp on the firewall and the results are the same ... But I don't understand why only CentOS has this problem ... I think that I have made some mistake in some configuration but I don't know where ...
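The thread turns on two mechanisms: a DNS client that gets a truncated (TC=1) UDP reply must re-ask over TCP, and on a path where ICMP is filtered (so path MTU discovery cannot work) a large UDP answer can simply vanish instead of being truncated. The script below is an added example, not code from the thread or from BIND, that makes both visible: it sends an EDNS0 query advertising a UDP payload size, checks the TC bit, and retries over TCP when it is set. The 1232-byte buffer size is an assumption chosen to sit well under the 1440/1450-byte MTUs discussed above; the resolver address and the sample replies are constructed for illustration.

```python
import socket
import struct

# Added example (not from the mailing-list thread): a minimal resolver client that
# sends an EDNS0 query over UDP, inspects the TC (truncated) bit of the reply and
# retries over TCP when it is set, as RFC 1035 / RFC 6891 require. The 1232-byte
# advertised buffer size is an assumption chosen to fit under the 1440/1450-byte
# MTUs mentioned in the thread; the sample replies below are constructed, not captured.

DNS_PORT = 53
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels, root terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, edns_bufsize=None):
    """Build a recursive A query; with edns_bufsize, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, the CLASS field carries the
        # UDP payload size, the 32-bit TTL field carries ext-RCODE/version/flags, RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter for the UDP/TCP decision."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """TC=1 means the server had to cut the answer to fit the UDP limit: re-ask over TCP."""
    return parse_header(udp_response)["tc"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP DNS connection closed early")
        buf += chunk
    return buf


def resolve(name, server, edns_bufsize=1232, timeout=3.0):
    """Query over UDP first and fall back to TCP on truncation. Returns (transport, header dict).

    A silently dropped UDP answer (the PMTU-blackhole case) surfaces here as socket.timeout,
    which is what dig reports as 'connection timed out; no servers could be reached'.
    """
    query = build_query(name, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        response, _ = udp.recvfrom(65535)
    transport = "udp"
    if needs_tcp_retry(response):
        # TCP DNS prefixes each message with a 16-bit length (RFC 1035 section 4.2.2).
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
            response = _recv_exact(tcp, length)
        transport = "tcp"
    return transport, parse_header(response)


# Constructed sample replies (not captured traffic): one truncated, one complete
# with the same section counts as the successful dig run in the thread (1 answer, 4 authority).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 4, 0)


if __name__ == "__main__":
    # Live use against the local resolver, as in the thread's dig runs (assumed address).
    print(resolve("www.mysql.com", "127.0.0.1"))
```

Run with a resolver address to see which transport the answer came over; with `edns_bufsize=None` the client advertises nothing and a server must truncate at 512 bytes, which is the pre-EDNS behaviour a firewall that only passes 53/udp silently relies on. If a path with a reduced MTU and filtered ICMP drops large UDP answers, lowering the advertised buffer size makes the server truncate instead, and the TC bit then triggers the TCP retry rather than a timeout.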