Les Mikesell wrote:
> carlopmart wrote:
>> Les Mikesell wrote:
>>> carlopmart wrote:
>>>>>>>> Thanks lars. Correct, the firewall could be the problem, but it isn't,
>>>>>>>> because Ubuntu and Windows 2003/2008 don't have problems with it and
>>>>>>>> resolve perfectly ... And I haven't configured this firewall to accept
>>>>>>>> DNS queries originating from source port 53 ...
>>>>>>>>
>>>>>>> What does 'dig' show about your access to the root servers without
>>>>>>> forwarders and with and without forcing the query-source port? Compare
>>>>>>> it to the Ubuntu system. Maybe there's something wrong with the root
>>>>>>> hints file - or maybe your border firewall is blocking all udp to this
>>>>>>> box but permitting it to the DNS servers that work.
>>>>>>>
>>>>>> Thanks Les, but I checked it before posting this problem. Ubuntu and
>>>>>> CentOS have the same file for doing queries to the root servers ...
>>>>> And the results of 'dig' on each?
>>>>>
>>>>>> I have found a temporary solution: reduce the MTU on the CentOS server
>>>>>> (1440) ... I need to investigate why CentOS loses some packets and
>>>>>> Ubuntu doesn't ....
>>>>> Are you routing through tunnels?
>>>>>
>>>> No, all hosts (firewall and CentOS DNS server) are connected to a
>>>> gigabit network.
>>> That's not where the problem is. Since you are working with forwarding
>>> on, the problem has to be when you try to go directly to the internet
>>> over UDP so it would be at the firewall or border router. When DNS
>>> fails, it will retry with TCP and that might be why it eventually works.
>> That's not possible, because the firewall only permits DNS queries over UDP ...
>
> I'd advise following the standards. If the response won't fit in a udp
> packet, it has to fail over to tcp.
>
>>> Is there anything in the path to the internet that needs a lower MTU
>>> (perhaps a DSL line running PPPoE)? Or do you have jumbo packets enabled
>>> on your Gig NIC?
>> No, but the firewalls have an MTU of 1450 configured on the external
>> interfaces ...
>
> Why?

Because it is a DSL line, and it causes errors with VPN connections if the MTU is 1500.

>>> And if you do need a small MTU, do you have firewalls
>>> blocking the ICMP messages that are required to discover that automatically?
>> Yes, ICMP messages are blocked on the firewall, but they are blocked for all
>> hosts: CentOS DNS servers, Ubuntu servers, Windows servers ... I don't
>> understand why resolving names using Ubuntu or Windows servers works OK and
>> with CentOS (and with RHEL5 as well; I have just checked it) doesn't ...
>
> The 'dig' response might give you a hint. But if all other network
> operations work OK, I'd still guess it is a firewall setting that you
> are missing.

OK, tested using dig:

[root at thranduil data]# dig www.mysql.com

; <<>> DiG 9.3.4-P1 <<>> www.mysql.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

[root at thranduil data]# dig www.mysql.com

; <<>> DiG 9.3.4-P1 <<>> www.mysql.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mysql.com.                 IN      A

;; ANSWER SECTION:
www.mysql.com.          3600    IN      A       213.136.52.29

;; AUTHORITY SECTION:
mysql.com.              3600    IN      NS      ns1.sun.com.
mysql.com.              3600    IN      NS      ns2.sun.com.
mysql.com.              3600    IN      NS      ns7.sun.com.
mysql.com.              3600    IN      NS      ns8.sun.com.

;; Query time: 3326 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 25 22:52:20 2009
;; MSG SIZE  rcvd: 123

I have opened 53/tcp and 53/udp on the firewall and the results are the
same ... But I don't understand why only CentOS has this problem ... I think
that I have made a mistake in some configuration but I don't know where ....

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
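Editor's note, added to this thread and not written by either participant: two of the facts above combine badly. ICMP is blocked at the firewall, so a host that sends a packet larger than the 1450-byte external MTU never receives the "fragmentation needed" message that path MTU discovery depends on, and Les's point about falling back to TCP only applies when a reply is marked truncated; a reply that is simply too big for the path is dropped silently and looks exactly like the "connection timed out" above. A resolver advertising a large EDNS0 buffer (BIND's `edns-udp-size`) invites replies larger than a single packet. The probe below is added example code (not from the thread, no names in it come from the original): it builds a DNS query with a chosen EDNS0 buffer size, sends it over UDP, and retries over TCP only when the server sets TC, which is the RFC 1035 behaviour Les describes. Run it from the failing CentOS box directly against an external nameserver (bypassing 127.0.0.1) for a name whose reply is large, for instance an ANY query, with decreasing buffer sizes. If the 4096-byte run times out while 512 answers, large UDP replies are being lost on the path. The file name `dnsprobe.py` and all function names are assumed for the example.

```python
import random
import socket
import struct
import sys

DNS_PORT = 53
QTYPE_A = 1
QTYPE_NS = 2
QTYPE_ANY = 255
QTYPE_OPT = 41       # EDNS0 OPT pseudo-RR (RFC 6891)
CLASS_IN = 1

FLAG_QR = 0x8000     # message is a response
FLAG_TC = 0x0200     # truncated: reply did not fit, client must retry over TCP
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available


def encode_name(name):
    """Encode "www.mysql.com" as DNS labels: 3www 5mysql 3com 0."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, edns_bufsize=None, txid=0x1234, qtype=QTYPE_A):
    """Recursive query; edns_bufsize adds an OPT record advertising the largest
    UDP reply we are willing to receive (no OPT means the classic 512 bytes)."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize:
        # OPT: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended rcode/version/flags (all zero), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_header(msg):
    """Pull the fields that matter for this diagnosis out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection mid-message")
        buf += chunk
    return buf


def resolve(name, server, edns_bufsize=512, qtype=QTYPE_A, timeout=3.0):
    """Query over UDP first; if the reply is truncated (TC=1), repeat the same
    query over TCP, the fallback RFC 1035 requires. Returns (transport, header)."""
    txid = random.randrange(1, 0x10000)          # unpredictable ID, checked on reply
    q = build_query(name, edns_bufsize=edns_bufsize, txid=txid, qtype=qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(65535)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    if not hdr["tc"]:
        return "udp", hdr
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)   # TCP framing: 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(t, 2))
        data = recv_exact(t, length)
    return "tcp", parse_header(data)


# Constructed sample (not captured traffic): a NOERROR reply with QR, TC, RD, RA set.
SAMPLE_TRUNCATED_REPLY = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 1, 0, 0)


if __name__ == "__main__":
    # usage: python dnsprobe.py <server-ip> [name] [A|NS|ANY]
    server = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "www.mysql.com"
    qtype = {"A": QTYPE_A, "NS": QTYPE_NS, "ANY": QTYPE_ANY}[sys.argv[3] if len(sys.argv) > 3 else "A"]
    for size in (4096, 1400, 512, None):
        try:
            transport, hdr = resolve(name, server, edns_bufsize=size, qtype=qtype)
            print(f"bufsize={size}: {transport}, tc={hdr['tc']}, rcode={hdr['rcode']}, answers={hdr['ancount']}")
        except (socket.timeout, OSError, ValueError) as exc:
            print(f"bufsize={size}: failed ({exc})")
```

The same comparison can be made with dig alone (`dig +bufsize=4096 ...` versus `+bufsize=512`, and `+tcp` to force the TCP path); the script exists to make the UDP-then-TCP logic and the EDNS0 buffer field visible. If only the large-buffer runs fail, lowering `edns-udp-size` in named.conf (or allowing the ICMP "fragmentation needed" messages through the firewall) is the usual fix; which of the two applies here is something the thread does not settle.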