Troubleshooting
- Assumptions and Problem Breakdown -
Matsuzaki ʻmazʼ Yoshinobu
<maz@iij.ad.jp>
bdNOG18 maz@iij.ad.jp 1
Simple tools are useful
• ping, traceroute, dig, etc.
• ping:
• More powerful if you know
• The assumptions
• How to read the result
dig soa bd @dns.bd
1. Name resolution of “dns.bd” with the host’s resolver
• Actually querying “A” and/or “AAAA” of “dns.bd”
• If name resolution fails, dig ends in error
2. Send “bd SOA” query to the resolved IP addresses
• RD (recursion desired) on by default
dig soa bd @dns.bd
[Diagram: the host’s Full-service Resolver resolves “dns.bd” through the root servers and the .bd ccTLD servers (step 1), then the “bd SOA” query is sent to dns.bd (step 2)]
when 1) fails, the command fails
[Diagram: the same flow, but step 1, resolving “dns.bd” through the Full-service Resolver, root servers and .bd ccTLD servers, fails, so the “bd SOA” query is never sent]
Possible reasons for the failure
1. Full resolver side
• Service issue (IP reachability, packet filtering)
• named issue (process, capability, configuration)
2. Client side
• Reachability issue (IP reachability, packet filtering)
• No resolver (local resolver, nameserver configuration)
3. Authoritative server side
• Service issue (IP reachability, packet filtering)
• named issue (process, capability, configuration)
• zone configuration issue (zone cut, DNSSEC, transfer)
Engineers can point out the specific reason
Need some workarounds (যোগাড়) in case of a DNS issue
• Cannot use hostname
• No problem to include QNAME in query though
• Cannot rely on Full-service Resolver functionality
• Cache contents
• Recursive mode
• DNSSEC validation
Where to start
1. Try another Full-service resolver
• Open DNS services
• Ex. $ dig soa bd @1.1.1.1
2. Ensure you have a healthy Internet connection
• Especially TCP/53 and UDP/53 for DNS troubleshooting
3. Isolate the problem by querying the authoritative servers directly
• IPv6 and IPv4 are different protocols; check both
• The response can vary depending on how the zone information is configured
Querying one by one
• $ dig +norec NS bd @a.root-servers.net
• +norec : disables recursion by turning off the RD (Recursion Desired) bit
• NS bd : QTYPE “NS” and QNAME “bd”
• @a.root-servers.net : sending the query to a.root-servers.net
# Assuming a.root-servers.net is resolvable
• Expecting Glue records
• NS records for bd
• A and AAAA records for the bd NS servers
4 NS hosts, 8 IP addresses
• 4 hosts serving as bd ccTLD nameservers
• dns.bd, jamuna.btcl.net.bd, surma.btcl.net.bd, and bd-ns.anycast.pch.net
• Each host has IPv6 and IPv4 addresses
• Send a direct query to each individual IP address
• 8 queries in total: “dig +norec SOA bd @<IP address>”, once per address
Observations at “that” time
name-servers            Query: SOA bd
dns.bd                  SERVFAIL
jamuna.btcl.net.bd      SERVFAIL
surma.btcl.net.bd       SERVFAIL
bd-ns.anycast.pch.net   SOA serial 2023060867
; <<>> DiG 9.10.6 <<>> ns bd @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41885
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 62 64 2e ("..no SEP matching the DS found for bd.")
; OPT=15: 00 17 31 32 33 2e 34 39 2e 31 32 2e 31 31 32 3a 35 33 20 72 63 6f 64 65 3d 53 45 52 56 46 41 49 4c 20 66 6f 72 20 62 64 20 44 4e 53 4b 45 59 ("..123.49.12.112:53 rcode=SERVFAIL for bd DNSKEY")
Only one out of four could respond without a DNS error
DNSSEC failure on bd
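The two OPT=15 lines above are Extended DNS Error options (EDNS option code 15, RFC 8914) that dig 9.10 can only print as hex. The following decoder is an added example, not part of the slides: it takes the sample output (the slides' hex, re-joined) and recovers the INFO-CODE and EXTRA-TEXT; the code-name table is the RFC 8914 registry, reduced to the codes relevant to DNSSEC troubleshooting.

```python
"""Decode the Extended DNS Error payloads (EDNS option code 15, RFC 8914)
that dig prints as raw hex in the OPT PSEUDOSECTION."""
from __future__ import annotations

# RFC 8914 INFO-CODE names that matter in a DNSSEC troubleshooting session.
EDE_CODES = {
    0: "Other", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    13: "Cached Error", 22: "No Reachable Authority", 23: "Network Error",
}

# Sample input: the two OPT=15 lines from the slides, hex re-joined.
SAMPLE_DIG_OUTPUT = """\
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 62 64 2e ("..no SEP matching the DS found for bd.")
; OPT=15: 00 17 31 32 33 2e 34 39 2e 31 32 2e 31 31 32 3a 35 33 20 72 63 6f 64 65 3d 53 45 52 56 46 41 49 4c 20 66 6f 72 20 62 64 20 44 4e 53 4b 45 59 ("..123.49.12.112:53 rcode=SERVFAIL for bd DNSKEY")
"""

def decode_ede(hex_payload: str) -> tuple[int, str, str]:
    """Return (info_code, code_name, extra_text) for one EDE option payload.
    Wire format: 2-byte big-endian INFO-CODE, then optional UTF-8 EXTRA-TEXT."""
    data = bytes.fromhex(hex_payload.replace(" ", ""))
    if len(data) < 2:
        raise ValueError("EDE option needs at least a 2-byte INFO-CODE")
    code = int.from_bytes(data[:2], "big")
    text = data[2:].decode("utf-8", errors="replace")
    return code, EDE_CODES.get(code, f"Unassigned ({code})"), text

def decode_dig_opt_lines(dig_output: str) -> list[tuple[int, str, str]]:
    """Find every '; OPT=15:' line in dig output and decode it; the quoted
    ASCII guess dig appends in parentheses is dropped before hex parsing."""
    decoded = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith("; OPT=15:"):
            hex_part = line.split(":", 1)[1].split("(", 1)[0]
            decoded.append(decode_ede(hex_part))
    return decoded

if __name__ == "__main__":
    for code, name, text in decode_dig_opt_lines(SAMPLE_DIG_OUTPUT):
        print(f"EDE {code} ({name}): {text}")
```

Newer dig releases print these options already decoded as "; EDE: 9 (DNSKEY Missing): ..."; the decoder is for the hex form shown on the slide.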
Some tricky parts
*1) gov.bd, com.bd, net.bd, org.bd, ac.bd, and so on
• Those are not DNSSEC-signed
• If you did “dig +norec www.bdren.net.bd @123.49.12.112” at “that” time, it worked as expected
name-servers            SOA bd                  SOA for subdomains (*1)
dns.bd                  SERVFAIL                OK
jamuna.btcl.net.bd      SERVFAIL                OK
surma.btcl.net.bd       SERVFAIL                OK
bd-ns.anycast.pch.net   SOA serial 2023060867   OK
Several zones in a server
• Even when the parent (bd) zone has failed, the servers can still answer from a subdomain zone they also host (e.g. net.bd)
[Diagram: a www.bdren.net.bd query arriving at the .bd ccTLD servers, which host the bd, gov.bd, com.bd and net.bd zones]
My guess at “that” time
• 3 nameservers failed to load the bd zone file
• Could be a DNSSEC signing issue, as the other, unsigned subdomains were loaded as expected
• 1 nameserver kept the (old) bd zone file and kept answering from it
• Its RRSIG (the DNSSEC digital signature) had expired
• This caused DNSSEC validation errors at validating resolvers
• Worked as expected from the system’s point of view, but unexpected for users
Some possible improvements
• Monitoring
• Zone file generation
• Signing and transfer
• SOA serial sync among nameservers
• Point of Contact
• Trouble information
• Technical information
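Two of the monitoring items above (SOA serial sync among nameservers, and signing) map directly onto the failure seen in this incident: three servers not answering for the zone, and one server serving a zone whose RRSIG had expired. The checks below are an added example, not from the slides; the observation table and the RRSIG record are constructed sample data (the signature field is a placeholder, and the expiration date is chosen to be in the past relative to the constructed NOW_EXAMPLE).

```python
"""Monitoring checks for the two conditions the slides describe: nameservers
that cannot answer for (or disagree about) a zone, and RRSIGs near expiry."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed observation: server -> SOA serial, or None for SERVFAIL / no answer.
OBSERVED_SOA = {
    "dns.bd": None,
    "jamuna.btcl.net.bd": None,
    "surma.btcl.net.bd": None,
    "bd-ns.anycast.pch.net": "2023060867",
}
# Constructed RRSIG record; "AAAA" stands in for the base64 signature.
SAMPLE_RRSIG = "bd. 86400 IN RRSIG SOA 8 1 86400 20230612000000 20230529000000 12345 bd. AAAA"
NOW_EXAMPLE = datetime(2023, 6, 15, tzinfo=timezone.utc)   # constructed check time
WARN_BEFORE = timedelta(days=2)                            # re-sign headroom

def check_soa_agreement(results: dict[str, str | None]) -> list[str]:
    """One alert per server without an SOA answer, plus one alert if the
    answering servers disagree on the serial (the 'SOA serial sync' check)."""
    alerts = [f"{srv}: no SOA answer (zone not loaded?)"
              for srv, serial in results.items() if serial is None]
    serials = sorted({s for s in results.values() if s is not None})
    if len(serials) > 1:
        alerts.append(f"serial mismatch among nameservers: {serials}")
    return alerts

def rrsig_time_left(rrsig: str, now: datetime) -> timedelta:
    """Time until the RRSIG expiration field (YYYYMMDDHHmmSS, UTC).
    Negative means the signature has already expired, as in the bd case."""
    fields = rrsig.split()
    if "RRSIG" in fields:                # full record line: keep only the RDATA
        fields = fields[fields.index("RRSIG") + 1:]
    # RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
    expiration = datetime.strptime(fields[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return expiration - now

def rrsig_alert(rrsig: str, now: datetime, warn_before: timedelta) -> str | None:
    """Warning text when the RRSIG is expired or expires within warn_before."""
    left = rrsig_time_left(rrsig, now)
    if left <= timedelta(0):
        return f"RRSIG expired {-left} ago"
    if left <= warn_before:
        return f"RRSIG expires in {left}"
    return None

if __name__ == "__main__":
    print("\n".join(check_soa_agreement(OBSERVED_SOA)))
    print(rrsig_alert(SAMPLE_RRSIG, NOW_EXAMPLE, WARN_BEFORE))
```

In a real deployment the SOA results would come from a `dig +norec SOA <zone> @<IP>` loop over every authoritative address, IPv4 and IPv6, exactly as the one-by-one procedure earlier in the deck describes.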
Example: JP DNS
• The nameservers for the .jp ccTLD are managed by JPRS, the .jp registry, with the cooperation of various organizations in the Japanese Internet industry.
Server name   Organization
a.dns.jp      JPRS (.jp Registry)
b.dns.jp      JPNIC (Japan NIR)
c.dns.jp      JPRS
d.dns.jp      IIJ (Commercial ISP)
e.dns.jp      WIDE (Research Consortium)
f.dns.jp      NII (Academic Research Institute)
g.dns.jp      JPRS
h.dns.jp      JPRS