# Bind 9.14 running as recursor (cache, forwarder) doesn't resolve some CNAME hostnames



## nerozero (Aug 29, 2019)

I don't know if this is right place to ask this type of questions, but, I will try... 

I have BIND 9.14 running on the gateway machine  configured as DNS recursor.
it is weird and funny but I was unable resolve IP of kb.isc.org:



```
$ host kb.isc.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host kb.isc.org not found: 3(NXDOMAIN)
```
** and at the same time/same machine: **

```
$ host kb.isc.org 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:

kb.isc.org is an alias for kb-isc.document360.io.
kb-isc.document360.io is an alias for document360-user-website.azurewebsites.net.
document360-user-website.azurewebsites.net is an alias for waws-prod-am2-079.vip.azurewebsites.windows.net.
waws-prod-am2-079.vip.azurewebsites.windows.net is an alias for waws-prod-am2-079.cloudapp.net.
waws-prod-am2-079.cloudapp.net has address 104.40.179.243
```


weird enough, I found an old PC running bind 9.10 I put the same configuration and it does resolves this host correctly. 

My questions:
 - Am I doing something wrong ?
 - how can I enable query trace on bind ?

here is the configuration:
named.conf

```
logging {
    channel querylog{
                file "/var/log/bind.log" versions 3 size 5m;
                severity debug 3;
                print-category yes;
                print-time yes;
                print-severity yes;
    };

    category queries {
                querylog;
    };
};


options {
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        #filter-aaaa-on-v4 yes;
        #dnssec-validation no;

        # Query logging
        querylog yes;
        recursion yes;

        allow-query { any; };
        #allow-recursion { localhost; 10.51.0.0/24; 127.0.0.1; };
        allow-recursion { any; };
        allow-query-cache { any; };

        listen-on       { 127.0.0.1; 10.51.0.1; };
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

/*
        forwarders {
                1.1.1.1;
        };
*/
};
```

Thanks


----------



## SirDice (Aug 29, 2019)

What does `drill @127.0.0.1  kb.isc.org` output?



nerozero said:


> how can I enable query trace on bind ?


You already have? It's in your config (`channel querylog`). So check /var/log/bind.log. This path is relative to /var/named if you use chroot.

My config is slightly different:

```
logging {
        channel syslog_errors {syslog daemon; severity info; };
        channel debug_file {file "/var/log/named_debug.log" versions 3 size 1m; severity dynamic;};
        category queries {debug_file; };
        category resolver { null; };
};
```
Because I run BIND in chroot that log file is actually /var/named/var/log/named_debug.log. 
Example entry:

```
client @0x8049f3800 192.168.11.197#25352 (grafana.com): view internal: query: grafana.com IN AAAA + (192.168.10.1)
client @0x8049f3800 192.168.11.197#60586 (grafana.com): view internal: query: grafana.com IN A + (192.168.10.1)
```


----------



## nerozero (Aug 29, 2019)

SirDice, Thanks for quick reply

never know about drill command, but it seems to have the same output as dig does


```
drill @127.0.0.1 kb.isc.org
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 61151
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; kb.isc.org.    IN    A

;; ANSWER SECTION:
kb.isc.org.    60    IN    CNAME    kb-isc.document360.io.
kb-isc.document360.io.    300    IN    CNAME    document360-user-website.azurewebsites.net.

;; AUTHORITY SECTION:
azurewebsites.net.    86400    IN    SOA    ns1.azurewebsites.net. your.email.address. 2018103101 7200 7200 2419200 86400

;; ADDITIONAL SECTION:

;; Query time: 473 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Aug 29 16:59:20 2019
;; MSG SIZE  rcvd: 177
```

here is the trace output of the dig:


Spoiler: dig +trace +all kb.isc.org @localhost





```
; <<>> DiG 9.14.5 <<>> +trace +all kb.isc.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13862
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 63212267a26ab56503ac84425d67c553344d4ea98bb39b62 (good)
;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            514970    IN    NS    k.root-servers.net.
.            514970    IN    NS    m.root-servers.net.
.            514970    IN    NS    h.root-servers.net.
.            514970    IN    NS    b.root-servers.net.
.            514970    IN    NS    g.root-servers.net.
.            514970    IN    NS    d.root-servers.net.
.            514970    IN    NS    c.root-servers.net.
.            514970    IN    NS    f.root-servers.net.
.            514970    IN    NS    e.root-servers.net.
.            514970    IN    NS    i.root-servers.net.
.            514970    IN    NS    j.root-servers.net.
.            514970    IN    NS    a.root-servers.net.
.            514970    IN    NS    l.root-servers.net.
.            514970    IN    RRSIG    NS 8 0 518400 20190911050000 20190829040000 59944 . kEB5s4fNwxESdOWS0VmpeCW+uZ47gBxlRsZewtqJgd4KcKSYBXRLDDip fhtiHqlNjvjlMpKAPxaGTIftEQo36Ld4utsrycLyhKJtjegMQw3Fq+w3 Ct6BbJaZfTHqY/IOz9M3KKQQd0qblZsLT/oNKeo5daDDUG6S1e9+HCUU bgIkFGR1uGvwqIryxVH2g6opoeRMduNiBaItzmX+15T4+YSqalhudf44 HTeqvggOIzHfACBCZmmJ3wer4FiPU4QdcBelAXNzLi0NzgDLR1H2Ckz8 nwrjJ17Vl2AdT/bUBJofymXfvoAznQbVnr0L8NF1HdNiAWyBtGrkFGOO DLrTnA==

;; ADDITIONAL SECTION:
a.root-servers.net.    602031    IN    A    198.41.0.4
b.root-servers.net.    602031    IN    A    199.9.14.201
c.root-servers.net.    602031    IN    A    192.33.4.12
d.root-servers.net.    602031    IN    A    199.7.91.13
e.root-servers.net.    602031    IN    A    192.203.230.10
f.root-servers.net.    602031    IN    A    192.5.5.241
g.root-servers.net.    602031    IN    A    192.112.36.4
h.root-servers.net.    602031    IN    A    198.97.190.53
i.root-servers.net.    602031    IN    A    192.36.148.17
j.root-servers.net.    602031    IN    A    192.58.128.30
k.root-servers.net.    602031    IN    A    193.0.14.129
l.root-servers.net.    602031    IN    A    199.7.83.42
m.root-servers.net.    602031    IN    A    202.12.27.33
a.root-servers.net.    170031    IN    AAAA    2001:503:ba3e::2:30
b.root-servers.net.    170031    IN    AAAA    2001:500:200::b
c.root-servers.net.    170031    IN    AAAA    2001:500:2::c
d.root-servers.net.    170031    IN    AAAA    2001:500:2d::d
e.root-servers.net.    170031    IN    AAAA    2001:500:a8::e
f.root-servers.net.    170031    IN    AAAA    2001:500:2f::f
g.root-servers.net.    170031    IN    AAAA    2001:500:12::d0d
h.root-servers.net.    170031    IN    AAAA    2001:500:1::53
i.root-servers.net.    170031    IN    AAAA    2001:7fe::53
j.root-servers.net.    170031    IN    AAAA    2001:503:c27::2:30
k.root-servers.net.    170031    IN    AAAA    2001:7fd::1
l.root-servers.net.    170031    IN    AAAA    2001:500:9f::42
m.root-servers.net.    170031    IN    AAAA    2001:dc3::35

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 29 16:30:11 +04 2019
;; MSG SIZE  rcvd: 1137

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16846
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;kb.isc.org.            IN    A

;; AUTHORITY SECTION:
org.            172800    IN    NS    a0.org.afilias-nst.info.
org.            172800    IN    NS    b0.org.afilias-nst.org.
org.            172800    IN    NS    c0.org.afilias-nst.info.
org.            172800    IN    NS    b2.org.afilias-nst.org.
org.            172800    IN    NS    a2.org.afilias-nst.info.
org.            172800    IN    NS    d0.org.afilias-nst.org.
org.            86400    IN    DS    9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org.            86400    IN    DS    9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org.            86400    IN    RRSIG    DS 8 1 86400 20190911050000 20190829040000 59944 . Q6OK2uiY2o1ugM1xlQH5mrvuoPvtEjrAbgtQkNfqLRX8Is7paeV8BRDM Pr5fhOzURI+XQoGXJkY7llfknZL6WmmhDN8adNFSmIoJM/ZcJXRhfAGu 9MTYJSa/PhTXQgUtPqiAaG6u6L8xjtMUtd18+zBCtQN0cHYr+95HsRCu 0jThd0a9tJTPQqWbvFOLoflstafO64/ZYodIQaiwJfhfzh2lbG9wXffy SMh9OFo0nyCoqztytwl6rVTc4mmE5NnX4RvCIzbwp1dOwoD1WRrdndqe Xocq2WFOnZiFCrRScJp40NJ/BGHVP3zqFhnBuhMF5ALdvysgjNFGeXB1 1I9L1Q==

;; ADDITIONAL SECTION:
d0.org.afilias-nst.org.    172800    IN    A    199.19.57.1
c0.org.afilias-nst.info. 172800    IN    A    199.19.53.1
b2.org.afilias-nst.org.    172800    IN    A    199.249.120.1
b0.org.afilias-nst.org.    172800    IN    A    199.19.54.1
a2.org.afilias-nst.info. 172800    IN    A    199.249.112.1
a0.org.afilias-nst.info. 172800    IN    A    199.19.56.1
d0.org.afilias-nst.org.    172800    IN    AAAA    2001:500:f::1
c0.org.afilias-nst.info. 172800    IN    AAAA    2001:500:b::1
b2.org.afilias-nst.org.    172800    IN    AAAA    2001:500:48::1
b0.org.afilias-nst.org.    172800    IN    AAAA    2001:500:c::1
a2.org.afilias-nst.info. 172800    IN    AAAA    2001:500:40::1
a0.org.afilias-nst.info. 172800    IN    AAAA    2001:500:e::1

;; Query time: 46 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Thu Aug 29 16:30:11 +04 2019
;; MSG SIZE  rcvd: 818

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38475
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;kb.isc.org.            IN    A

;; AUTHORITY SECTION:
isc.org.        86400    IN    NS    ns.isc.afilias-nst.info.
isc.org.        86400    IN    NS    ams.sns-pb.isc.org.
isc.org.        86400    IN    NS    ord.sns-pb.isc.org.
isc.org.        86400    IN    NS    sfba.sns-pb.isc.org.
isc.org.        86400    IN    DS    7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
isc.org.        86400    IN    DS    12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.        86400    IN    DS    12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.        86400    IN    RRSIG    DS 7 2 86400 20190915152819 20190825142819 44078 org. B3IoUPoeRqIP1Pr4FM/dnGvJ6SFyPVhdKNLaBAQQopbhmO3kMP9rDj4Y HSr6OPmJOIEh6+pihfInttaIf3N577RsVz+hpykL+IJyJlSc0rxcGk7I 2zocvN2cR7oGIDQfHDVw4yYChHH62CwhO4SOqACBIKy0F3AwnZgJJAkl zRI=

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org.    86400    IN    A    199.6.1.30
ord.sns-pb.isc.org.    86400    IN    A    199.6.0.30
sfba.sns-pb.isc.org.    86400    IN    A    149.20.64.3
ams.sns-pb.isc.org.    86400    IN    AAAA    2001:500:60::30
ord.sns-pb.isc.org.    86400    IN    AAAA    2001:500:71::30
sfba.sns-pb.isc.org.    86400    IN    AAAA    2001:4f8:0:2::19

;; Query time: 45 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Thu Aug 29 16:30:11 +04 2019
;; MSG SIZE  rcvd: 565

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63571
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;kb.isc.org.            IN    A

;; ANSWER SECTION:
kb.isc.org.        60    IN    CNAME    kb-isc.document360.io.
kb.isc.org.        60    IN    RRSIG    CNAME 5 3 60 20190927010812 20190828010006 28347 isc.org. AhPo7oC5hULTkTE0lp4tSVYvBWKL5XAnKpNjYiecexb3wFZI8dsH5Erw EQECF10oDEcEAJTLlNqYrPVW5wzcECpbxH9pTQHZPj+VOBrKz75x03Hk leFsFQ+yiK7pQ4TMb2lNV+XmStELjeY+lQLj8oXAKU0jEgObdSsenk4K xJQ=
kb.isc.org.        60    IN    RRSIG    CNAME 13 3 60 20190927010812 20190828010006 27566 isc.org. AJpJDZdT2WmguE0JGvVGAdRRdvItgESn9dqTCI7TNxKEKEv1VtfStQ1w z20F0+dyJv9uXOPgAwOJMHWFzqpKOg==

;; Query time: 78 msec
;; SERVER: 199.6.1.30#53(199.6.1.30)
;; WHEN: Thu Aug 29 16:30:12 +04 2019
;; MSG SIZE  rcvd: 344
```


----------



## SirDice (Aug 29, 2019)

nerozero said:


> never know about drill command, but it seems to have the same output as dig does


It is quite similar, yes. The drill(1) command was added as a replacement when BIND got removed from the base.  

Here's the output from my server, where it just works. But I have BIND 9.11:

```
dice@maelcum:~ % drill @127.0.0.1 kb.isc.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 24683
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;; kb.isc.org.  IN      A

;; ANSWER SECTION:
kb.isc.org.     60      IN      CNAME   kb-isc.document360.io.
kb-isc.document360.io.  300     IN      CNAME   document360-user-website.azurewebsites.net.
document360-user-website.azurewebsites.net.     1800    IN      CNAME   waws-prod-am2-079.vip.azurewebsites.windows.net.
waws-prod-am2-079.vip.azurewebsites.windows.net.        300     IN      CNAME   waws-prod-am2-079.cloudapp.net.
waws-prod-am2-079.cloudapp.net. 60      IN      A       104.40.179.243

;; AUTHORITY SECTION:
cloudapp.net.   24784   IN      NS      ns1prod.18.azuredns-prd.org.
cloudapp.net.   24784   IN      NS      ns2prod.18.azuredns-prd.org.
cloudapp.net.   24784   IN      NS      ns2prod.18.azuredns-prd.info.
cloudapp.net.   24784   IN      NS      ns1prod.18.azuredns-prd.info.

;; ADDITIONAL SECTION:
ns1prod.18.azuredns-prd.org.    2514    IN      A       40.90.4.201
ns1prod.18.azuredns-prd.info.   2514    IN      A       13.107.24.201
ns2prod.18.azuredns-prd.org.    2514    IN      A       64.4.48.201
ns2prod.18.azuredns-prd.info.   2514    IN      A       13.107.160.201

;; Query time: 166 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Aug 29 15:12:06 2019
;; MSG SIZE  rcvd: 422
```

In your case it seems to stop resolving after the second CNAME and document360-user-website.azurewebsites.net isn't resolved.


----------



## nerozero (Aug 29, 2019)

SirDice, I got this log, but it doesn't show any useful information that can tall me about the issue... 
If you have bind running on your system, could you please try to resolve this host?


----------



## SirDice (Aug 29, 2019)

nerozero said:


> If you have bind running on your system, could you please try to resolve this host?


See above. But I have BIND 9.11 though.


----------



## nerozero (Aug 29, 2019)

SirDice, Sorry I posted and I saw notification later... 
It is weird, why I didn't get an A record??  I just changed bind to 9.11 (BIND 9.11.10 (Extended Support Version) <id:9390ecc>) and I have the same result - unable to resolve this host!


```
dig @127.0.0.1 kb.isc.org

; <<>> DiG 9.14.5 <<>> @127.0.0.1 kb.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42573
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b5e8ce35c1bcfd8ed6ece1f15d67d36916fae3e0fd206e35 (good)
;; QUESTION SECTION:
;kb.isc.org.            IN    A

;; ANSWER SECTION:
kb.isc.org.        42    IN    CNAME    kb-isc.document360.io.
kb-isc.document360.io.    283    IN    CNAME    document360-user-website.azurewebsites.net.

;; AUTHORITY SECTION:
azurewebsites.net.    86400    IN    SOA    ns1.azurewebsites.net. your.email.address. 2018103101 7200 7200 2419200 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 29 17:30:17 +04 2019
;; MSG SIZE  rcvd: 216
```

if you not mind, can you share your option section named.conf ?


----------



## olli@ (Aug 29, 2019)

Not sure if this is related, but the DNS setup at isc.org doesn't seem to be 100 % correct:
https://mxtoolbox.com/SuperTool.aspx?action=dns:kb.isc.org&run=toolpage
Quote from the results:

*Bad Glue Detected*
Parent server gave glue for kb.isc.org to be kb-isc.document360.io but we resolve that hostname to 104.40.179.243
*At least one name server failed to respond in a timely manner*
Failure detail: 104.40.179.243
*Local NS list does not match Parent NS list*
199.6.1.30 was reported by the parent, but not locally
199.254.63.254 was reported by the parent, but not locally
199.6.0.30 was reported by the parent, but not locally
149.20.64.3 was reported by the parent, but not locally
104.40.179.243 was reported locally, but not by the parent
*Serial numbers do not match*


----------



## SirDice (Aug 29, 2019)

The only major difference I can spot is that I use different views. But my 'internal' view is configured the same as yours. 


```
view "internal" {
        match-clients { mynetwork; };
        allow-transfer { mynetwork; };
        recursion yes;

        // The traditional root hints mechanism. Use this, OR the slave zones below.
        zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

{..} # A whole bunch of empty zones

       # Some local zones
  
}
```

The mynetwork is an ACL containing a list of internal address ranges.


----------



## nerozero (Aug 29, 2019)

olli@, Hm...
That doesn't explain why SirDice can resove this host and I do not. But SirDice could you please also run `rndc flush` and show query again?

SirDice, Nothing special in your config....  Thanks...


----------



## SirDice (Aug 29, 2019)

Looks like olli@ might be on the right track. I was thinking, "I should flush my cache"... 

And..

```
root@maelcum:~ # rndc flush
root@maelcum:~ # drill @127.0.0.1 kb.isc.org
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 8506
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; kb.isc.org.  IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 10001 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Aug 29 16:01:50 2019
;; MSG SIZE  rcvd: 28
```
Probably a bit too quick to test, because everything failed to resolve. Oops 
A few minutes later though:

```
root@maelcum:~ # drill @127.0.0.1 kb.isc.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19686
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;; kb.isc.org.  IN      A

;; ANSWER SECTION:
kb.isc.org.     39      IN      CNAME   kb-isc.document360.io.
kb-isc.document360.io.  287     IN      CNAME   document360-user-website.azurewebsites.net.
document360-user-website.azurewebsites.net.     1788    IN      CNAME   waws-prod-am2-079.vip.azurewebsites.windows.net.
waws-prod-am2-079.vip.azurewebsites.windows.net.        289     IN      CNAME   waws-prod-am2-079.cloudapp.net.
waws-prod-am2-079.cloudapp.net. 52      IN      A       104.40.179.243

;; AUTHORITY SECTION:
cloudapp.net.   172789  IN      NS      ns2prod.18.azuredns-prd.org.
cloudapp.net.   172789  IN      NS      ns1prod.18.azuredns-prd.info.
cloudapp.net.   172789  IN      NS      ns1prod.18.azuredns-prd.org.
cloudapp.net.   172789  IN      NS      ns2prod.18.azuredns-prd.info.

;; ADDITIONAL SECTION:
ns1prod.18.azuredns-prd.org.    3592    IN      A       40.90.4.201
ns1prod.18.azuredns-prd.info.   3592    IN      A       13.107.24.201
ns2prod.18.azuredns-prd.org.    3592    IN      A       64.4.48.201
ns2prod.18.azuredns-prd.info.   3592    IN      A       13.107.160.201

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Aug 29 16:05:02 2019
;; MSG SIZE  rcvd: 422
```


----------



## gkontos (Aug 29, 2019)

I don't think the problem is with your DNS server

`~gkontos$ dig @8.8.8.8 kb.isc.org`



```
; <<>> DiG 9.10.6 <<>> @8.8.8.8 kb.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43444
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;kb.isc.org.            IN    A

;; ANSWER SECTION:
kb.isc.org.        59    IN    CNAME    kb-isc.document360.io.
kb-isc.document360.io.    299    IN    CNAME    document360-user-website.azurewebsites.net.
document360-user-website.azurewebsites.net. 1799 IN CNAME waws-prod-am2-079.vip.azurewebsites.windows.net.
waws-prod-am2-079.vip.azurewebsites.windows.net. 299 IN    CNAME waws-prod-am2-079.cloudapp.net.
waws-prod-am2-079.cloudapp.net.    59 IN    A    104.40.179.243

;; Query time: 515 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 29 17:05:41 EEST 2019
;; MSG SIZE  rcvd: 245
```


----------



## nerozero (Aug 29, 2019)

Hm, now I get the response ....  This is weird ..... 


```
host kb.isc.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

kb.isc.org is an alias for kb-isc.document360.io.
kb-isc.document360.io is an alias for document360-user-website.azurewebsites.net.
document360-user-website.azurewebsites.net is an alias for waws-prod-am2-079.vip.azurewebsites.windows.net.
waws-prod-am2-079.vip.azurewebsites.windows.net is an alias for waws-prod-am2-079.cloudapp.net.
waws-prod-am2-079.cloudapp.net has address 104.40.179.243
```


----------



## olli@ (Aug 29, 2019)

It seems that ISC's name servers are out of sync (message “serial numbers do not match”). That might explain why you folks see different results – It depends on which name server you happen to hit.


----------



## nerozero (Aug 29, 2019)

Guys! THANK YOU!!!!! You are great!!!!


----------

