dns server hangs on lookup

Question

We recently set up a new file server using a MacMini and Lion Server. After pain staking research to rectify a permissions issue, we are now having problems with the DNS server portion of the software. We upgraded from an old XServer running 10.4 that was set up as the DNS for our intranet. We changed the old server name and IP so as to be able to mimic all of the IP&#x27;s and server name on the new one. Once we unplug the old server from the network, our ability to use the internet or email is radically deminished. When I plug the old server back into the network, everything works great. Any ideas?

thomas_r. · Answer

You need to post this on the Mac OS X Lion Server forum.  This one is for the regular end-user version of Lion, and many folks here may have no experience whatsoever with the server, while everyone over there should.

Camelot · Answer

That&#x27;s impossible to answer without more information about the server setup, or at least an idea of the symptoms (e.g. what does dig or nslookup return when you try?)I&#x27;m guessing this is just a configuration issue. By default the DNS server is only configured to respond to zones that it&#x27;s responsible for (e.g. it won&#x27;t resolve other domains). You need to enable recursion or forwarding for your clients in order for the server to do this. You don&#x27;t state whether you&#x27;ve done that or not.

jimfromma · Answer

Let&#x27;s just say I&#x27;m not an IT expert, just a button pusher. I wasn&#x27;t here when the 10.4 XServe was set up, but it seems as though it was configured to be the Intranet DNS. So, when we set up the Lion Server we attempted to mirror all of the settings used on the 10.4 box. I just try&#x27;d the "dig" on both machines and get the exact same results on both machines.The problem is that I can&#x27;t unplug the old server from the network or it takes a gadzillion years to lookup an address when online, and our mail programs barely load messages.It seems sparatic, as 1 session online the sites will pop up at normal speed, then the lookup will take a minute or more.The one thing I do know is that the "Recursive" option is not readily available in 10.7 as it was in 10.4. Is there a secret to allowing recursive in 10.7?

Camelot · Answer

I just try&#x27;d the "dig" on both machines and get the exact same results on both machines.which was...? Knowing the specific messages returned from dig will be useful.The problem is that I can&#x27;t unplug the old server from the network or it takes a gadzillion years to lookup an address when online, and our mail programs barely load messages.You shouldn&#x27;t need to unplug and swap this live. There are at least two better ways of doing this.One is to install and configure the server at a different IP address and make sure it works there (including configuring a single client on the LAN to use this server for lookups), then swap servers once you&#x27;re sure.Another option is to configure the server at a new address and migrate services to it. If your LAN systems are all using DHCP then it&#x27;s a simple matter to change the DHCP server settings and wait for the new settings to propogate.The one thing I do know is that the "Recursive" option is not readily available in 10.7 as it was in 10.4. Is there a secret to allowing recursive in 10.7?Really? It looks the same to me.Server Admin -&gt; (server) -&gt; DNS -&gt; Settings -&gt; Accept recursive queries from the following networks:Add your local subnet to this list and the server will recursively answer lookups for your LAN clients.

jimfromma · Answer

This is probably a dumb question, but are the results of the dig command by any means private? Because this is an internal DNS, not sure what someone can make of it and the addresses within. I just don&#x27;t want to open my network by providing anything that would allow intrusion. Local subnet? Mask? 1st 3 with an opening?

jimfromma · Answer

Below are the results from using the scutil --dns. Note the difference in information given. Is there an option I need to add in 10.7 that wasn&#x27;t necessary in 10.4? Unix is unix is it not?Just to be clear, I don&#x27;t believe I need to set this up as a standalone DNS server, just using it to point to the ISP&#x27;s name server. (I believe)Lion Serverserver:etc lionserver$ scutil --dnsDNS configurationresolver #1  nameserver[0] : 192.9.200.4resolver #2  domain   : local  options  : mdns  timeout  : 5  order    : 300000resolver #3  domain   : 254.169.in-addr.arpa  options  : mdns  timeout  : 5  order    : 300200resolver #4  domain   : 8.e.f.ip6.arpa  options  : mdns  timeout  : 5  order    : 300400resolver #5  domain   : 9.e.f.ip6.arpa  options  : mdns  timeout  : 5  order    : 300600resolver #6  domain   : a.e.f.ip6.arpa  options  : mdns  timeout  : 5  order    : 300800resolver #7  domain   : b.e.f.ip6.arpa  options  : mdns  timeout  : 5  order    : 301000DNS configuration (for scoped queries)resolver #1  nameserver[0] : 192.9.200.4  if_index : 4 (en0)  flags    : Scopedserver:etc lionserver$ Old Server DNSserver:~ admin$ scutil --dnsDNS configurationresolver #1  nameserver[0] : 192.9.200.4  order   : 200000resolver #2  domain : local  nameserver[0] : 224.0.0.251  nameserver[1] : ff02::fb  options : attempts:4  port    : 5353  timeout : 2  order   : 300000resolver #3  domain : 254.169.in-addr.arpa  nameserver[0] : 224.0.0.251  nameserver[1] : ff02::fb  options : attempts:4  port    : 5353  timeout : 2  order   : 300001resolver #4  domain : 0.8.e.f.ip6.arpa  nameserver[0] : 224.0.0.251  nameserver[1] : ff02::fb  options : attempts:4  port    : 5353  timeout : 2  order   : 300002server:~ admin$ dig results; &lt;&lt;&gt;&gt; DiG 9.7.3-P3 &lt;&lt;&gt;&gt;;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 34346;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14;; QUESTION SECTION:;.                IN    NS;; ANSWER SECTION:.            515255    IN    NS    k.root-servers.net..            515255    IN    NS    m.root-servers.net..            515255    IN    NS    j.root-servers.net..            515255    IN    NS    d.root-servers.net..            515255    IN    NS    e.root-servers.net..            515255    IN    NS    b.root-servers.net..            515255    IN    NS    h.root-servers.net..            515255    IN    NS    l.root-servers.net..            515255    IN    NS    a.root-servers.net..            515255    IN    NS    f.root-servers.net..            515255    IN    NS    i.root-servers.net..            515255    IN    NS    c.root-servers.net..            515255    IN    NS    g.root-servers.net.;; ADDITIONAL SECTION:a.root-servers.net.    601655    IN    A    198.41.0.4a.root-servers.net.    601655    IN    AAAA    2001:503:ba3e::2:30b.root-servers.net.    601655    IN    A    192.228.79.201c.root-servers.net.    601655    IN    A    192.33.4.12d.root-servers.net.    601655    IN    A    128.8.10.90d.root-servers.net.    601655    IN    AAAA    2001:500:2d::de.root-servers.net.    601655    IN    A    192.203.230.10f.root-servers.net.    601655    IN    A    192.5.5.241f.root-servers.net.    601655    IN    AAAA    2001:500:2f::fg.root-servers.net.    601655    IN    A    192.112.36.4h.root-servers.net.    601655    IN    A    128.63.2.53h.root-servers.net.    601655    IN    AAAA    2001:500:1::803f:235i.root-servers.net.    601655    IN    A    192.36.148.17i.root-servers.net.    601655    IN    AAAA    2001:7fe::53;; Query time: 2 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Fri Feb  3 12:47:07 2012;; MSG SIZE  rcvd: 512

Camelot · Answer

If this is internal then there&#x27;s no real issue - even if I learn, for example, that your internal DNS server is at 192.168.84.72 it means nothing - I can&#x27;t hit that, query it, or wean any information from it.If you want to mask your domain name, that&#x27;s fine.The example you posted, though, doesn&#x27;t help - you just ran &#x27;dig&#x27; but didn&#x27;t query any hostname, so all it returned were the public root servers (that everyone knows). Please re-post with examples of querys against both your own domains and a public/external hostname such as www.apple.com.

jimfromma · Answer

Ok, after reading up on the dig command, I was able to get some of the information you mentioned.From one of my Mac workstations I used the basic default query and came up with the following results.mac002:~ mac002$ dig server.millenniumpress.internal; &lt;&lt;&gt;&gt; DiG 9.6-ESV-R4-P3 &lt;&lt;&gt;&gt; server.millenniumpress.internal;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 28692;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0;; QUESTION SECTION:;server.millenniumpress.internal. IN    A;; ANSWER SECTION:server.millenniumpress.internal. 10800 IN A    192.9.200.4;; AUTHORITY SECTION:millenniumpress.internal. 10800    IN    NS    server.millenniumpress.internal.;; Query time: 0 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Mon Feb  6 11:47:11 2012;; MSG SIZE  rcvd: 792.mac002:~ mac002$ dig yahoo.com; &lt;&lt;&gt;&gt; DiG 9.6-ESV-R4-P3 &lt;&lt;&gt;&gt; yahoo.com;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 50105;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:;yahoo.com.            IN    A;; ANSWER SECTION:yahoo.com.        3317    IN    A    72.30.2.43yahoo.com.        3317    IN    A    98.137.149.56yahoo.com.        3317    IN    A    98.139.180.149yahoo.com.        3317    IN    A    209.191.122.70;; Query time: 15 msec;; SERVER: 192.9.200.5#53(192.9.200.5);; WHEN: Mon Feb  6 11:43:24 2012;; MSG SIZE  rcvd: 91then, I ran this one again  (?)mac002:~ mac002$ dig yahoo.com; &lt;&lt;&gt;&gt; DiG 9.6-ESV-R4-P3 &lt;&lt;&gt;&gt; yahoo.com;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 7239;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 7, ADDITIONAL: 7;; QUESTION SECTION:;yahoo.com.            IN    A;; ANSWER SECTION:yahoo.com.        3078    IN    A    98.137.149.56yahoo.com.        3078    IN    A    98.139.180.149yahoo.com.        3078    IN    A    209.191.122.70yahoo.com.        3078    IN    A    72.30.2.43;; AUTHORITY SECTION:yahoo.com.        93280    IN    NS    ns2.yahoo.com.yahoo.com.        93280    IN    NS    ns6.yahoo.com.yahoo.com.        93280    IN    NS    ns4.yahoo.com.yahoo.com.        93280    IN    NS    ns8.yahoo.com.yahoo.com.        93280    IN    NS    ns5.yahoo.com.yahoo.com.        93280    IN    NS    ns3.yahoo.com.yahoo.com.        93280    IN    NS    ns1.yahoo.com.;; ADDITIONAL SECTION:ns1.yahoo.com.        89645    IN    A    68.180.131.16ns2.yahoo.com.        89645    IN    A    68.142.255.16ns3.yahoo.com.        89645    IN    A    121.101.152.99ns4.yahoo.com.        89645    IN    A    68.142.196.63ns5.yahoo.com.        89645    IN    A    119.160.247.124ns6.yahoo.com.        96874    IN    A    202.43.223.170ns8.yahoo.com.        96874    IN    A    202.165.104.22;; Query time: 0 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Mon Feb  6 11:52:14 2012;; MSG SIZE  rcvd: 329Note the Query time.When I turn off the DNS services on the old server(192.9.200.5), this is the query time. It still goes out but...;; Query time: 5234 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Mon Feb  6 12:06:31 2012;; MSG SIZE  rcvd: 249

jimfromma · Answer

Some addition information when I did a reverse lookup after turning the DNS services back on the old server.mac002:~ mac002$ dig -x 192.9.200.5; &lt;&lt;&gt;&gt; DiG 9.6-ESV-R4-P3 &lt;&lt;&gt;&gt; -x 192.9.200.5;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 54834;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0;; QUESTION SECTION:;5.200.9.192.in-addr.arpa.    IN    PTR;; AUTHORITY SECTION:200.9.192.in-addr.arpa.    10800    IN    SOA    200.9.192.in-addr.arpa. admin.200.9.192.in-addr.arpa. 2012020103 86400 3600 604800 345600;; Query time: 0 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Mon Feb  6 12:17:25 2012;; MSG SIZE  rcvd: 84mac002:~ mac002$ dig -x 192.9.200.4; &lt;&lt;&gt;&gt; DiG 9.6-ESV-R4-P3 &lt;&lt;&gt;&gt; -x 192.9.200.4;; global options: +cmd;; Got answer:;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 62308;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1;; QUESTION SECTION:;4.200.9.192.in-addr.arpa.    IN    PTR;; ANSWER SECTION:4.200.9.192.in-addr.arpa. 10800    IN    PTR    Server.millenniumpress.internal.;; AUTHORITY SECTION:200.9.192.in-addr.arpa.    10800    IN    NS    Server.millenniumpress.internal.;; ADDITIONAL SECTION:Server.millenniumpress.internal. 10800 IN A    192.9.200.4;; Query time: 0 msec;; SERVER: 192.9.200.4#53(192.9.200.4);; WHEN: Mon Feb  6 12:17:54 2012;; MSG SIZE  rcvd: 117

Camelot · Answer

OK, that helps some, but doesn&#x27;t make too much sense - yet.Can you clarify the relationship between the two DNS servers at 192.9.200.4 and 192.9.200.5. Did you change these numbers, or are they your real server addresses?

jimfromma · Answer

192.9.200.4 is the ip for the new server, which was taken from the old server after we changed the old server to 192.9.200.5

Camelot · Answer

So these are public DNS servers? serving your .internal domain? and you work for Sun/Oracle (because that&#x27;s who &#x27;owns&#x27; the 192.9.x.x network)?From the data posted so far I&#x27;m going to hazard a guess that the .4 server is configured to use .5 as a forwarder, so queries to .4 are being passed to .5 for resolution. That&#x27;s just a guess, though. It certainly points to some configuration error, but it&#x27;s going to be hard to troubleshoot that without revealing more about your network/server setup than you might be comfortable with.

jimfromma · Answer

Actually, they are not public DNS servers, only internal and no I don&#x27;t work for Sun/Oracle and have no idea where they got hte 192.9 network id. This network was set up long before I arrived here. I am pretty sure I don&#x27;t have forwarders even setup.