System nameservers found but unusable?

humke

When I run DNS Benchmark (2 rel 3) my system's nameservers are found but not usable according to DNS Benchmark (red). The DNS service is provided by a Fortigate firewall in my home network. It resolves some internal names and forwards to internet DNS servers for everything else. Clients get an IPv4 and IPv6 address for the DNS server (192.168.... and fe80:....). When using these clients there are no issues to use the internet (look at me writing this post), but for some reason that I don't understand DNS Benchmark decides that these nameservers are not usable. How is the decision made to mark servers "red"?

As I was initially using Crossover/WINE on macOS I also tried from a Windows 11 machine, which shows the same behavior.
 
How is the decision made to mark servers "red"?
Hmmm... The Benchmark asks those resolvers (all resolvers) to look up the IP(s) of ISC.ORG. That's a benign domain that should not cause any trouble for anyone. The v1 DNS Benchmark has been using it since 2008 with no trouble that I know of. I wonder whether that might be causing trouble in your setup?

If you open a command prompt and issue the command "nslookup isc.org", does that succeed?

Thanks!
 
nslookup does not seem to give issues.

Code:
nslookup isc.org
Server:  sjlfw01.kklbk.nl
Address:  fe80::926c:acff:fec1:481e

Non-authoritative answer:
Name:    isc.org
Addresses:  2a04:4e42::729
          2a04:4e42:200::729
          2a04:4e42:400::729
          2a04:4e42:600::729
          151.101.130.217
          151.101.194.217
          151.101.2.217
          151.101.66.217

nslookup - 192.168.203.254
Default Server:  sjlfw01-203.kklbk.nl
Address:  192.168.203.254

> isc.org
Server:  sjlfw01-203.kklbk.nl
Address:  192.168.203.254

Non-authoritative answer:
Name:    isc.org
Addresses:  2a04:4e42::729
          2a04:4e42:200::729
          2a04:4e42:400::729
          2a04:4e42:600::729
          151.101.130.217
          151.101.194.217
          151.101.2.217
          151.101.66.217

Starting DNS Benchmark right after this nslookup test gives the situation as seen in the attached screenshot.

After reading some of the DNS Benchmark documentation I just might change the configuration so the router supplies the internet resolvers to clients instead of its own, but still: these local resolvers should not be red in this case, right? It doesn't feel like I am having any DNS issues when using my browser to surf the internet.

FYI: When reading some of the documentation I noticed that on https://www.grc.com/dns/configuring.htm the link to the OpenDNS guide pages does not work (404). And on https://www.grc.com/dns/features.htm in the last section, there is this sentence: "Note that it's not very large (only <error>KB) so it won't take long."
 

Attachments

  • dns-20251217-163351.png
@humke — Ah!! “Server never replies to bad domains” is the reason for the RED marking. I should have asked you for a screenshot before anything else.

For whatever reason, neither of those DNS resolvers (unlike ALL of the others that are not marked RED) replies to a request for a nonexistent domain name. The proper resolver response is commonly known as "NX" or "NX Domain", meaning that the resolver affirmatively replies that the domain does not exist, or that there is no IP for the requested domain. But for some reason, your two system resolvers don't do that. They never reply.

The problem is that asking for a nonexistent domain is the only way for the benchmark to determine how long NON-CACHED replies will take since we need to know that the request being made is NOT in the resolver's cache. So asking for {random-string}.amazon.com requires the resolver being asked to look up the nameserver for Amazon and ask it for the host name {random-string}, which we know won't exist.

Thus, the time required to do that tells us how well connected to the rest of the Internet the resolver being tested is.

But... if that resolver DROPS any "NX Domain" replies it receives from upstream nameservers, we never get a reply from a request for a bad host name or dotcom domain name, so we have no way of making this measurement.

So the benchmark really does need to use resolvers that will reply to nonexistent domains and so it marks those that do not — during its initial verification testing — RED to show that it's unable to benchmark them.
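
The check described in this reply can be reproduced outside the Benchmark. The following is an added example, not part of the original thread and not the DNS Benchmark's code: it sends one raw UDP query for a random host under amazon.com and reports the reply code or a timeout. The function names and the 3-second timeout are assumptions.

```python
import secrets, socket, struct, sys, time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Encode one A-record question with RD=1. Returns (txid, packet)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify_reply(txid, packet):
    """RCODE name of a reply, or 'MISMATCH' if it does not answer txid."""
    if len(packet) < 12:
        return "MISMATCH"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit clear
        return "MISMATCH"
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")

def probe(resolver, parent="amazon.com", port=53, timeout=3.0):
    """Query a random, hence uncached and nonexistent, host under parent.
    Returns (outcome, seconds); 'TIMEOUT' is the 'never replies' case."""
    txid, query = build_query(f"{secrets.token_hex(8)}.{parent}")
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    start = time.monotonic()
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (resolver, port))
            while True:                         # skip stray datagrams
                data, _ = s.recvfrom(4096)
                outcome = classify_reply(txid, data)
                if outcome != "MISMATCH":
                    return outcome, time.monotonic() - start
    except socket.timeout:
        return "TIMEOUT", time.monotonic() - start
    except OSError:                             # unreachable, bad address...
        return "ERROR", time.monotonic() - start

if __name__ == "__main__":
    # Usage: python probe.py 192.168.203.254 [more resolvers...]
    for resolver in sys.argv[1:]:
        print(resolver, *probe(resolver))
```

An outcome of NXDOMAIN means the resolver does answer a nonexistent name over plain UDP; TIMEOUT is the "never replies to bad domains" condition.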
 
Maybe I am misunderstanding this, but I believe I do get replies from the local resolver even for bad domains.

Code:
> www.nu.nl
Server:  UnKnown
Address:  192.168.203.254

Non-authoritative answer:
Name:    e67691.b.akamaiedge.net
Addresses:  2.16.6.198
          2.16.6.223
          2.16.6.222
          2.16.6.203
          2.16.6.226
Aliases:  www.nu.nl
          www.nu.nl.edgekey.net

> isc.org
Server:  UnKnown
Address:  192.168.203.254

Non-authoritative answer:
Name:    isc.org
Addresses:  2a04:4e42:600::729
          2a04:4e42:400::729
          2a04:4e42::729
          2a04:4e42:200::729
          151.101.2.217
          151.101.66.217
          151.101.130.217
          151.101.194.217

> oiewjfoiewjfoiewjfjweoifjewf.isc.org
Server:  UnKnown
Address:  192.168.203.254

*** UnKnown can't find oiewjfoiewjfoiewjfjweoifjewf.isc.org: Non-existent domain
> wodijawdoi.oiewjfoewfjwoiefj.ijrewgoegjiewo
Server:  UnKnown
Address:  192.168.203.254

*** UnKnown can't find wodijawdoi.oiewjfoewfjwoiefj.ijrewgoegjiewo: Non-existent domain

As before, when I run the benchmark, I get the red/does not reply to bad domains situation (attached a new screenshot).

I ran Wireshark (on the same system as nslookup) to capture the nslookup traffic, which also shows the request and reply (including for bad domains). I have attached the capture as well.

When deliberately entering a bad domain in my browser, it does not hang but instantly tells me there is something wrong (Dutch, except for the last line):

Deze site is niet bereikbaar

Het IP-adres van de server van oiubfweewofowfp94883te9rdyihrd.nu.nl kan niet worden gevonden.


Probeer dit eens:
ERR_NAME_NOT_RESOLVED

I mean, this is what we want from DNS, right? Or am I missing something here?
 

Attachments

  • dns-20251218-215851.png
  • nslookup.zip