Messaging Gateway


cannot execute nslookup -- *** Invalid option: silent

  • 1.  cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 10:47 AM

    Hello, 

    Looking for assistance on the below issue regarding intermittent nslookup failure when using internal servers that are reachable per ping tests at the same time the failure is occurring.

    See attached screenshot for examples of the CLI error, logs observed and WebGUI error.





  • 2.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 10:58 AM
    Pics. Please




  • 3.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 11:14 AM
    They should be attached. LMK if you can see them.


  • 4.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 11:49 AM
    Me no see pics.




  • 5.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 11:53 AM
    That's odd you can't see.. I added to the thread's attachments. Hopefully you can see the image added to this reply.

    ScreenShot



  • 6.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 11:54 AM
    What are your Ethernet settings? Show us a pic.




  • 7.  RE: cannot execute nslookup -- *** Invalid option: silent

    Broadcom Employee
    Posted Oct 03, 2022 12:05 PM
    Not sure what the "silent server" business is all about, but it does look like you are getting the correct response from the query.
    What happens if you include a TLD (e.g. gmail.com or "exchang.mycorp.com", or some such)?


  • 8.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 01:10 PM
    Edited by Tyler Hehman Oct 03, 2022 01:10 PM
    Hello, 

    Last week nslookups were failing and we could not resolve any internal host names. Why is the nslookup reverting to localhost rather than the primary DNS server? Also, we are doing lookups with FQDN. I just edited out our organization's info.

    > ^Cpssmgsmtp [10.7.5-4]> dns-control list
    10.10.131.75
    10.10.130.3
    8.8.8.8
    Command 'list' completed successfully.
    Cpssmgsmtp [10.7.5-4]> nslookup
    > server
    Default server: 127.0.0.1
    Address: 127.0.0.1#53





  • 9.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 01:11 PM
    In the cli 127.0.0.1 is the actual representation of your ips for dns.




  • 10.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 01:23 PM
    Here is what we got from the CLI when nslookups were failing.




  • 11.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 01:37 PM
    Then try another and see success




  • 12.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 02:26 PM
    Hello all, 

    I've caught it in the act!!! We have made no SMG level or Linux config changes. See below CLI outputs.



    --------------------NSLOOKUP Working-------------------------------------

    pssmgsmtp [10.7.5-4]> nslookup
    *** Invalid option: silent
    > exchange.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: exchange.contoso.org
    Address: 10.10.131.8
    Name: exchange.contoso.org
    Address: 10.10.131.7
    Name: exchange.contoso.org
    Address: 10.10.131.5
    Name: exchange.contoso.org
    Address: 10.10.131.6
    ** server can't find exchange.contoso.org: NXDOMAIN
    >

    _-------------------------------Now nslookup is Failing--------------No Config Changes----------

    pssmgsmtp [10.7.5-4]> nslookup
    *** Invalid option: silent
    > exchange.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find exchange.contoso.org: NXDOMAIN
    > server
    Default server: 127.0.0.1
    Address: 127.0.0.1#53
    > exchange.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find exchange.contoso.org: NXDOMAIN
    > relaymail.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find relaymail.contoso.org: NXDOMAIN
    > exit

    pssmgsmtp [10.7.5-4]> dns-control status
    version: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 (Extended Support Version) <id:7107deb> (Version response disabled)
    running on pssmgsmtp.contoso.org: Linux x86_64 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021
    boot time: Wed, 31 Aug 2022 20:49:57 GMT
    last configured: Wed, 31 Aug 2022 20:49:57 GMT
    configuration file: /etc/named.conf
    CPUs found: 2
    worker threads: 2
    UDP listeners per interface: 1
    number of zones: 1 (0 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/900/1000
    tcp clients: 2/150
    server is up and running
    Command 'status' completed successfully.


    pssmgsmtp [10.7.5-4]> dns-control list
    10.10.131.75
    10.10.130.3
    8.8.8.8
    Command 'list' completed successfully.


    pssmgsmtp [10.7.5-4]> nslookup
    *** Invalid option: silent
    > exhange.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find exhange.contoso.org: NXDOMAIN
    > exchange.contoso.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find exchange.contoso.org: NXDOMAIN
    >


  • 13.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 04:32 PM
    So was I right?




  • 14.  RE: cannot execute nslookup -- *** Invalid option: silent

    Broadcom Employee
    Posted Oct 03, 2022 05:22 PM
    I have a feeling that the underlying issue might be related to a misunderstanding of how DNS works with SMG; the key is that you are seeing this intermittently (I think the "Invalid option: silent" is not related and is something that can be ignored).

    First off, how the lookups work:
    SMG has a local caching DNS server that is queried first (127.0.0.1). If the result lives in the cache and it has not expired, then the cache result is returned. If it is not found or has expired, then SMG will reach out to *one* of the configured DNS servers to request the answer.

    Second, how the configured DNS servers are used:
    This is the important part that is often misunderstood. Notice that I highlighted that only one of the DNS servers from the configured list is used. Here is the help entry for the DNS configuration:
    Initially, all servers that you specify have the same precedence. Symantec Messaging Gateway queries the DNS servers in the list, notes the round trip time (RTT) for each server and begins to favor the DNS server with the lowest RTT value. If that server becomes slow or unresponsive, DNS queries are routed to the next server on the list that has the lowest RTT, and so forth. The result is that the primary DNS server is the one that currently has the best RTT performance.

    So, as shown above, only one server is queried at a time until it is less performant. If that server cannot resolve a name, then that will persist until another DNS server is chosen based on responsiveness.

    In other words, if you have an internal name to resolve, but have an external DNS server in the list that does not have that name, then you will experience occasional lookup failures (or if you have multiple internal DNS servers with differing information).

    If you are using 10.7.4 or newer, you can use the tcpdump command to gather a packet capture of DNS data to validate what is occurring. The above is one scenario that can cause what you are seeing but there are others. A packet capture will contain the answer (there is a KB on tcpdump usage). I also recommend opening a support case if you continue to have issues.

    ------------------------------
    Support Engineer
    * Integrated Cyber Defense Exchange
    * Messaging Gateway
    * Packet Shaper
    Symantec Enterprise Division
    Broadcom Software
    ------------------------------
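
The scenario described in the reply above (one configured upstream that cannot resolve an internal name) can be checked by asking each server from `dns-control list` directly instead of through the 127.0.0.1 cache. This is an added example, not part of the thread and not Broadcom tooling; the helper names are hypothetical, the response headers in `SAMPLE` are constructed rather than captured, and `ask()` is assumed to run on a host with the same network path as the gateway.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a DNS query for an A record (class IN) with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_rcode(response):
    """Return (rcode name, answer count) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return RCODES.get(flags & 0xF, str(flags & 0xF)), ancount

def ask(server, name, timeout=2.0):
    """Query one upstream directly over UDP, bypassing the local cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_rcode(s.recvfrom(512)[0])
        except (OSError, ValueError):
            return ("NO_REPLY", 0)

def audit(name, servers, ask_fn=ask):
    """Return per-server results and the servers that cannot resolve name."""
    results = {srv: ask_fn(srv, name) for srv in servers}
    bad = [srv for srv, (rc, n) in results.items() if rc != "NOERROR" or n == 0]
    return results, bad

# Constructed response headers (not captured traffic): the two internal
# servers return 4 A records, the public resolver returns NXDOMAIN.
SAMPLE = {
    "10.10.131.75": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0),
    "10.10.130.3": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0),
    "8.8.8.8": struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0),
}

def sample_ask(server, name):
    return parse_rcode(SAMPLE[server])

if __name__ == "__main__":
    results, bad = audit("exchange.contoso.org", list(SAMPLE), sample_ask)
    print(results)
    print("cannot resolve:", bad)
```

Calling `audit(name, servers)` without the third argument sends real queries; any server it lists as unable to resolve the name will produce lookup failures whenever the gateway happens to favor it.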



  • 15.  RE: cannot execute nslookup -- *** Invalid option: silent

    Posted Oct 03, 2022 05:23 PM
    Correct. I was right.