Is this your local DNS server, or an ISP DNS Server?<div><br></div><div>I've heard of some ISP's blocking incoming DNS queries unless they're on their local LAN (i.e. their IP subset). But this sounds more like a case of the DNS server in question having questionable firewall rules, or the DNS server is simply offline.<br>
<br><div class="gmail_quote">On Thu, Oct 14, 2010 at 4:29 PM, Charles Steinkuehler <span dir="ltr"><<a href="mailto:charles@steinkuehler.net">charles@steinkuehler.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
I am trying to debug a DNS issue we're having with a few domains, and I<br>
have run across some strange behavior. If I directly query their DNS<br>
using dig, I get a response. If, however, I let my DNS server ask<br>
(using a source port of 53), the query seems to drop into a black hole.<br>
<br>
The "good" queries, generated by 'dig mx <a href="http://mwmg.com" target="_blank">mwmg.com</a> @<theirIP><br>
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>
> 16:22:35.929965 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53: 64781+ MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774: 64781*- 2/5/5 <a href="http://mwmg.com" target="_blank">mwmg.com</a>. MX[|domain]<br>
> 16:22:35.981553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53: 24533+ MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774: 24533*- 2/5/5 <a href="http://mwmg.com" target="_blank">mwmg.com</a>. MX[|domain]<br>
> 16:22:36.041330 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53: 28663+ MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774: 28663*- 2/5/5 <a href="http://mwmg.com" target="_blank">mwmg.com</a>. MX[|domain]<br>
> 16:22:36.091515 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53: 29634+ MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774: 29634*- 2/5/5 <a href="http://mwmg.com" target="_blank">mwmg.com</a>. MX[|domain]<br>
<br>
The "bad" queries, when I let my DNS server do the asking for me:<br>
> 16:23:13.273239 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53: 23036 [1au] MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (37)<br>
> 16:23:15.277325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53: 64536 [1au] MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (37)<br>
> 16:23:17.281891 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53: 34458 [1au] MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (37)<br>
> 16:23:19.286253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 35884 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:21.286655 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 65460 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:23.291087 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 59086 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:25.295724 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53: 5122 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:27.300226 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 53089 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:29.304645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 12885 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
> 16:23:37.306880 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 21131 MX? <a href="http://mwmg.com" target="_blank">mwmg.com</a>. (26)<br>
<br>
So...have folks started dropping traffic originating from port 53?!?<br>
<br>
How did I miss this memo, or am I missing something obvious in the above?<br>
<br>
- --<br>
Charles Steinkuehler<br>
<a href="mailto:charles@steinkuehler.net">charles@steinkuehler.net</a><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.10 (MingW32)<br>
Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
iEYEARECAAYFAky3djQACgkQLywbqEHdNFxX0gCfchNpsCEkLQzc/hDncxDK/YGZ<br>
BToAn00jwPV7OT9UjQ4wyLKB/kGS7OqQ<br>
=oV+d<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
KCLUG mailing list<br>
<a href="mailto:KCLUG@kclug.org">KCLUG@kclug.org</a><br>
<a href="http://kclug.org/mailman/listinfo/kclug" target="_blank">http://kclug.org/mailman/listinfo/kclug</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Joe Brouhard<br><a href="mailto:jbrouhard@gmail.com">jbrouhard@gmail.com</a><br>
</div>