I am trying to debug a DNS issue we're having with a few domains, and I have run across some strange behavior. If I directly query their DNS using dig, I get a response. If, however, I let my DNS server ask (using a source port of 53), the query seems to drop into a black hole.
The "good" queries, generated by 'dig mx mwmg.com @<theirIP>':
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:22:35.929965 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53: 64781+ MX? mwmg.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774: 64781*- 2/5/5 mwmg.com. MX[|domain]
16:22:35.981553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53: 24533+ MX? mwmg.com. (26)
16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774: 24533*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.041330 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53: 28663+ MX? mwmg.com. (26)
16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774: 28663*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.091515 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53: 29634+ MX? mwmg.com. (26)
16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774: 29634*- 2/5/5 mwmg.com. MX[|domain]
The "bad" queries, when I let my DNS server do the asking for me:
16:23:13.273239 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53: 23036 [1au] MX? mwmg.com. (37)
16:23:15.277325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53: 64536 [1au] MX? mwmg.com. (37)
16:23:17.281891 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53: 34458 [1au] MX? mwmg.com. (37)
16:23:19.286253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 35884 MX? mwmg.com. (26)
16:23:21.286655 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 65460 MX? mwmg.com. (26)
16:23:23.291087 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 59086 MX? mwmg.com. (26)
16:23:25.295724 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53: 5122 MX? mwmg.com. (26)
16:23:27.300226 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 53089 MX? mwmg.com. (26)
16:23:29.304645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 12885 MX? mwmg.com. (26)
16:23:37.306880 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 21131 MX? mwmg.com. (26)
So...have folks started dropping traffic originating from port 53?!?
How did I miss this memo, or am I missing something obvious in the above?
Charles Steinkuehler charles@steinkuehler.net
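The diagnostic step in the post above, pairing each query in the capture with its reply by client address, client port, server and transaction ID, and tallying unanswered queries per source port, as an added example that is not part of the thread. It runs on an excerpt of the tcpdump output posted above; the line format assumed is the `tcpdump -v` shape shown there.

```python
import re
from collections import defaultdict

# tcpdump -v line as printed in the thread: <ts> IP (<hdr>) <src>.<sport> > <dst>.<dport>: <txid><flags> <payload>
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(.*?\) (\d+(?:\.\d+){3})\.(\d+) > "
                 r"(\d+(?:\.\d+){3})\.(\d+): (\d+)\S* ?(.*)$")
# Only replies carry the answer/authority/additional counts ("2/5/5"); queries never do.
REPLY = re.compile(r"^\d+/\d+/\d+")


def pair_queries(lines):
    """Map (client, client_port, server, txid) -> True if a matching reply was seen."""
    seen = {}
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue  # tcpdump banner or a non-DNS line
        _, src, sport, dst, dport, txid, rest = m.groups()
        if REPLY.match(rest):
            key = (dst, int(dport), src, int(txid))  # reply: direction reversed
            if key in seen:
                seen[key] = True
        else:
            seen.setdefault((src, int(sport), dst, int(txid)), False)
    return seen


def unanswered_by_source_port(lines):
    """(unanswered, total) per client source port; one port never answered while another reaches the same servers points at source-port filtering."""
    stats = defaultdict(lambda: [0, 0])
    for (_, sport, _, _), answered in pair_queries(lines).items():
        stats[sport][1] += 1
        stats[sport][0] += int(not answered)
    return {port: tuple(v) for port, v in stats.items()}


# Excerpt of the capture posted in the thread: dig's port 32774 is answered, the server's port 53 is not.
CAPTURE = """\
16:22:35.929965 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53: 64781+ MX? mwmg.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774: 64781*- 2/5/5 mwmg.com. MX[|domain]
16:22:35.981553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53: 24533+ MX? mwmg.com. (26)
16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774: 24533*- 2/5/5 mwmg.com. MX[|domain]
16:23:13.273239 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53: 23036 [1au] MX? mwmg.com. (37)
16:23:15.277325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53: 64536 [1au] MX? mwmg.com. (37)
16:23:19.286253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 35884 MX? mwmg.com. (26)
""".splitlines()

if __name__ == "__main__":
    for port, (lost, total) in sorted(unanswered_by_source_port(CAPTURE).items()):
        print(f"source port {port}: {lost}/{total} queries unanswered")
```

A fixed query source port also defeats the resolver's source-port randomization, so removing the `port 53` clause from BIND's `query-source` (the workaround reached later in the thread) is the right fix on both counts.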
Is this your local DNS server, or an ISP DNS Server?
I've heard of some ISPs blocking incoming DNS queries unless they're on their local LAN (i.e., their IP subset). But this sounds more like a case of the DNS server in question having questionable firewall rules, or the DNS server simply being offline.
On Thu, Oct 14, 2010 at 4:29 PM, Charles Steinkuehler <charles@steinkuehler.net> wrote:
KCLUG mailing list KCLUG@kclug.org http://kclug.org/mailman/listinfo/kclug
The DNS server asking the questions is local (well, sitting in San Antonio, actually), is the master for newtek.com (among others) and is sitting on the 199.79.203.0/24 IP block we control (our ISP is actually secondary for several of our domains, and advertises routes for our IP block on our behalf).
Anyway, the issue is not related to firewall rules on our end or at our ISP, but it looks like the remote end (dns1-4.name-services.com) is dropping query traffic if the *SOURCE* port is 53 (or perhaps any low port?).
I have worked around the issue by removing the query port option from our named.conf which was specifying port 53 as the query source.
I just hadn't seen this behavior before, and am wondering if anyone else had seen this and if it is becoming common (like the port 25 blocks).
On 10/14/2010 4:40 PM, Joe Brouhard wrote:
Charles Steinkuehler charles@steinkuehler.net