I have a friend who has a problem with, we believe, DNS. In this case the ISP is NTL. He has a stateful firewall and is running NAT; you can see from the tcpdump below that he sends the query to one DNS server but another responds, thus breaking the firewall state and therefore it never resolves. Should the provider have the forwarding option on their servers or does he need to punch another hole in his firewall?

cheers

09:23:01.216136 80.2.189.69.53 > 194.168.8.100.53: 54051+ [1au][|domain] (DF)
09:23:01.534353 194.168.4.100.53 > 80.2.189.69.53: 54051[|domain] (DF)
09:23:01.534618 80.2.189.69 > 194.168.4.100: icmp: 80.2.189.69 udp port 53 unreachable [tos 0xc0]
09:23:11.238123 80.2.189.69.53 > 194.168.8.100.53: 12113+ [1au][|domain] (DF)
09:23:11.414372 194.168.4.100.53 > 80.2.189.69.53: 12113[|domain] (DF)
09:23:11.414606 80.2.189.69 > 194.168.4.100: icmp: 80.2.189.69 udp port 53 unreachable [tos 0xc0]
09:23:19.634810 80.2.189.69.53 > 194.168.8.100.53: 9737+ [1au][|domain] (DF)
09:23:19.643883 194.168.4.100.53 > 80.2.189.69.53: 9737[|domain] (DF)
09:23:19.644127 80.2.189.69 > 194.168.4.100: icmp: 80.2.189.69 udp port 53 unreachable [tos 0xc0]

Paul Gilbert
Router Management Solutions, Inc.
www.routermanagement.com
work: 5167666068
mobile: 5164564983
(Can you turn off HTML when posting to lists? TIA)

* paul@routermanagement.com (Paul Gilbert) [Fri 27 Aug 2004, 14:49 CEST]:
> I have a friend who has a problem with, we believe, DNS. In this case the ISP is NTL. He has a stateful firewall and is running NAT; you can see from the tcpdump below that he sends the query to one DNS server but another responds, thus breaking the firewall state and therefore it never resolves.
Breaking the DNS protocol, too - cf. BIND's old "Response from unexpected source" syslog messages.
http://archives.neohapsis.com/archives/incidents/2000-02/0032.html
http://archives.neohapsis.com/archives/incidents/2000-02/0044.html
Haven't seen one of those in a while, actually - has BIND gotten better at binding sockets to specific interface addresses (it has) or has it stopped reporting such instances?
> Should the provider have the forwarding option on their servers or does he need to punch another hole in his firewall?
Punching holes is not likely to work as it's NAT that breaks... -- Niels.
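Both posts above turn on the same check: did the answer come back from the address the query went to? A stateful firewall or NAT box keys its flow entry on the full (client address, client port, server address, server port) tuple, so an answer from 194.168.4.100 to a query sent to 194.168.8.100 simply has no entry to match, which is exactly what BIND's "Response from unexpected source" message complained about. The script below is an added example written for this page, not code from either poster: it parses lines in the classic tcpdump 3.x text format shown in the thread, keeps a small outstanding-query table the way a stateful device would, and flags answers whose source differs from the queried server. It assumes that the "+" tcpdump prints right after the transaction ID (recursion desired) appears on queries only, which is how it tells queries from answers since both sides use port 53 here. The sample input is a constructed variant of the thread's dump in which the third exchange is changed to be answered by the server that was actually asked, so that one good flow appears beside the two broken ones.

```python
"""Spot DNS answers that arrive from a server other than the one queried.

Example code for this thread, not from the original posts.  Parses the
old tcpdump text format ``HH:MM:SS.ffffff SRC.PORT > DST.PORT: ID[+] ...``
and keeps an outstanding-query table in the spirit of a firewall/NAT
flow table, so an answer from the "wrong" server shows up as a mismatch.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the thread's dump, with the last answer changed so it
# comes from the server that was queried (a well-behaved exchange).
SAMPLE_DUMP = """\
09:23:01.216136 80.2.189.69.53 > 194.168.8.100.53: 54051+ [1au][|domain] (DF)
09:23:01.534353 194.168.4.100.53 > 80.2.189.69.53: 54051[|domain] (DF)
09:23:01.534618 80.2.189.69 > 194.168.4.100: icmp: 80.2.189.69 udp port 53 unreachable [tos 0xc0]
09:23:11.238123 80.2.189.69.53 > 194.168.8.100.53: 12113+ [1au][|domain] (DF)
09:23:11.414372 194.168.4.100.53 > 80.2.189.69.53: 12113[|domain] (DF)
09:23:11.414606 80.2.189.69 > 194.168.4.100: icmp: 80.2.189.69 udp port 53 unreachable [tos 0xc0]
09:23:19.634810 80.2.189.69.53 > 194.168.8.100.53: 9737+ [1au][|domain] (DF)
09:23:19.643883 194.168.8.100.53 > 80.2.189.69.53: 9737 1/0/0 (DF)
"""

# A DNS line in tcpdump's classic output.  Assumption: the '+' directly after
# the transaction ID (tcpdump's "recursion desired" mark) is printed on
# queries only, so it is used here to tell queries from answers.
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)(?P<rd>\+?)"
)
# The ICMP port-unreachable the client stack sends back for the stray answer.
ICMP_UNREACH = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: \S+ udp port (?P<port>\d+) unreachable"
)

# A flow as a stateful device keys it: (client ip, client port, server ip, server port)
FlowKey = Tuple[str, str, str, str]


def reply_matches_flow(flow: FlowKey, src: str, sport: str, dst: str, dport: str) -> bool:
    """True only if the packet is the exact reverse of the recorded flow,
    which is what a firewall state entry or NAT mapping requires."""
    client, cport, server, srv_port = flow
    return (src, sport, dst, dport) == (server, srv_port, client, cport)


def analyse(dump: str) -> dict:
    """Summarise queries, matched answers, answers from an unexpected
    source, and ICMP port-unreachables for a block of tcpdump text."""
    pending: Dict[Tuple[str, str], FlowKey] = {}  # (client ip, txid) -> flow
    report: dict = {"queries": 0, "matched": 0,
                    "unexpected_source": [], "icmp_unreachable": 0}
    for line in dump.splitlines():
        m = DNS_LINE.match(line)
        if m:
            g = m.groupdict()
            if g["rd"] == "+":  # a query: open a flow entry for it
                pending[(g["src"], g["txid"])] = (g["src"], g["sport"], g["dst"], g["dport"])
                report["queries"] += 1
                continue
            # an answer: find the query by (client, txid) and test it against the flow
            flow = pending.pop((g["dst"], g["txid"]), None)
            if flow is None:
                continue  # answer with no outstanding query; nothing to compare
            if reply_matches_flow(flow, g["src"], g["sport"], g["dst"], g["dport"]):
                report["matched"] += 1
            else:
                report["unexpected_source"].append(
                    {"txid": g["txid"], "queried": flow[2], "answered_by": g["src"]}
                )
            continue
        if ICMP_UNREACH.match(line):
            report["icmp_unreachable"] += 1
    return report


if __name__ == "__main__":
    for finding in analyse(SAMPLE_DUMP)["unexpected_source"]:
        print("txid %(txid)s: asked %(queried)s, answered by %(answered_by)s" % finding)
```

Run against the sample it reports two transaction IDs answered by 194.168.4.100 after being sent to 194.168.8.100, one matched flow, and two ICMP port-unreachables; the same logic over a live capture from the client side is a quick way to confirm that the resolver (rather than the firewall) is the party to talk to.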