NAT and Question Section Mismatch

John Wiles john at iotis.org
Tue Apr 21 19:14:57 UTC 2020


The only ip inspect lines that I could find in the current config are:

ip inspect dns-timeout 7200
ip inspect name CCP_HIGH dns

John

> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
> Matthew Richardson
> Sent: Tuesday, April 21, 2020 2:55 PM
> To: bind-users at lists.isc.org
> Subject: Re: NAT and Question Section Mismatch
> 
> Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?
> 
> Do any of these reference "dns"?  If so, this may be your problem...
> 
> Best wishes,
> Matthew
> 
>  ------
> >From: John Wiles <john at iotis.org>
> >To: Tony Finch <dot at dotat.at>
> >Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> >Date: Tue, 21 Apr 2020 14:08:24 -0400
> >Subject: RE: NAT and Question Section Mismatch
> 
> >> -----Original Message-----
> >> From: John Wiles
> >> Sent: Sunday, April 19, 2020 11:18 PM
> >> To: 'Tony Finch' <dot at dotat.at>
> >> Cc: bind-users at lists.isc.org
> >> Subject: RE: NAT and Question Section Mismatch
> >>
> >> > >
> >> > > I am running into a problem that I think is caused by either a
> >> > > misconfiguration in Bind9, our Cisco NAT, or perhaps both.
> >> > >
> >> > > When I am on our internal network, I am able to query both
> >> > > servers and get the appropriate external ip address. However,
> >> > > when I try to do the same thing externally I get "Question
> >> > > section mismatch: got 6.1.1.10.in-addr.arpa/PTR/IN."
> >> >
> >> > I bet this is a PIX/ASA fixup fuxup.
> >> >
> >> > Tony.
> >>
> >> Tony thanks for the response.
> >>
> >> I'm assuming that applies to either DNS inspection and/or the fixup
> >> command. I'm asking the person that handles the cisco config to review.
> >>
> >> I also just realized I forgot to mention that it is a 2911 ISR.
> >>
> >> John
> >>
> >
> >After going through the router config my cisco person is pretty sure that there is nothing in the configuration that is causing this.
> >
> >But I'm not so certain since it appears to only affect the hosts that are in the NAT. For example, my nslookup results from home:
> >
> >> server 72.162.32.4
> >Default server: 72.162.32.4
> >Address: 72.162.32.4#53
> >> 72.162.32.2
> >2.32.162.72.in-addr.arpa        name = gw.iotis.org.
> >> 72.162.32.3
> >;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
> >;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
> >;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
> >;; connection timed out; no servers could be reached
> >
> >> 72.162.32.4
> >;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
> >;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
> >;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
> >;; connection timed out; no servers could be reached
> >
> >> 72.162.32.19
> >19.32.162.72.in-addr.arpa       name = badmx2.iotis.org.
> >> 72.162.32.18
> >18.32.162.72.in-addr.arpa       name = badmx.iotis.org.
> >
> >
> >
> >_______________________________________________
> >Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> >unsubscribe from this list
> >
> >bind-users mailing list
> >bind-users at lists.isc.org
> >https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
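What that error actually means, as an added illustration that is not part of the thread or of any Cisco or BIND code: a resolver (and nslookup) only accepts a reply whose question section echoes exactly what it sent. If something on the path translates the public address inside the DNS payload, and does so to the reversed name in the question as well, the client sees a question for 17.1.1.10.in-addr.arpa come back for a query it sent about 3.32.162.72.in-addr.arpa, discards the reply, retries, and eventually times out, which is the pattern in the nslookup output above. The script below builds a PTR query and a server reply in wire format, then passes the reply through a simulated address-translating ALG and runs the same question check a client does. The packets, the ALG behaviour and the name host.example. are constructed for the example; the addresses 72.162.32.3 and 10.1.1.17 are taken from the nslookup output in the thread, and the ALG model is the hypothesis under discussion, not a verified IOS trace.

```python
"""Simulate a NAT DNS ALG rewriting the question section of a PTR reply.

Constructed packets only, no network traffic. The addresses and the mismatch
text mirror the mailing-list thread; the ALG behaviour is the hypothesis under
discussion (DNS inspection/fixup translating addresses in the payload).
"""
import struct

QTYPE_PTR, QCLASS_IN = 12, 1


def reverse_name(ip):
    """'72.162.32.3' -> '3.32.162.72.in-addr.arpa.'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def encode_name(name):
    """Wire-format domain name (RFC 1035 3.1), no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a name at buf[off], following compression pointers.
    Returns (name with trailing dot, offset just past the name field)."""
    labels, end = [], None
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def build_ptr_query(qid, ip):
    """Standard recursive PTR query: header + one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(reverse_name(ip)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def build_ptr_response(query, target):
    """What the authoritative server sends: echoed question + one PTR answer."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    rdata = encode_name(target)
    answer = encode_name(qname) + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    return header + question + answer


def alg_rewrite(packet, external_ip, internal_ip):
    """Hypothesised NAT ALG (assumption, not a captured router behaviour):
    'translate' the reverse name of the public address wherever it occurs,
    question section included. A byte substitution suffices here because the
    question name and RR owner name are not inside any length-prefixed field;
    the router's IP/UDP length and checksum fix-ups are not modelled."""
    return packet.replace(encode_name(reverse_name(external_ip)),
                          encode_name(reverse_name(internal_ip)))


def check_question(query, response):
    """The client-side check: ID and question must echo what was sent.
    Returns None when the reply is acceptable, else the rejection reason."""
    sent_id, got_id = struct.unpack("!H", query[:2])[0], struct.unpack("!H", response[:2])[0]
    if sent_id != got_id:
        return "ID mismatch: got %d, expected %d" % (got_id, sent_id)
    sent_name, off = decode_name(query, 12)
    sent_type, sent_class = struct.unpack("!HH", query[off:off + 4])
    got_name, off = decode_name(response, 12)
    got_type, got_class = struct.unpack("!HH", response[off:off + 4])
    if (sent_name, sent_type, sent_class) != (got_name, got_type, got_class):
        return "Question section mismatch: got %s/%s/%s" % (
            got_name.rstrip("."),
            "PTR" if got_type == QTYPE_PTR else got_type,
            "IN" if got_class == QCLASS_IN else got_class)
    return None


def ptr_answers(response):
    """PTR targets from the answer section of an accepted reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4
    targets = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_PTR:
            targets.append(decode_name(response, off)[0])
        off += rdlen
    return targets


if __name__ == "__main__":
    q = build_ptr_query(0x1234, "72.162.32.3")
    direct = build_ptr_response(q, "host.example.")
    print("direct reply  :", check_question(q, direct), ptr_answers(direct))
    via_alg = alg_rewrite(direct, "72.162.32.3", "10.1.1.17")
    print("through ALG   :", check_question(q, via_alg))
```

Two things follow from running it. First, the reply through the ALG is rejected for the same reason nslookup reports, and a client that did not make this check would have accepted an answer for a different name, which is why resolvers refuse rather than "fix up" the question. Second, the translation only affects addresses the ALG has a mapping for: a PTR for 72.162.32.2 passed through the same rewrite for a different mapping comes back unchanged and is accepted, which matches the thread's observation that only the NATed hosts fail.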