NAT and Question Section Mismatch
John Wiles
john at iotis.org
Wed Apr 22 11:27:50 UTC 2020
Carl,
The output from the tcpdumps on both machines.
From my local:
226 13.386290 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x8148 PTR 3.32.162.72.in-addr.arpa OPT
227 13.405397 72.162.32.4 172.16.1.103 DNS 93 Standard query response 0x8148 Refused PTR 17.1.1.10.in-addr.arpa OPT
307 18.385705 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x8148 PTR 3.32.162.72.in-addr.arpa OPT
308 18.402629 72.162.32.4 172.16.1.103 DNS 93 Standard query response 0x8148 Refused PTR 17.1.1.10.in-addr.arpa OPT
357 23.386698 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x8148 PTR 3.32.162.72.in-addr.arpa OPT
358 23.404178 72.162.32.4 172.16.1.103 DNS 93 Standard query response 0x8148 Refused PTR 17.1.1.10.in-addr.arpa OPT
492 35.373711 172.16.1.103 72.162.32.4 DNS 107 Standard query 0xa388 PTR 5.32.162.72.in-addr.arpa OPT
493 35.391667 72.162.32.4 172.16.1.103 DNS 149 Standard query response 0xa388 No such name PTR 5.32.162.72.in-addr.arpa SOA ns.iotis.org OPT
541 44.408527 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x2e67 PTR 6.32.162.72.in-addr.arpa OPT
542 44.426670 72.162.32.4 172.16.1.103 DNS 92 Standard query response 0x2e67 Refused PTR 6.1.1.10.in-addr.arpa OPT
634 49.408293 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x2e67 PTR 6.32.162.72.in-addr.arpa OPT
635 49.427719 72.162.32.4 172.16.1.103 DNS 92 Standard query response 0x2e67 Refused PTR 6.1.1.10.in-addr.arpa OPT
689 54.408297 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x2e67 PTR 6.32.162.72.in-addr.arpa OPT
690 54.425286 72.162.32.4 172.16.1.103 DNS 92 Standard query response 0x2e67 Refused PTR 6.1.1.10.in-addr.arpa OPT
755 62.891404 172.16.1.103 72.162.32.4 DNS 108 Standard query 0xd77a PTR 18.32.162.72.in-addr.arpa OPT
756 62.908737 72.162.32.4 172.16.1.103 DNS 192 Standard query response 0xd77a PTR 18.32.162.72.in-addr.arpa PTR badmx.iotis.org NS ns2.iotis.org NS ns.iotis.org A 72.162.32.3 A 72.162.32.4 OPT
From the dns server:
07:15:07.565369 IP 24.181.4.204.22196 > 10.1.1.25.53: 33096 [1au] PTR? 17.1.1.10.in-addr.arpa. (63)
07:15:07.565984 IP 10.1.1.25.53 > 24.181.4.204.22196: 33096 Refused- 0/0/1 (51)
07:15:12.562543 IP 24.181.4.204.22196 > 10.1.1.25.53: 33096 [1au] PTR? 17.1.1.10.in-addr.arpa. (63)
07:15:12.563134 IP 10.1.1.25.53 > 24.181.4.204.22196: 33096 Refused- 0/0/1 (51)
07:15:17.563820 IP 24.181.4.204.22196 > 10.1.1.25.53: 33096 [1au] PTR? 17.1.1.10.in-addr.arpa. (63)
07:15:17.564464 IP 10.1.1.25.53 > 24.181.4.204.22196: 33096 Refused- 0/0/1 (51)
07:15:29.551545 IP 24.181.4.204.10307 > 10.1.1.25.53: 41864 [1au] PTR? 5.32.162.72.in-addr.arpa. (65)
07:15:29.552158 IP 10.1.1.25.53 > 24.181.4.204.10307: 41864 NXDomain*- 0/1/1 (107)
07:15:38.586430 IP 24.181.4.204.44420 > 10.1.1.25.53: 11879 [1au] PTR? 6.1.1.10.in-addr.arpa. (62)
07:15:38.586935 IP 10.1.1.25.53 > 24.181.4.204.44420: 11879 Refused- 0/0/1 (50)
07:15:43.587602 IP 24.181.4.204.44420 > 10.1.1.25.53: 11879 [1au] PTR? 6.1.1.10.in-addr.arpa. (62)
07:15:43.588026 IP 10.1.1.25.53 > 24.181.4.204.44420: 11879 Refused- 0/0/1 (50)
07:15:48.584994 IP 24.181.4.204.44420 > 10.1.1.25.53: 11879 [1au] PTR? 6.1.1.10.in-addr.arpa. (62)
07:15:48.585537 IP 10.1.1.25.53 > 24.181.4.204.44420: 11879 Refused- 0/0/1 (50)
07:15:57.068551 IP 24.181.4.204.44089 > 10.1.1.25.53: 55162 [1au] PTR? 18.32.162.72.in-addr.arpa. (66)
07:15:57.069188 IP 10.1.1.25.53 > 24.181.4.204.44089: 55162*- 1/2/3 PTR badmx.iotis.org. (150)
I'm sending the above to our Cisco guy. I had already assumed it is the NAT, as I had noticed yesterday that it was only affecting actual NATed hosts.
John
> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Carl
> Byington via bind-users
> Sent: Tuesday, April 21, 2020 6:17 PM
> To: bind-users at lists.isc.org
> Subject: RE: NAT and Question Section Mismatch
>
> On Tue, 2020-04-21 at 14:08 -0400, John Wiles wrote:
> ;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>
> tcpdump is your friend.
>
> Dump the outgoing packets from your home connection to see exactly what
> you are sending for:
>
> dig 3.32.162.72.in-addr.arpa ptr @72.162.32.4 +nodnssec +norecur
>
> Dump the incoming packets at your dns server to see what it is receiving for
> that command. Any differences are probably generated by the cisco.
> Dump the outgoing packets from your dns server, and the incoming packets
> at your home connection also.
>
>
>
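The capture comparison suggested in the quoted reply can be scripted. The Python below is an added example, not part of the original messages: it pairs packets by DNS transaction ID (0x8148 on the client side is 33096 on the server side, so the ID passes through the NAT unchanged) and reports every query whose name differs at the server or in the echoed reply. The sample lines are copied from the two captures above; the function names and regular expressions are assumptions fitted to these two output layouts.

```python
import re

# Client-side lines in the summary layout shown above (subset copied from
# the capture in this message).
CLIENT = """\
226 13.386290 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x8148 PTR 3.32.162.72.in-addr.arpa OPT
227 13.405397 72.162.32.4 172.16.1.103 DNS 93 Standard query response 0x8148 Refused PTR 17.1.1.10.in-addr.arpa OPT
492 35.373711 172.16.1.103 72.162.32.4 DNS 107 Standard query 0xa388 PTR 5.32.162.72.in-addr.arpa OPT
493 35.391667 72.162.32.4 172.16.1.103 DNS 149 Standard query response 0xa388 No such name PTR 5.32.162.72.in-addr.arpa SOA ns.iotis.org OPT
541 44.408527 172.16.1.103 72.162.32.4 DNS 107 Standard query 0x2e67 PTR 6.32.162.72.in-addr.arpa OPT
542 44.426670 72.162.32.4 172.16.1.103 DNS 92 Standard query response 0x2e67 Refused PTR 6.1.1.10.in-addr.arpa OPT
"""
# Server-side tcpdump lines (queries only, copied from the capture above).
SERVER = """\
07:15:07.565369 IP 24.181.4.204.22196 > 10.1.1.25.53: 33096 [1au] PTR? 17.1.1.10.in-addr.arpa. (63)
07:15:29.551545 IP 24.181.4.204.10307 > 10.1.1.25.53: 41864 [1au] PTR? 5.32.162.72.in-addr.arpa. (65)
07:15:38.586430 IP 24.181.4.204.44420 > 10.1.1.25.53: 11879 [1au] PTR? 6.1.1.10.in-addr.arpa. (62)
"""

CLIENT_RE = re.compile(r"Standard query (response )?(0x[0-9a-f]+) .*?PTR (\S+)")
SERVER_RE = re.compile(r": (\d+) \[\w+\] PTR\? (\S+)\. ")

def client_questions(capture):
    """Split the client capture into {txid: name} maps for queries and responses."""
    asked, echoed = {}, {}
    for m in CLIENT_RE.finditer(capture):
        target = echoed if m.group(1) else asked
        target[int(m.group(2), 16)] = m.group(3).lower()
    return asked, echoed

def server_questions(capture):
    """Return {txid: name} for the queries the DNS server actually received."""
    return {int(t): n.lower() for t, n in SERVER_RE.findall(capture)}

def find_rewrites(client_capture, server_capture):
    """List (txid, sent, seen_by_server, echoed_to_client) where the name changed."""
    asked, echoed = client_questions(client_capture)
    received = server_questions(server_capture)
    findings = []
    for txid, sent in sorted(asked.items()):
        seen, back = received.get(txid), echoed.get(txid)
        if (seen and seen != sent) or (back and back != sent):
            findings.append((txid, sent, seen, back))
    return findings

if __name__ == "__main__":
    for txid, sent, seen, back in find_rewrites(CLIENT, SERVER):
        print(f"id {txid:#06x}: sent {sent}, server saw {seen}, reply echoed {back}")
```

A finding where the server-side name already differs from the name sent places the rewrite on the inbound path, before BIND sees the query.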