Strange NAT problems with bigger queries

Jim Reid jim at rfc1035.com
Sat Jun 17 13:34:22 UTC 2000


>>>>> "Christian" == Christian Holz @ ITC <christian.holz at integra-europe.de> writes:

    Christian> At this point, the connection times out. The same query
    Christian> from inside our NATted environment works perfectly.

    Christian> Next, we tried to move the nameserver exactly as it is
    Christian> outside of the NAT environment and give it a "real"
    Christian> IP-Address. Result: The above query works.

    Christian> Now the question is: Why is a normal query for
    Christian> "www.philosophers.de" working fine, while a question
    Christian> for the MX's for philosophers does not get answered?

It looks like your firewall or NAT box is not allowing some DNS
traffic to pass through. One of the name servers for philosophers.de
is dns1.integra-europe.de (213.61.240.1), which is presumably one of
your name servers. That name server appears to be broken. Queries for
the names and addresses of the root servers or even the SOA record for
philosophers.de time out! Either your server doesn't see those queries
or its replies don't get back to me. [You'd probably need a sniffer on
213.61.240.1's LAN to see whether it's the queries or replies that are
getting dropped.] However 213.61.240.1 does answer if it's asked for
www.philosophers.de.

So I suspect that your firewall/NAT box has been (mis)configured in
such a way that it's dropping DNS queries or answers, depending on
what's being asked. This IMHO is utterly wrong. Or maybe it's doing
something even sillier like tampering with the contents of the DNS
packets. For instance NAT'ing the addresses of A records in the
answer. If that's the case, do the Right Thing and implement split DNS
instead of letting something munge DNS packets on the fly. Even if
mixing NAT with DNS or NAT'ing DNS queries can be made to work, it's
very messy and hard to administer or debug. Keep well away from that
if at all possible.

Queries to 213.68.144.129 - the address you quoted in your posting -
seem to behave identically to those sent to 213.61.240.1. It doesn't
give any answers for the root zone or philosophers.de's MX records
either. And it gives the same bizarre answer as 213.61.240.1 does when
www.philosophers.de is looked up. If these two IP addresses run
different name servers, this would tend to point the finger at some
ugliness in some NAT/firewall box or boxes in front of those servers
rather than the DNS.

Also, the answer that your server gives for www.philosophers.de is
bizarre. The TTLs on all the A records are zero! And the TTLs on the
NS records are different from those provided by the other
authoritative server for philosophers.de, sns.intouch.de. Compare and
contrast the answers below from both servers. Note that both replies
are authoritative, even though the answers are not the same. This is
bad news. So another thing you'll need to fix is the discrepancy
between the two (supposedly definitive!) name servers for the
philosophers.de zone.

First of all, here's the correct answer:

	% dig @195.190.74.18 www.philosophers.de
	 
	; <<>> DiG 8.2 <<>> @195.190.74.18 www.philosophers.de
	; (1 server found)
	;; res options: init recurs defnam dnsrch
	;; got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
	;; QUERY SECTION:
	;;      www.philosophers.de, type = A, class = IN
	 
	;; ANSWER SECTION:
	www.philosophers.de.    2D IN A         195.190.75.123
	 
	;; AUTHORITY SECTION:
	philosophers.de.        2D IN NS        sns.intouch.de.
	philosophers.de.        2D IN NS        dns1.integra-europe.de.
	 
	;; ADDITIONAL SECTION:
	sns.intouch.de.         2D IN A         195.190.74.18
	dns1.integra-europe.de.  2D IN A  213.61.240.1
	 
	;; Total query time: 107 msec
	;; FROM: gromit.rfc1035.com to SERVER: 195.190.74.18
	;; WHEN: Sat Jun 17 14:04:26 2000
	;; MSG SIZE  sent: 37  rcvd: 160 

Now for the broken one:

	% dig @213.61.240.1 www.philosophers.de
	 
	; <<>> DiG 8.2 <<>> @213.61.240.1 www.philosophers.de
	; (1 server found)
	;; res options: init recurs defnam dnsrch
	;; got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
	;; QUERY SECTION:
	;;      www.philosophers.de, type = A, class = IN
	 
	;; ANSWER SECTION:
	www.philosophers.de.    0S IN A         195.190.75.123
	 
	;; AUTHORITY SECTION:
	philosophers.de.        1D IN NS        dns1.integra-europe.de.
	philosophers.de.        1D IN NS        sns.intouch.de.
	 
	;; ADDITIONAL SECTION:
	dns1.integra-europe.de.  0S IN A  213.61.240.1
	sns.intouch.de.         0S IN A         195.190.74.18
	 
	;; Total query time: 85 msec
	;; FROM: gromit.rfc1035.com to SERVER: 213.61.240.1
	;; WHEN: Sat Jun 17 14:04:41 2000
	;; MSG SIZE  sent: 37  rcvd: 160

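The comparison above can be automated. This is an added example, not part of the original post: it parses the two DiG 8.2 replies quoted above (reduced to their flag line and resource records) and reports zero TTLs and any RRset or TTL on which two servers that both claim authority disagree.

```python
import re
# Constructed from the two DiG 8.2 answers quoted above: the flag line plus the
# ANSWER, AUTHORITY and ADDITIONAL records of each reply, nothing else.
SNS_REPLY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
www.philosophers.de.    2D IN A         195.190.75.123
philosophers.de.        2D IN NS        sns.intouch.de.
philosophers.de.        2D IN NS        dns1.integra-europe.de.
sns.intouch.de.         2D IN A         195.190.74.18
dns1.integra-europe.de.  2D IN A  213.61.240.1
"""
DNS1_REPLY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
www.philosophers.de.    0S IN A         195.190.75.123
philosophers.de.        1D IN NS        dns1.integra-europe.de.
philosophers.de.        1D IN NS        sns.intouch.de.
dns1.integra-europe.de.  0S IN A  213.61.240.1
sns.intouch.de.         0S IN A         195.190.74.18
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}  # dig 8 TTL suffixes
RR_LINE = re.compile(r"^(\S+)\s+(\d+)([SMHDW])\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_reply(text):
    """Return (header flags, {(owner, type): {rdata: ttl_seconds}}) for one reply."""
    flags, rrsets = set(), {}
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split(";")[2].replace("flags:", "").split())
        elif (m := RR_LINE.match(line)):
            owner, num, unit, rtype, rdata = m.groups()
            rrsets.setdefault((owner, rtype), {})[rdata] = int(num) * UNITS[unit]
    return flags, rrsets

def compare_replies(a_text, b_text):
    """Flag zero TTLs, then any RRset or TTL on which two AA servers disagree."""
    findings = []
    (fa, ra), (fb, rb) = parse_reply(a_text), parse_reply(b_text)
    for label, rrsets in (("A", ra), ("B", rb)):
        for (owner, rtype), rdatas in rrsets.items():
            if 0 in rdatas.values():
                findings.append(f"zero TTL on {owner} {rtype} from server {label}")
    if "aa" in fa and "aa" in fb:  # only authoritative answers are comparable
        for key in sorted(set(ra) | set(rb)):
            if set(ra.get(key, {})) != set(rb.get(key, {})):
                findings.append(f"RRset {key} differs between authoritative servers")
            elif ra[key] != rb[key]:
                findings.append(f"TTLs for {key} differ between authoritative servers")
    return findings
```

Run against the two replies it reports three zero-TTL records from dns1.integra-europe.de and four TTL mismatches, which is exactly the discrepancy the message describes.
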
BTW, the MX records for philosophers.de are curious. There are two
targets (sns.intouch.de and pns.intouch.de) with different preference
values. However both target hostnames have the same IP address. This
means the higher-preference MX record is pointless. In fact it might
cause a mail loop because the target of the higher preference MX
record (sns.intouch.de) appears to be the actual hostname of the mail
server. So mail for philosophers.de gets delivered to 195.190.75.18.
If it then looks up the MX records for philosophers.de, it'll see that
pns.intouch.de has a lower preference value and try to deliver the
mail to that host. Since pns.intouch.de has the same IP address as
sns.intouch.de, the server would open an SMTP connection to itself.

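The mail-loop reasoning above, as an added example that is not part of the original post. The preference values and the address (from the documentation range) are assumed, since the message names the two targets but gives neither; the self-delivery check applies the RFC 974 rule that an MTA which finds its own name in the MX list may only relay to targets with a strictly lower preference value.

```python
from collections import defaultdict

# Constructed data modelled on the message: two MX targets with different
# preference values that resolve to one address. The preference numbers and
# the 192.0.2.18 address are assumptions; the message supplies neither.
MX = {"philosophers.de.": [(10, "pns.intouch.de."), (20, "sns.intouch.de.")]}
A = {"pns.intouch.de.": "192.0.2.18", "sns.intouch.de.": "192.0.2.18"}

def redundant_mx_targets(mx_rrset, a_records):
    """MX targets that share an address: the extra preference level buys nothing."""
    by_addr = defaultdict(list)
    for _pref, host in sorted(mx_rrset):
        by_addr[a_records[host]].append(host)
    return {addr: hosts for addr, hosts in by_addr.items() if len(hosts) > 1}

def relay_candidates(mx_rrset, my_hostname):
    """RFC 974 rule: an MTA that finds its own name among the MX targets may
    only relay to targets with a strictly lower preference value."""
    my_prefs = [p for p, h in mx_rrset if h == my_hostname]
    if not my_prefs:
        return sorted(mx_rrset)
    return sorted((p, h) for p, h in mx_rrset if p < min(my_prefs))

def delivers_to_itself(mx_rrset, a_records, my_hostname):
    """True when the MTA, matching itself by name only, would next open an
    SMTP connection to its own address via a differently named MX target."""
    my_addr = a_records[my_hostname]
    return any(a_records[h] == my_addr for _, h in relay_candidates(mx_rrset, my_hostname))
```

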
    Christian> XX+/208.178.101.2/philosophers.de/MX/IN
    Christian> XX+/208.178.101.2/philosophers.de/MX/IN

    Christian> I don't know what the "+" means after the "XX"... Other
    Christian> queries in the Logfile do not have this "+".

The + means that the query set the recursion desired bit. This
generally means that the query came from a resolver and not another
name server.

    Christian> Any help would be _very_ appreciated since we're trying
    Christian> to go live with this system and I am afraid that our
    Christian> registered domains cannot be queried by the registries
    Christian> right now with this problem...

Well the other name server for philosophers.de seems to be OK, so if
you get rid of the NS record pointing at your broken name server,
everything would be fine.
