Strange domain issues - waterco.com.my

Mark Andrews Mark_Andrews at isc.org
Mon Jun 4 07:51:50 UTC 2007 

> I get this:
> 
> $ dig @ns1.waterco.com.my waterco.com.my mx
> ;; reply from unexpected source: 60.51.231.186#1077, expected 
> 60.51.231.186#53
> ;; reply from unexpected source: 60.51.231.186#1077, expected 
> 60.51.231.186#53
> ;; reply from unexpected source: 60.51.231.186#1077, expected 
> 60.51.231.186#53
> 
> ; <<>> DiG 9.3.4 <<>> @ns1.waterco.com.my waterco.com.my mx
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> 
> It seems to me the problem is the query goes to ns1.waterco.com.my 
> [60.51.231.186] port 53, BUT comes back from the same host on port 1077.
> 
> The moral: Bind doesn't like port to/from mismatches. This is probably a 
> host behind a router/firewall.
> 
> Adding this to the options { } block should fix it, if the NAT is 
> configured to preserve the original source port of an outgoing packet:
> 
> options {
>    query-source: address * port 53;
> };

	This won't help with nameservers that send replies from a
	different address and/or port.  Named still expects replies
	to come from the address and port they were sent to.

	All this is designed to do is to send the queries out through
	a firewall with a known port so that the replies can get
	back through.  53 is choose on the premise that the server
	is authoritative for a zone which needs to be reached from
	the outside.  That way you can use the same hole in the firewall
	for both incoming and outgoing queries.  If that premise is
	not met one should really choose a different port.

> The address can be an ip of a specific interface too.
> 
> 
> Dawn Connelly wrote:
> > Try digging at the IP address of their DNS server rather than at it's
> > name. That appears to be working. I was noticing a lot of
> > latency...at least from where I was querying. It might be that when
> > you query against the name rather than the IP it's taking too long to
> > resolve that and to resolve the query you are making so it's timing
> > out.
> > What exactly does the bounce back say? It might be that it's
> > rejecting the inbound email because you don't have a PTR record or
> > something like that. There are lots of things that email could be
> > looking at when it comes to DNS.
> >
> > On 5/24/07, Elias <elias at streamyx.com> wrote:
> >>
> >> Hi guys,
> >> We've been unable to send mails to waterco.com.my and mails always
> >> bounce back saying that its a DNS issue. Digging further, we can get
> >> a response via 'dig waterco.com.my' but no responses via 'dig
> >> @ns1.waterco.com.my waterco.com.my mx' or 'dig @ns2.waterco.com.my
> >> waterco.com.my mx'. Is
> >> there any logic to this? We seem to think that its probably some
> >> weird firewall issue but have no experience troubleshooting these
> >> cases.
> >>
> >> # dig waterco.com.my mx
> >>
> >> ; <<>> DiG 9.4.0 <<>> waterco.com.my mx
> >> ;; global options:  printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1197
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> >>
> >> ;; QUESTION SECTION:
> >> ;waterco.com.my.                        IN      MX
> >>
> >> ;; ANSWER SECTION:
> >> waterco.com.my.         3600    IN      MX      10 mx.waterco.com.my.
> >>
> >> ;; AUTHORITY SECTION:
> >> waterco.com.my.         3597    IN      NS      ns2.waterco.com.my.
> >> waterco.com.my.         3597    IN      NS      ns1.waterco.com.my.
> >>
> >> ;; ADDITIONAL SECTION:
> >> mx.waterco.com.my.      3600    IN      A       60.51.231.187
> >>
> >> ;; Query time: 14 msec
> >> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >> ;; WHEN: Thu May 24 20:16:10 2007
> >> ;; MSG SIZE  rcvd: 103
> >>
> >>
> >> # dig @ns1.waterco.com.my waterco.com.my mx
> >>
> >> ; <<>> DiG 9.4.0 <<>> @ns1.waterco.com.my waterco.com.my mx
> >> ; (1 server found)
> >> ;; global options:  printcmd
> >> ;; connection timed out; no servers could be reached
> >>
> >>
> >> I've contacted the domain owner but they seem to say that
> >> everything's alright at their end. Can anybody help verify if you
> >> guys are also seing the same thing? Any assistance rendered is
> >> greatly appreciated. Thanks!
> 
> 
> 
> -- 
> . Alfred Z. Newmane . 
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list