Odd config problem

Mark Andrews Mark_Andrews at isc.org
Tue May 19 08:07:35 UTC 2009


In message <1875F6BE-6EFD-4CFF-B724-E616C172F3C0 at vallden.com>, Hans Vallden writes:
> 
> On 18.5.2009, at 17:17, Mark Andrews wrote:
> 
> >> I use the secure BIND template by Rob Thomas
> >> (http://www.cymru.com/Documents/secure-bind-template.html). I have had a
> >> peculiar problem with this template conf, which I have
> >> not been able to resolve. My problem is that some slave zones return
> >> REFUSED when queried from the external view for ANY records while
> >> others return the expected values. For example:
> >>
> >> dig @194.86.83.21 ruoka.fi ANY
> >>
> >> returns nothing, but when queried from master zone:
> >>
> >> dig @194.86.83.27 ruoka.fi ANY
> >>
> >> returns expected values.  Furthermore, a seemingly identical zone (see
> >> complete zone configs below) for another domain returns expected
> >> values from both servers:
> >
> > What do you have in front of the nameserver?  Firewall? NAT?
> > Note the reply is to the wrong port.
> >
> > 00:15:38.593884 211.30.172.21.57914 > 194.86.83.21.53:  60775 ANY?  
> > ruoka.fi. (26)
> > 00:15:38.935222 194.86.83.21.53 > 211.30.172.21.48599:  60775*-  
> > 5/0/0 SOA, NS ns2.kirnauskis.com., NS ns.kirnauskis.com., MX  
> > smtp.kirnauskis.com. 0, TXT v=spf1 ~all (167)
> 
> There's a firewall in front of both nameservers. I don't think the
> reply port should be the issue, because all traffic is allowed from
> the server to WAN.

	Look at the answer packet.  It is *not* being sent back to the
	querier.

> Furthermore, if it were a firewall issue, why would  
> it work for one domain and not the other? And why would changing the  
> 'additional-from-auth' and 'additional-from-cache' settings make a  
> difference?

	If you look at packet dumps of the reply traffic you see
	all sorts of garbage to the any queries but if you add
	+dnssec all the responses are sane.
	In the example below the question in the response does not
	match the question in the query so dig will reject it.

18:03:34.157694 211.30.172.21.59804 > 194.86.83.21.53:  33053+ ANY? ruoka.fi. (26)
0x0000   4500 0036 d5e5 0000 3f11 1132 d31e ac15        E..6....?..2....
0x0010   c256 5315 e99c 0035 0022 ac70 811d 0100        .VS....5.".p....
0x0020   0001 0000 0000 0000 0572 756f 6b61 0266        .........ruoka.f
0x0030   6900 00ff 0001                                 i.....
18:03:34.528828 194.86.83.21.53 > 211.30.172.21.59804:  33053*- 5/0/0 SOA, NS ns.kirnauskis.com., NS ns2.kirnauskis.com., MX smtp.kirnauskis.com. 0, TXT v=spf1 ~all (167)
0x0000   4500 00c3 9c51 0000 3411 5539 c256 5315        E....Q..4.U9.VS.
0x0010   d31e ac15 0035 e99c 00af 9560 811d 8500        .....5.....`....
0x0020   0001 0005 0000 0000 0572 26fa 6b61 0266        .........r&.ka.f
0x0030   6900 00ff 0001 c00c 0006 0001 0000 9600        i...............
0x0040   0034 026e 730a 6b69 726e 6175 736b 6973        .4.ns.kirnauskis
0x0050   0363 6f6d 000a 686f 7374 6d61 7374 6572        .com..hostmaster
0x0060   c029 7773 fef0 0000 2a30 0000 0e10 0006        .)ws....*0......
0x0070   9780 0000 9600 c00c 0002 0001 0000 9600        ................
0x0080   0002 c026 c00c 0002 0001 0000 9600 0006        ...&............
0x0090   036e 7332 c029 c00c 000f 0001 0000 9600        .ns2.)..........
0x00a0   0009 0000 0473 6d74 70c0 29c0 0c00 1000        .....smtp.).....
0x00b0   0100 0096 0000 0c0b 763d 7370 6631 207e        ........v=spf1.~
0x00c0   616c 6c                                        all

	I would look at packet traces on the box then at places
	further out.

	Mark
 
> I did try allowing all traffic in and out from the server just in  
> case, and it didn't help.
> 
> 
> 
> --
> Hans Vallden
> hans at vallden.com
> skype: hans.vallden
> 
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
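The point Mark makes can be checked mechanically. The following script is an added example, not code from the thread or from ISC: it decodes the two packets from the tcpdump hex dump above (offset column and ASCII gutter stripped, bytes otherwise as printed), parses the IPv4, UDP and DNS headers, and applies the matching rules a resolver or dig applies before it accepts a reply: the reply must go back to the querier's address and port, carry the same transaction id, have the QR bit set, and repeat the question section byte for byte. On these packets the ports and id match, but the question name in the reply reads `r&\xfaka.fi` instead of `ruoka.fi` (bytes `26fa` where the query has `756f`), which is the mismatch that makes dig discard the answer. Running the same check over a capture taken on the server and another taken beyond the firewall tells you where the bytes are being changed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hex bytes of the two packets from the tcpdump output in this thread, with the
# offset column and ASCII gutter stripped: first the ANY query from
# 211.30.172.21, then the reply from 194.86.83.21.
QUERY_HEX = (
    "4500 0036 d5e5 0000 3f11 1132 d31e ac15"
    " c256 5315 e99c 0035 0022 ac70 811d 0100"
    " 0001 0000 0000 0000 0572 756f 6b61 0266"
    " 6900 00ff 0001"
)
REPLY_HEX = (
    "4500 00c3 9c51 0000 3411 5539 c256 5315"
    " d31e ac15 0035 e99c 00af 9560 811d 8500"
    " 0001 0005 0000 0000 0572 26fa 6b61 0266"
    " 6900 00ff 0001 c00c 0006 0001 0000 9600"
    " 0034 026e 730a 6b69 726e 6175 736b 6973"
    " 0363 6f6d 000a 686f 7374 6d61 7374 6572"
    " c029 7773 fef0 0000 2a30 0000 0e10 0006"
    " 9780 0000 9600 c00c 0002 0001 0000 9600"
    " 0002 c026 c00c 0002 0001 0000 9600 0006"
    " 036e 7332 c029 c00c 000f 0001 0000 9600"
    " 0009 0000 0473 6d74 70c0 29c0 0c00 1000"
    " 0100 0096 0000 0c0b 763d 7370 6631 207e"
    " 616c 6c"
)

@dataclass
class DnsPacket:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    flags: int
    qname: bytes  # question name in wire form, kept raw so corruption is visible
    qtype: int
    qclass: int

def hexdump_bytes(text: str) -> bytes:
    """Turn whitespace-separated hex columns from tcpdump -x into bytes."""
    return bytes.fromhex("".join(text.split()))

def parse_qname(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Return the raw label bytes of the name at off and the offset after it.
    A question name is never compressed, so a pointer is treated as damage."""
    start = off
    while True:
        if off >= len(buf):
            raise ValueError("truncated question name")
        ln = buf[off]
        if ln == 0:
            return buf[start:off + 1], off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1 + ln

def parse_packet(raw: bytes) -> DnsPacket:
    """Parse IPv4 + UDP headers and the DNS header/question (no checksum checks)."""
    ihl = (raw[0] & 0x0F) * 4
    if struct.unpack("!H", raw[2:4])[0] != len(raw) or raw[9] != 17:
        raise ValueError("expected a complete IPv4/UDP datagram")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    dns = raw[ihl + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    qname, off = parse_qname(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return DnsPacket(src, sport, dst, dport, txid, flags, qname, qtype, qclass)

def check_reply(query: DnsPacket, reply: DnsPacket) -> List[str]:
    """Matching rules a resolver (and dig) applies before accepting a reply."""
    problems = []
    if (reply.dst, reply.dport) != (query.src, query.sport):
        problems.append(f"reply sent to {reply.dst}:{reply.dport}, "
                        f"but the query came from {query.src}:{query.sport}")
    if reply.txid != query.txid:
        problems.append(f"transaction id {reply.txid:#06x} != {query.txid:#06x}")
    if not reply.flags & 0x8000:
        problems.append("QR bit not set, so this is not a response")
    if reply.qname != query.qname:
        problems.append(f"question name {reply.qname!r} != {query.qname!r}")
    if (reply.qtype, reply.qclass) != (query.qtype, query.qclass):
        problems.append("question type or class differs")
    return problems
```

Call `check_reply(parse_packet(hexdump_bytes(QUERY_HEX)), parse_packet(hexdump_bytes(REPLY_HEX)))` to get the list of mismatches; for the thread's packets it contains only the question-name difference, and the first exchange Mark quoted (reply to port 48599 for a query from 57914) would trip the port check instead. The question name is compared as raw wire bytes rather than as a decoded string so that non-ASCII damage like the `0xfa` byte here cannot be hidden by a lenient decoder.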