Problem resolving one particular domain

Mark Andrews marka at isc.org
Wed Jul 27 12:43:42 UTC 2011


In message <4E2FEA67.7080900 at agenda.si>, Danilo Godec writes:
> On 07/27/2011 10:31 AM, Stephane Bortzmeyer wrote:
> > On Wed, Jul 27, 2011 at 09:59:32AM +0200,
> >   Danilo Godec<danilo.godec at agenda.si>  wrote
> >   a message of 247 lines which said:
> >
> >> Weirdness number 2 - using dig directly with their servers works:
> > Nothing weird here: dig does not behave like the BIND resolver. It
> > does not use EDNS at all by default, it does not use the same source
> > port, etc.
> 
> Yes, I was expecting that - I just used it as a way of checking whether 
> it's a network/firewall problem (being blocked or something).

Well it is a firewall problem.  Yet another administrator that thinks
queries only come from ports above 1023 despite DNS queries being
sourced from port 53 for decades.

You can test by binding the source port.

	dig ns.rabobank.nl @145.72.79.222 -b 0.0.0.0#1023
	dig ns.rabobank.nl @145.72.79.222 -b 0.0.0.0#1024

If you are writing firewall rules you need to realise that source
ports mean absolutely nothing.  The only invalid source port is
zero.

> >>> 09:53:23.643138 178.79.70.66.53>  145.72.79.222.53: [udp sum ok]
> >>> 7984 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63,
> >>> id 5640, len 71)
> > There is one weird thing here: your resolver uses always the same
> > source port, 53:
> >
> > 1) It means you are vulnerable to Kaminsky-style cache poisoning. In
> > 2011, 'query-source port 53;' should have disappeared a long time
> > ago. Source ports must be random.
> >
> > 2) It may create problems with some firewalls (this would not explain
> > why rabobank.nl, on the same servers, work).
> 
> Thank you, that's what it was. Removed the 'query-source port 53' and 
> resolving started working.
> 
> It is still very weird why it worked with 'rabobank.nl'...
> 
> > A second weird thing is the use of EDNS with a buffer size of
> > 512. This is completely useless, since default size is already 512
> > (but it is probably not the cause of the problem since all answers
> > from Rabobank are short).
> 
> In the process of trying to figure out the problem I was fiddling with 
> the 'edns-udp-size' option setting it to 512.
> 
> I guess I still had that in when I was doing the copy&paste - have since 
> removed it and the packets sent out now have 'OPT UDPsize=4096'.
> 
> 
> Thanks again, Danilo
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
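As an added example (not part of the thread or of BIND), a small Python check that audits tcpdump lines in the format quoted above for the two misconfigurations discussed: every outbound query leaving from one fixed source port (the 'query-source port 53;' symptom) and an EDNS buffer advertised as 512. The resolver address and the capture samples are constructed; the first sample line reproduces the one quoted in the thread.

```python
import re
from collections import Counter

# tcpdump line as quoted in the thread: <time> <srcip>.<sport> > <dstip>.<dport>: ... OPT UDPsize=<n>
_PKT_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*>\s*(\d+\.\d+\.\d+\.\d+)\.(\d+):")
_EDNS_RE = re.compile(r"OPT UDPsize=(\d+)")

# Constructed sample captures (the first line reproduces the one in the thread).
FIXED_PORT_CAPTURE = """\
09:53:23.643138 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 7984 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5640, len 71)
09:53:24.101203 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 19144 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5641, len 71)
09:53:24.602911 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 3310 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5642, len 71)
09:53:25.118472 178.79.70.66.53 > 145.72.79.222.53: [udp sum ok] 47023 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=512 (43) (ttl 63, id 5643, len 71)
"""
RANDOM_PORT_CAPTURE = """\
10:12:01.220415 178.79.70.66.34871 > 145.72.79.222.53: [udp sum ok] 7984 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=4096 (43) (ttl 63, id 5700, len 71)
10:12:01.231906 145.72.79.222.53 > 178.79.70.66.34871: [udp sum ok] 7984 q: A? ns.rabobank.nl. 2/0/1 (ttl 52, id 4101, len 120)
10:12:01.702133 178.79.70.66.52019 > 145.72.79.222.53: [udp sum ok] 19144 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=4096 (43) (ttl 63, id 5701, len 71)
10:12:02.209870 178.79.70.66.61233 > 145.72.79.222.53: [udp sum ok] 3310 [1au] A? ns.rabobank.nl. ar: . OPT UDPsize=4096 (43) (ttl 63, id 5702, len 71)
"""

def parse_queries(capture, resolver_ip):
    """Return [(source_port, edns_udp_size_or_None)] for queries sent by resolver_ip."""
    out = []
    for line in capture.splitlines():
        m = _PKT_RE.match(line)
        if not m or m.group(1) != resolver_ip:
            continue  # a reply, or not our resolver's traffic
        e = _EDNS_RE.search(line)
        out.append((int(m.group(2)), int(e.group(1)) if e else None))
    return out

def audit_resolver(capture, resolver_ip, min_queries=3):
    """Flag the two misconfigurations discussed in the thread."""
    queries = parse_queries(capture, resolver_ip)
    ports = Counter(port for port, _ in queries)
    findings = []
    if len(queries) >= min_queries and len(ports) == 1:
        (port,) = ports
        findings.append(f"all {len(queries)} queries use source port {port}: looks like "
                        "'query-source port N;' is set; remove it so BIND randomises "
                        "ports (Kaminsky-style cache poisoning risk)")
    if any(size == 512 for _, size in queries):
        findings.append("EDNS advertises UDPsize=512, no gain over the non-EDNS default; "
                        "drop the 'edns-udp-size 512;' override")
    return {"queries": len(queries), "distinct_ports": len(ports), "findings": findings}

if __name__ == "__main__":
    for name, cap in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, audit_resolver(cap, "178.79.70.66"))
```

Feed it real output from `tcpdump -n -v udp port 53` on the resolver host; three queries from one port is only a heuristic, so capture a few dozen before trusting a clean result.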

