DNS requests error sending response: host unreachable

Romgo romgo at free.fr
Mon Mar 12 20:24:02 UTC 2012


Here is my iptables configuration for BIND:

# prod.dns.in
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0


# OUTPUT
#-------------
# prod.dns.out
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0

My issue is between two BIND servers. The one having the error messages is
my public DNS server, used by the internal server as a forwarder.
Here is the drop from the firewall:

[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111

It doesn't seem to be a TCP issue, as the packet is UDP.

Any idea?

Regards,

On 12 March 2012 18:00, Chuck Swiger <cswiger at mac.com> wrote:

> On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> > Dear community,
> >
> > I do have many errors in my Bind's log file such as:
> >
> > client 192.168.201.1#29404: error sending response: host unreachable
> >
> > It seems that I have an iptables issue as each time I shut iptables I
> don't have this message showing up anymore.
>
> You're probably exhausting the firewall state table with DNS traffic under
> load, causing the traffic to be blocked with an ICMP "host unreachable"
> response.
>
> > I saw that my firewall is dropping packets from the DNS server itself
> towards the client, as the source port is SPT=53/UDP.
> >
> > I am using bind 9.6, it should use a random port >1024 for the source
> port. (I didn't specify the query-source parameter).
> >
> > Nevertheless DNS resolution seems to be working fine.
>
> Adjust your firewall to permit UDP and TCP traffic needed for DNS without
> keeping state, or only keep state on external traffic, but not between your
> nameserver(s) and your local clients...
>
> Regards,
> --
> -Chuck
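As an added check, not part of the thread: a small Python model of the posted OUTPUT rules, run against the logged drop, to show which fields of that packet the rules do not cover (they match only source 192.168.201.2 and destination port 53, while the dropped packet leaves from 192.168.200.2 with source port 53). The RESPONSE_OUTPUT rules are an assumption about what a stateless allow for the daemon's own answers would look like, and iptables matching is simplified to the fields shown.

```python
import re

# Constructed copy of the FW-DROP line posted in the thread (one line, fields unchanged).
FW_DROP = ("[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 "
           "PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111")

def parse_log(line):
    """Reduce a netfilter LOG line to the fields the posted rules match on."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))   # IN= yields an empty value
    return {"proto": fields["PROTO"].lower(), "out": fields.get("OUT", ""),
            "src": fields["SRC"], "dst": fields["DST"],
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"])}

def rule_matches(rule, pkt):
    """Stateless match: every criterion the rule specifies must equal the packet field."""
    return all(pkt.get(k) == v for k, v in rule.items())

def first_match(rules, pkt):
    """Index of the first matching rule, or None (packet falls through to the chain policy)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i
    return None

def explain_mismatch(rule, pkt):
    """Criteria of one rule the packet fails: {field: (rule wants, packet has)}."""
    return {k: (v, pkt.get(k)) for k, v in rule.items() if pkt.get(k) != v}

# The two OUTPUT rules from the thread: queries leaving 192.168.201.2 towards port 53.
POSTED_OUTPUT = [
    {"proto": "tcp", "out": "eth1", "src": "192.168.201.2", "dport": 53},
    {"proto": "udp", "out": "eth1", "src": "192.168.201.2", "dport": 53},
]
# Assumed additional rules: answers the daemon sends itself leave with source port 53,
# from every address it listens on; 192.168.200.2 is the SRC the drop log shows.
RESPONSE_OUTPUT = [
    {"proto": p, "out": "eth1", "src": s, "sport": 53}
    for p in ("udp", "tcp") for s in ("192.168.201.2", "192.168.200.2")
]

if __name__ == "__main__":
    pkt = parse_log(FW_DROP)
    print("posted rules:", first_match(POSTED_OUTPUT, pkt))          # None -> dropped
    for rule in POSTED_OUTPUT:
        print("  fails on", explain_mismatch(rule, pkt))
    print("with response rules:", first_match(POSTED_OUTPUT + RESPONSE_OUTPUT, pkt))  # 3
```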