NAT and Question Section Mismatch

John Wiles john at iotis.org
Tue Apr 21 18:08:24 UTC 2020


> -----Original Message-----
> From: John Wiles
> Sent: Sunday, April 19, 2020 11:18 PM
> To: 'Tony Finch' <dot at dotat.at>
> Cc: bind-users at lists.isc.org
> Subject: RE: NAT and Question Section Mismatch
> 
> > >
> > > I am running into a problem that I think is caused by either a
> > > misconfiguration in Bind9, our Cisco NAT, or perhaps both.
> > >
> > > When I am on our internal network, I am able to query both servers
> > > and get the appropriate external IP address. However, when I try to
> > > do the same thing externally I get "Question section mismatch: got
> > > 6.1.1.10.in-addr.arpa/PTR/IN."
> >
> > I bet this is a PIX/ASA fixup fuxup.
> >
> > Tony.
> 
> Tony thanks for the response.
> 
> I'm assuming that applies to either DNS inspection and/or the fixup
> command. I'm asking the person that handles the Cisco config to review.
> 
> I also just realized I forgot to mention that it is a 2911 ISR.
> 
> John
> 

After going through the router config, my Cisco person is pretty sure that there is nothing in the configuration that is causing this.

But I'm not so certain since it appears to only affect the hosts that are in the NAT. For example, my nslookup results from home: 

> server 72.162.32.4
Default server: 72.162.32.4
Address: 72.162.32.4#53
> 72.162.32.2
2.32.162.72.in-addr.arpa        name = gw.iotis.org.
> 72.162.32.3
;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
;; connection timed out; no servers could be reached

> 72.162.32.4
;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
;; connection timed out; no servers could be reached

> 72.162.32.19
19.32.162.72.in-addr.arpa       name = badmx2.iotis.org.
> 72.162.32.18
18.32.162.72.in-addr.arpa       name = badmx.iotis.org.
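
The check behind the "Question section mismatch" lines in the nslookup output above, as an added example that is not part of the original post and not BIND's code: the client compares the question echoed in the reply with the one it sent. Function names are hypothetical, and the two packets are constructed from the addresses in that output (a PTR query for 72.162.32.3 and a reply whose question is 17.1.1.10.in-addr.arpa).

```python
import ipaddress
import struct

def build_message(qname, response=False, qtype=12, qclass=1, msg_id=0x1234):
    """Minimal DNS message with one question (PTR/IN by default), no records."""
    header = struct.pack("!6H", msg_id, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg) or msg[pos] > 63 or pos + 1 + msg[pos] > len(msg):
            raise ValueError("truncated or compressed question name")
        length, pos = msg[pos], pos + 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def reverse_name_to_ip(qname):
    """Map d.c.b.a.in-addr.arpa to the IPv4 address a.b.c.d, or None."""
    parts = qname.split(".")
    if len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(parts[:4])))
    except ValueError:
        return None

def check_reply(query, reply):
    """Compare the reply's question with the one sent, as a resolver does."""
    sent, got = parse_question(query), parse_question(reply)
    if sent == got:
        return "ok"
    ip = reverse_name_to_ip(got[0])
    if ip is not None and ip.is_private:
        return f"mismatch: reply question names private address {ip}"
    return f"mismatch: got {got[0]}"

# Constructed packets using the addresses from the nslookup output above.
QUERY = build_message("3.32.162.72.in-addr.arpa")
REPLY = build_message("17.1.1.10.in-addr.arpa", response=True)
```

Running the same comparison on a packet capture taken outside the NAT and another taken on the name server shows on which side of the router the question name changes.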




