NAT and Question Section Mismatch

Matthew Richardson matthew-l at itconsult.co.uk
Tue Apr 21 18:55:10 UTC 2020


Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?

Do any of these reference "dns"?  If so, this may be your problem...

Best wishes,
Matthew

 ------
>From: John Wiles <john at iotis.org>
>To: Tony Finch <dot at dotat.at>
>Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>Date: Tue, 21 Apr 2020 14:08:24 -0400
>Subject: RE: NAT and Question Section Mismatch

>> -----Original Message-----
>> From: John Wiles
>> Sent: Sunday, April 19, 2020 11:18 PM
>> To: 'Tony Finch' <dot at dotat.at>
>> Cc: bind-users at lists.isc.org
>> Subject: RE: NAT and Question Section Mismatch
>> 
>> > >
>> > > I am running into a problem that I think is caused by either a
>> > > misconfiguration in Bind9, our Cisco NAT, or perhaps both.
>> > >
>> > > When I am on our internal network, I am able to query both servers
>> > > and get the appropriate external ip address. However, when I try to
>> > > do the same thing externally I get "Question section mismatch: got
>> > > 6.1.1.10.in-addr.arpa/PTR/IN."
>> >
>> > I bet this is a PIX/ASA fixup fuxup.
>> >
>> > Tony.
>> 
>> Tony thanks for the response.
>> 
>> I'm assuming that applies to either DNS inspection and/or the fixup
>> command. I'm asking the person that handles the Cisco config to review.
>> 
>> I also just realized I forgot to mention that it is a 2911 ISR.
>> 
>> John
>> 
>
>After going through the router config my Cisco person is pretty sure that there is nothing in the configuration that is causing this.
>
>But I'm not so certain since it appears to only affect the hosts that are in the NAT. For example, my nslookup results from home: 
>
>> server 72.162.32.4
>Default server: 72.162.32.4
>Address: 72.162.32.4#53
>> 72.162.32.2
>2.32.162.72.in-addr.arpa        name = gw.iotis.org.
>> 72.162.32.3
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; connection timed out; no servers could be reached
>
>> 72.162.32.4
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; connection timed out; no servers could be reached
>
>> 72.162.32.19
>19.32.162.72.in-addr.arpa       name = badmx2.iotis.org.
>> 72.162.32.18
>18.32.162.72.in-addr.arpa       name = badmx.iotis.org.
>
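The client-side check that produces the "Question section mismatch" lines in the nslookup output quoted above, as an added example that is not part of the original thread: a DNS client compares the question echoed in the response with the one it sent and discards the response if they differ. The message bytes are constructed here, not captured, and the rewritten response models what the thread suspects (a NAT device altering the DNS payload), which the thread does not confirm; the transaction ID check a real client also performs is left out.

```python
import struct

TYPES, CLASSES = {12: "PTR"}, {1: "IN"}  # only what this example needs

def encode_name(name):  # dotted name -> length-prefixed DNS labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(msg_id, qname, response=False):  # header + one PTR/IN question
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 12, 1)

def parse_question(msg):
    """Return (qname, qtype, qclass) for a one-question message."""
    if len(msg) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("compressed or truncated label")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def check_response(query, response):
    """Compare the echoed question with the one sent, as a DNS client does."""
    sent = parse_question(query)
    got = parse_question(response)
    if got == sent:
        return "ok"
    name, qtype, qclass = got
    return f"Question section mismatch: got {name}/{TYPES.get(qtype, qtype)}/{CLASSES.get(qclass, qclass)}"

# Constructed messages (not captured traffic), using names from the quoted output.
QUERY = build_message(0x1234, "3.32.162.72.in-addr.arpa")
CLEAN = build_message(0x1234, "3.32.162.72.in-addr.arpa", response=True)
REWRITTEN = build_message(0x1234, "17.1.1.10.in-addr.arpa", response=True)
```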


