NAT and Question Section Mismatch

Ondřej Surý ondrej at isc.org
Tue Apr 21 19:30:29 UTC 2020


There was a setting in Cisco which would handle the host behind
the NAT differently when the DNS traffic passed the matching NAT.

I found a bug in the Cisco devices more than 10+ years ago when
it would mangle the TTL to `0`.  I don’t really remember the details
though, but it’s not only the `ip inspect` that might be at fault.

Ondrej
--
Ondřej Surý
ondrej at isc.org

> On 21 Apr 2020, at 21:14, John Wiles <john at iotis.org> wrote:
> 
> The only ip inspect lines that I could find in the current config are:
> 
> ip inspect dns-timeout 7200
> ip inspect name CCP_HIGH dns
> 
> John
> 
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
>> Matthew Richardson
>> Sent: Tuesday, April 21, 2020 2:55 PM
>> To: bind-users at lists.isc.org
>> Subject: Re: NAT and Question Section Mismatch
>> 
>> Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?
>> 
>> Do any of these reference "dns"?  If so, this may be your problem...
>> 
>> Best wishes,
>> Matthew
>> 
>> ------
>>> From: John Wiles <john at iotis.org>
>>> To: Tony Finch <dot at dotat.at>
>>> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>>> Date: Tue, 21 Apr 2020 14:08:24 -0400
>>> Subject: RE: NAT and Question Section Mismatch
>> 
>>>> -----Original Message-----
>>>> From: John Wiles
>>>> Sent: Sunday, April 19, 2020 11:18 PM
>>>> To: 'Tony Finch' <dot at dotat.at>
>>>> Cc: bind-users at lists.isc.org
>>>> Subject: RE: NAT and Question Section Mismatch
>>>> 
>>>>>> 
>>>>>> I am running into a problem that I think is caused by either a
>>>>>> misconfiguration in Bind9, our Cisco NAT, or perhaps both.
>>>>>> 
>>>>>> When I am on our internal network, I am able to query both
>>>>>> servers and get the appropriate external ip address. However,
>>>>>> when I try to do the same thing externally I get "Question
>>>>>> section mismatch: got 6.1.1.10.in-addr.arpa/PTR/IN."
>>>>> 
>>>>> I bet this is a PIX/ASA fixup fuxup.
>>>>> 
>>>>> Tony.
>>>> 
>>>> Tony, thanks for the response.
>>>> 
>>>> I'm assuming that applies to either DNS inspection and/or the fixup
>>>> command. I'm asking the person that handles the Cisco config to review.
>>>> 
>>>> I also just realized I forgot to mention that it is a 2911 ISR.
>>>> 
>>>> John
>>>> 
>>> 
>>> After going through the router config my Cisco person is pretty sure that
>>> there is nothing in the configuration that is causing this.
>>> 
>>> But I'm not so certain since it appears to only affect the hosts that are in the
>>> NAT. For example, my nslookup results from home:
>>> 
>>>> server 72.162.32.4
>>> Default server: 72.162.32.4
>>> Address: 72.162.32.4#53
>>>> 72.162.32.2
>>> 2.32.162.72.in-addr.arpa        name = gw.iotis.org.
>>>> 72.162.32.3
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; connection timed out; no servers could be reached
>>> 
>>>> 72.162.32.4
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; connection timed out; no servers could be reached
>>> 
>>>> 72.162.32.19
>>> 19.32.162.72.in-addr.arpa       name = badmx2.iotis.org.
>>>> 72.162.32.18
>>> 18.32.162.72.in-addr.arpa       name = badmx.iotis.org.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> 
>> 
> 
> 
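Added example, not code from this thread: a small Python check that mirrors what nslookup was doing above. It builds the PTR query for 72.162.32.4, then compares the question section echoed in a constructed reply whose name has been rewritten to the inside host's reverse name, the way a DNS-inspecting NAT can doctor it; the resolver drops such replies and eventually reports a timeout. The function names and the 0x1234 transaction id are assumptions.

```python
import struct

QTYPE_NAMES = {12: "PTR"}
QCLASS_NAMES = {1: "IN"}

def encode_name(name):
    """Encode a dotted name as wire-format labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + ".", offset + 1

def build_ptr_query(ip, txid):
    """PTR/IN query for an IPv4 address with RD set, as nslookup sends it."""
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 12, 1)

def question_section(msg):
    """Return (txid, qname, qtype, qclass) from the first question of a DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    return (txid, qname) + struct.unpack("!HH", msg[off:off + 4])

def check_response(query, response):
    """Resolver-side sanity check: the reply must carry our ID and echo our exact
    question; otherwise it is dropped, which is what produced the errors in the thread."""
    q, r = question_section(query), question_section(response)
    if q[0] != r[0]:
        return "id mismatch"
    if q[1:] != r[1:]:
        return "question section mismatch: got %s/%s/%s" % (
            r[1].rstrip("."), QTYPE_NAMES.get(r[2], r[2]), QCLASS_NAMES.get(r[3], r[3]))
    return "ok"

def doctored_response(query, rewritten_qname):
    """Constructed sample reply (QR set, NOERROR, no answers) whose question name was
    rewritten to the inside host's reverse name, as a NAT DNS-inspection feature might do."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + encode_name(rewritten_qname) + struct.pack("!HH", 12, 1)

if __name__ == "__main__":
    q = build_ptr_query("72.162.32.4", 0x1234)  # txid is an arbitrary constructed value
    print(check_response(q, doctored_response(q, "25.1.1.10.in-addr.arpa.")))
    print(check_response(q, doctored_response(q, "4.32.162.72.in-addr.arpa.")))
```

Running it with a real resolver behind the NAT in question (send the query bytes over UDP port 53 and feed the reply to check_response) shows directly whether the device is rewriting the question, independent of nslookup's own output.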
