Strange domain issues - waterco.com.my
Mark Andrews
Mark_Andrews at isc.org
Thu May 24 23:30:46 UTC 2007
> Hi guys,
> We've been unable to send mails to waterco.com.my and mails always bounce bac
> k saying that its a DNS issue. Digging further, we can get a response via 'di
> g waterco.com.my' but no responses via 'dig @ns1.waterco.com.my waterco.com.m
> y mx' or 'dig @ns2.waterco.com.my waterco.com.my mx'. Is there any logic to t
> his? We seem to think that its probably some weird firewall issue but have no
> experience troubleshooting these cases.
They have broken firewall rules. port 23002 gets a response
port 62437 doesn't. Fiddle with "dig -4 -b 0.0.0.0#<port>".
They should be allowing queries from any port to the dns server
and they should be allowing the replies back out..
e.g.
allow udp from any to 60.51.231.186/31 port 53 in
allow udp from 60.51.231.186/31 port 53 to any out
allow tcp from any to 60.51.231.186/31 port 53 in
allow tcp from 60.51.231.186/31 port 53 to any out
This should be before any other blocking rules. If you are
offering a service you shouldn't care about the source port.
If you allow a packet in you should allow the reply out.
Rules which block packets out to particular ports are
generally wrong. They usually have unexpected consequences.
Eventually there will be no ports unblocked.
Mark
09:10:20.229860 220.239.253.18.23002 > 60.51.231.187.53: 14534 [1au] MX? waterco.com.my. (43)
09:10:25.230692 220.239.253.18.23002 > 60.51.231.187.53: 14534 [1au] MX? waterco.com.my. (43)
09:10:30.231576 220.239.253.18.23002 > 60.51.231.187.53: 14534 [1au] MX? waterco.com.my. (43)
09:10:39.112427 220.239.253.18.23002 > 60.51.231.186.53: 44034 [1au] MX? waterco.com.my. (43)
09:10:39.490883 60.51.231.186.53 > 220.239.253.18.23002: 44034* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:42.525320 220.239.253.18.23002 > 60.51.231.186.53: 40971 [1au] MX? waterco.com.my. (43)
09:10:42.920080 60.51.231.186.53 > 220.239.253.18.23002: 40971* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:44.172599 220.239.253.18.23002 > 60.51.231.186.53: 34705 [1au] MX? waterco.com.my. (43)
09:10:44.550605 60.51.231.186.53 > 220.239.253.18.23002: 34705* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:45.966842 220.239.253.18.23002 > 60.51.231.186.53: 59444 [1au] MX? waterco.com.my. (43)
09:10:46.344740 60.51.231.186.53 > 220.239.253.18.23002: 59444* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:49.627374 220.239.253.18.23002 > 60.51.231.187.53: 54943 [1au] MX? waterco.com.my. (43)
09:10:54.628345 220.239.253.18.23002 > 60.51.231.187.53: 54943 [1au] MX? waterco.com.my. (43)
09:11:05.361121 220.239.253.18.23002 > 60.51.231.186.53: 44307 [1au] MX? waterco.com.my. (43)
09:11:05.738719 60.51.231.186.53 > 220.239.253.18.23002: 44307* 1/2/4 MX mx.waterco.com.my. 10 (146)
dig +norec mx waterco.com.my +dnssec @60.51.231.186
09:11:14.198020 220.239.253.18.62437 > 60.51.231.186.53: 48867 [1au] MX? waterco.com.my. (43)
09:11:19.198128 220.239.253.18.62437 > 60.51.231.186.53: 48867 [1au] MX? waterco.com.my. (43)
dig -b0.0.0.0#23002 +norec mx waterco.com.my +dnssec @60.51.231.186
09:11:23.178069 220.239.253.18.23002 > 60.51.231.186.53: 29989 [1au] MX? waterco.com.my. (43)
09:11:23.557357 60.51.231.186.53 > 220.239.253.18.23002: 29989* 1/2/4 MX mx.waterco.com.my. 10 (146)
dig -b0.0.0.0#23002 +norec mx waterco.com.my +dnssec @60.51.231.186
09:12:01.789360 220.239.253.18.23002 > 60.51.231.186.53: 14578 [1au] MX? waterco.com.my. (43)
09:12:02.166798 60.51.231.186.53 > 220.239.253.18.23002: 14578* 1/2/4 MX mx.waterco.com.my. 10 (146)
> # dig waterco.com.my mx
>
> ; <<>> DiG 9.4.0 <<>> waterco.com.my mx
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1197
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;waterco.com.my. IN MX
>
> ;; ANSWER SECTION:
> waterco.com.my. 3600 IN MX 10 mx.waterco.com.my.
>
> ;; AUTHORITY SECTION:
> waterco.com.my. 3597 IN NS ns2.waterco.com.my.
> waterco.com.my. 3597 IN NS ns1.waterco.com.my.
>
> ;; ADDITIONAL SECTION:
> mx.waterco.com.my. 3600 IN A 60.51.231.187
>
> ;; Query time: 14 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu May 24 20:16:10 2007
> ;; MSG SIZE rcvd: 103
>
>
> # dig @ns1.waterco.com.my waterco.com.my mx
>
> ; <<>> DiG 9.4.0 <<>> @ns1.waterco.com.my waterco.com.my mx
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
>
> I've contacted the domain owner but they seem to say that everything's alrigh
> t at their end. Can anybody help verify if you guys are also seing the same t
> hing? Any assistance rendered is greatly appreciated. Thanks!
>
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list