Still Having Intermittent Issues Resolving External Domains

Joel M Nimety jnimety at cybergnostic.com
Thu Jun 3 18:12:56 UTC 2004



Maarten Van Horenbeeck wrote:
 >>It looks like the ttl is 64.
 >
 >
 > Indeed, that's the default TTL for the platform which you described, so
 > this will not be the issue (short TTL problems usually occur with older
 > AIX platforms; where the TTL is lower for UDP packets than for TCP ones).
 >
 > In a previous posting you mentioned that you were seeing the recursive
 > queries go out, without them being answered.  If the DNS server is
 > successfully passing out a query on UDP 53, but a tcpdump does not reveal a
 > reply coming back, this still looks like a firewall issue to me.

We've verified with the Checkpoint people that the dns packets (replies
from external queries) are leaving the firewall on their way back to the
dns servers.  The problem is that the packets aren't reaching the dns
servers.

Between the firewall and the DNS servers we have

Firewall -> Alteon 180e -> Alteon 708 -> Alteon 180e (as a
VIP/load balancer) -> DNS Server Farm

We also have one server not on the Alteon 180e and it fails as often as
the others.

I've just verified with our network guys that there are no ACLs on our
core router.



 > Some time ago, when the first worms started to proliferate using UDP
 > traffic (W32/Slammer), a lot of network engineers actually put in rules at
 > the top of their firewall rulebase which denied all UDP traffic towards
 > port 1434.  I have seen a number of people who have actually had problems
 > with this later on.  If your DNS server makes an outbound UDP query, which
 > accidentally originates from perfectly valid ephemeral port 1434, the
 > reply will not be allowed back in by most firewalls.  Rules such as these
 > are usually located entirely at the top of the rulebase, and a subsequent
 > rule which allows all DNS traffic will not help to allow it through.  At
 > some locations I have even seen such a rule being added to the perimeter
 > router, which adds to the problem, since no-one actually ever verifies
 > those inbound ACLs.
 >
 > Have you had someone verify the firewall logs yet ?  If it is a firewall
 > which performs application inspection, it may have found something unusual
 > in the reply packet, causing it to be dropped completely, even though the
 > rulebase accepts it perfectly fine.  Providing a timestamp and domain to
 > your firewall vendor should be sufficient to have them check this for you.
 >
 > I'm still concentrating on the firewall level here, as I have not yet seen
 > any hints that the issue is in fact a BIND issue.  Can you confirm my
 > initial statement, that a tcpdump on your most external DNS server shows
 > queries going out but no answers being received?  You may also want to
 > check whether your bogon list is up-to-date, but at first sight it looks
 > pretty much ok.
 >
 > Best regards,
 > Maarten
 >
 > --
 > Maarten Van Horenbeeck, GCIA <maarten at daemon.be>
 > http://www.daemon.be/maarten
 >

-- 
Joel Nimety
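One way to test Maarten's ephemeral-port hypothesis against the tcpdump Joel has been asked for, as an added example that is not part of the original thread and not BIND code: pair each outbound recursive query with its reply by (source port, upstream address, transaction id), then group the unanswered queries by source port. If the unanswered ones cluster on a port such as 1434 while neighbouring ports get answers, a port-based ACL in the return path is the likely culprit; if they are spread across ports, the ACL theory is weakened and the load-balancer path deserves the next look. The capture lines, the resolver address and the suspect-port list are constructed for the example.

```python
"""Correlate outbound recursive queries with their replies in tcpdump output.

Added example for the thread above; it is not code from the original post or
from BIND. The capture lines in SAMPLE are constructed to resemble tcpdump's
default DNS decode, and the resolver address and the suspect-port list (1434,
the Slammer port mentioned in the thread) are assumptions.
"""
import re
from collections import defaultdict

# One tcpdump line of the constructed shape:
#   18:12:56.100000 IP 192.0.2.10.1434 > 198.51.100.5.53: 4660+ A? www.example.com. (32)
# Only timestamp, addresses, ports and the DNS transaction id are used.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[+*|$-]*\s"
)

RESOLVER = "192.0.2.10"            # assumed address of the recursive server
SUSPECT_PORTS = frozenset({1434})  # ports an emergency worm rule may block


def parse_packet(line):
    """Return the fields of a DNS line as a dict, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "txid": int(d["txid"]),
    }


def correlate(lines, resolver_ip=RESOLVER):
    """Split the resolver's outbound queries into answered and unanswered.

    A query is keyed on (resolver source port, upstream address, txid); the
    reply must come from upstream port 53 back to that port with the same
    txid. Replies whose txid matches nothing pending are ignored, which is
    also what the resolver itself does with a spoofed or stale answer.
    """
    pending = {}
    answered = []
    for line in lines:
        p = parse_packet(line)
        if p is None:
            continue
        if p["src"] == resolver_ip and p["dport"] == 53:
            pending[(p["sport"], p["dst"], p["txid"])] = p
        elif p["dst"] == resolver_ip and p["sport"] == 53:
            q = pending.pop((p["dport"], p["src"], p["txid"]), None)
            if q is not None:
                answered.append(q)
    return answered, list(pending.values())


def summarize(answered, unanswered, suspect_ports=SUSPECT_PORTS):
    """Count outcomes per resolver source port and flag the ACL signature.

    A port on the suspect list that never sees an answer while other ports
    do is what a top-of-rulebase rule denying UDP to port 1434 produces:
    the query leaves, the reply is dropped on its destination port.
    """
    stats = defaultdict(lambda: {"answered": 0, "unanswered": 0, "suspect": False})
    for q in answered:
        stats[q["sport"]]["answered"] += 1
    for q in unanswered:
        stats[q["sport"]]["unanswered"] += 1
    for port, s in stats.items():
        s["suspect"] = (port in suspect_ports
                        and s["answered"] == 0 and s["unanswered"] > 0)
    return dict(stats)


# Constructed capture: one healthy port, port 1434 with no replies, one stray
# reply with a wrong txid, and one non-DNS line the parser must skip.
SAMPLE = [
    "18:12:56.100000 IP 192.0.2.10.32771 > 198.51.100.5.53: 4660+ A? www.example.com. (32)",
    "18:12:56.131000 IP 198.51.100.5.53 > 192.0.2.10.32771: 4660 1/0/0 A 203.0.113.7 (48)",
    "18:12:57.200000 IP 192.0.2.10.1434 > 198.51.100.9.53: 4661+ A? mail.example.net. (34)",
    "18:12:58.300000 IP 192.0.2.10.1434 > 198.51.100.5.53: 4662+ MX? example.org. (29)",
    "18:12:59.000000 IP 192.0.2.10.32772 > 198.51.100.5.53: 4663+ A? ns1.example.com. (33)",
    "18:12:59.020000 IP 198.51.100.5.53 > 192.0.2.10.32772: 9999 1/0/0 A 203.0.113.8 (49)",
    "18:12:59.025000 IP 198.51.100.5.53 > 192.0.2.10.32772: 4663 1/0/0 A 203.0.113.8 (49)",
    "18:12:59.500000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    a, u = correlate(SAMPLE)
    for port, s in sorted(summarize(a, u).items()):
        flag = "  <-- reply blocked on this port?" if s["suspect"] else ""
        print(f"port {port:5d}: {s['answered']} answered, {s['unanswered']} unanswered{flag}")
```

Feed it the output of `tcpdump -nn udp port 53` taken on the DNS server itself (not on the firewall, since the point of dispute is what reaches the server), and set RESOLVER to that host's address. The check is only as good as the capture: take it over enough time that many ephemeral ports are exercised, or the absence of answers on one port is just noise.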