Strange domain issues - waterco.com.my

Mark Andrews Mark_Andrews at isc.org
Thu May 24 23:30:46 UTC 2007


> Hi guys,
> We've been unable to send mails to waterco.com.my and mails always bounce
> back saying that it's a DNS issue. Digging further, we can get a response via
> 'dig waterco.com.my' but no responses via
> 'dig @ns1.waterco.com.my waterco.com.my mx' or
> 'dig @ns2.waterco.com.my waterco.com.my mx'. Is there any logic to this? We
> seem to think that it's probably some weird firewall issue but have no
> experience troubleshooting these cases.

	They have broken firewall rules.  Port 23002 gets a response,
	port 62437 doesn't.  Fiddle with "dig -4 -b 0.0.0.0#<port>".

	They should be allowing queries from any port to the dns server
	and they should be allowing the replies back out.

	e.g.
		allow udp from any to 60.51.231.186/31 port 53 in
		allow udp from 60.51.231.186/31 port 53 to any out
		allow tcp from any to 60.51.231.186/31 port 53 in
		allow tcp from 60.51.231.186/31 port 53 to any out

	This should be before any other blocking rules.  If you are
	offering a service you shouldn't care about the source port.
	If you allow a packet in you should allow the reply out.

	Rules which block packets out to particular ports are
	generally wrong.  They usually have unexpected consequences.
	Eventually there will be no ports unblocked.

	Mark

09:10:20.229860 220.239.253.18.23002 > 60.51.231.187.53:  14534 [1au] MX? waterco.com.my. (43)
09:10:25.230692 220.239.253.18.23002 > 60.51.231.187.53:  14534 [1au] MX? waterco.com.my. (43)
09:10:30.231576 220.239.253.18.23002 > 60.51.231.187.53:  14534 [1au] MX? waterco.com.my. (43)
09:10:39.112427 220.239.253.18.23002 > 60.51.231.186.53:  44034 [1au] MX? waterco.com.my. (43)
09:10:39.490883 60.51.231.186.53 > 220.239.253.18.23002:  44034* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:42.525320 220.239.253.18.23002 > 60.51.231.186.53:  40971 [1au] MX? waterco.com.my. (43)
09:10:42.920080 60.51.231.186.53 > 220.239.253.18.23002:  40971* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:44.172599 220.239.253.18.23002 > 60.51.231.186.53:  34705 [1au] MX? waterco.com.my. (43)
09:10:44.550605 60.51.231.186.53 > 220.239.253.18.23002:  34705* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:45.966842 220.239.253.18.23002 > 60.51.231.186.53:  59444 [1au] MX? waterco.com.my. (43)
09:10:46.344740 60.51.231.186.53 > 220.239.253.18.23002:  59444* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:10:49.627374 220.239.253.18.23002 > 60.51.231.187.53:  54943 [1au] MX? waterco.com.my. (43)
09:10:54.628345 220.239.253.18.23002 > 60.51.231.187.53:  54943 [1au] MX? waterco.com.my. (43)
09:11:05.361121 220.239.253.18.23002 > 60.51.231.186.53:  44307 [1au] MX? waterco.com.my. (43)
09:11:05.738719 60.51.231.186.53 > 220.239.253.18.23002:  44307* 1/2/4 MX mx.waterco.com.my. 10 (146)

	dig +norec mx waterco.com.my +dnssec @60.51.231.186

09:11:14.198020 220.239.253.18.62437 > 60.51.231.186.53:  48867 [1au] MX? waterco.com.my. (43)
09:11:19.198128 220.239.253.18.62437 > 60.51.231.186.53:  48867 [1au] MX? waterco.com.my. (43)

	dig -b0.0.0.0#23002 +norec mx waterco.com.my +dnssec @60.51.231.186

09:11:23.178069 220.239.253.18.23002 > 60.51.231.186.53:  29989 [1au] MX? waterco.com.my. (43)
09:11:23.557357 60.51.231.186.53 > 220.239.253.18.23002:  29989* 1/2/4 MX mx.waterco.com.my. 10 (146)

	dig -b0.0.0.0#23002 +norec mx waterco.com.my +dnssec @60.51.231.186

09:12:01.789360 220.239.253.18.23002 > 60.51.231.186.53:  14578 [1au] MX? waterco.com.my. (43)
09:12:02.166798 60.51.231.186.53 > 220.239.253.18.23002:  14578* 1/2/4 MX mx.waterco.com.my. 10 (146)

> # dig waterco.com.my mx
> 
> ; <<>> DiG 9.4.0 <<>> waterco.com.my mx
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1197
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;waterco.com.my.                        IN      MX
> 
> ;; ANSWER SECTION:
> waterco.com.my.         3600    IN      MX      10 mx.waterco.com.my.
> 
> ;; AUTHORITY SECTION:
> waterco.com.my.         3597    IN      NS      ns2.waterco.com.my.
> waterco.com.my.         3597    IN      NS      ns1.waterco.com.my.
> 
> ;; ADDITIONAL SECTION:
> mx.waterco.com.my.      3600    IN      A       60.51.231.187
> 
> ;; Query time: 14 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu May 24 20:16:10 2007
> ;; MSG SIZE  rcvd: 103
> 
> 
> # dig @ns1.waterco.com.my waterco.com.my mx
> 
> ; <<>> DiG 9.4.0 <<>> @ns1.waterco.com.my waterco.com.my mx
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> 
> I've contacted the domain owner but they seem to say that everything's
> alright at their end. Can anybody help verify if you guys are also seeing the
> same thing? Any assistance rendered is greatly appreciated. Thanks!
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
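
Added example, not part of the original message: a small Python script that reads tcpdump lines like the ones in the capture above (a subset is embedded) and reports, per server and client source port, how many distinct DNS queries were answered. The function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Subset of the tcpdump lines from the message above.
CAPTURE = """\
09:10:20.229860 220.239.253.18.23002 > 60.51.231.187.53:  14534 [1au] MX? waterco.com.my. (43)
09:10:25.230692 220.239.253.18.23002 > 60.51.231.187.53:  14534 [1au] MX? waterco.com.my. (43)
09:10:39.112427 220.239.253.18.23002 > 60.51.231.186.53:  44034 [1au] MX? waterco.com.my. (43)
09:10:39.490883 60.51.231.186.53 > 220.239.253.18.23002:  44034* 1/2/4 MX mx.waterco.com.my. 10 (146)
09:11:14.198020 220.239.253.18.62437 > 60.51.231.186.53:  48867 [1au] MX? waterco.com.my. (43)
09:11:19.198128 220.239.253.18.62437 > 60.51.231.186.53:  48867 [1au] MX? waterco.com.my. (43)
09:11:23.178069 220.239.253.18.23002 > 60.51.231.186.53:  29989 [1au] MX? waterco.com.my. (43)
09:11:23.557357 60.51.231.186.53 > 220.239.253.18.23002:  29989* 1/2/4 MX mx.waterco.com.my. 10 (146)
"""

# time, src ip.port, dst ip.port, DNS id (flags such as '*' may follow the id)
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\d+)")

def summarize(capture, dns_port=53):
    """Return {(server_ip, client_port): [queries_sent, replies_seen]}.

    Retransmissions reuse the DNS id, so distinct queries are counted by id.
    """
    queries = defaultdict(set)   # (server, client port) -> ids sent
    replies = defaultdict(set)   # (server, client port) -> ids answered
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src_ip, src_port, dst_ip, dst_port, qid = m.groups()
        if int(dst_port) == dns_port:        # client -> server
            queries[(dst_ip, int(src_port))].add(qid)
        elif int(src_port) == dns_port:      # server -> client
            replies[(src_ip, int(dst_port))].add(qid)
    return {k: [len(ids), len(ids & replies[k])] for k, ids in queries.items()}

def unanswered(capture):
    """Flows where no query got a reply: candidates for a filtering rule."""
    return sorted(k for k, (sent, got) in summarize(capture).items() if got == 0)

if __name__ == "__main__":
    for (server, port), (sent, got) in sorted(summarize(CAPTURE).items()):
        print(f"{server} from source port {port}: {got}/{sent} answered")
```

A server that answers from one source port and stays silent from another, as 60.51.231.186 does here, points at packet filtering on the path rather than at the name server itself.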


