Unable to browse from external network in SplitDNS

Warren Kumari warren at kumari.net
Wed Mar 18 13:35:04 UTC 2020


On Wed, Mar 18, 2020 at 9:03 AM Purva Rawan <purvar at cdac.in> wrote:

> Hello,
>
> We have configured splitDNS. The BIND version is 9.9.2. We are able to look
> up and browse to a particular URL (e.g. https://registry.npmjs.org) from the
> internal network, but when we tried the same URL from the external network, it
> failed to browse, but we are able to do nslookup. We checked the tcpdump logs
> and observed that the DNS protocol switched from UDP to TCP.
>
> Tcpdump logs for reference
>
> 17:39:28.380918 ARP, Request who-has 196.1.113.242 tell 196.1.113.248, length 28
>
> 17:39:28.381205 ARP, Reply 196.1.113.242 is-at 00:09:0f:09:00:1a, length 46
>
> 17:39:30.395995 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2512104 ecr 0,nop,wscale 7], length 0
>
> 17:39:38.420575 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2520128 ecr 0,nop,wscale 7], length 0
>
> 17:39:54.451991 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2536160 ecr 0,nop,wscale 7], length 0
>
> 17:40:26.483591 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2568192 ecr 0,nop,wscale 7], length 0
>
> Kindly help to resolve the same.
>
You appear to have network / firewall, not DNS issues -- 196.1.113.242 is
sending SYN (open a connection) packets to ns1.cdac.in, but is not getting
any reply packets from it (assuming you included all of the tcpdump output)
- this either means that ns1.cdac.in was down, or, more likely,
that 196.1.113.242 cannot send packets to it on port 53.
As a quick and dirty test, can you telnet from 196.1.113.242 to port 53
on 196.1.113.248?

W




> Regards,
>
> Purva Rawan


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
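
Added example, not part of either poster's message: a small Python parser that applies the reasoning in the reply above to tcpdump text output, flagging flows whose SYNs are retransmitted and never answered by a SYN-ACK or RST. The four TCP lines are the ones from the post; the 192.0.2.x flow is constructed for contrast, and the names `CAPTURE` and `unanswered_syns` are hypothetical.

```python
import re
from collections import defaultdict

# The four TCP lines from the capture in the post, one record per line, plus a
# constructed, answered flow on documentation addresses (192.0.2.0/24).
CAPTURE = """\
17:39:30.395995 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2512104 ecr 0,nop,wscale 7], length 0
17:39:38.420575 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2520128 ecr 0,nop,wscale 7], length 0
17:39:54.451991 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2536160 ecr 0,nop,wscale 7], length 0
17:40:26.483591 IP 196.1.113.242.54930 > 196.1.113.248.domain: Flags [S], seq 2177054283, win 14600, options [mss 1460,sackOK,TS val 2568192 ecr 0,nop,wscale 7], length 0
17:41:00.000100 IP 192.0.2.10.40000 > 192.0.2.53.domain: Flags [S], seq 1000, win 14600, length 0
17:41:00.000900 IP 192.0.2.53.domain > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, win 14480, length 0
"""

# timestamp, "IP", source ip.port, destination ip.port, TCP flags
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\]")


def unanswered_syns(text):
    """Map (src, dst) -> gaps in seconds between SYNs, for flows with no SYN-ACK/RST back."""
    syns, answered = defaultdict(list), set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP and other non-TCP lines
        h, mi, s, src, dst, flags = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        if flags == "S":
            syns[(src, dst)].append(ts)      # connection attempt (or a retransmit of it)
        elif flags.startswith("S.") or "R" in flags:
            answered.add((dst, src))         # the far end replied to this flow
    return {
        flow: [round(b - a) for a, b in zip(times, times[1:])]
        for flow, times in syns.items()
        if flow not in answered
    }


if __name__ == "__main__":
    for (src, dst), gaps in unanswered_syns(CAPTURE).items():
        print(f"{src} -> {dst}: {len(gaps) + 1} SYNs, no reply; retransmit gaps {gaps}s")
```

The doubling gaps between identical SYNs are the client's retransmission backoff, which is what a silently dropped TCP/53 connection looks like from the capturing side.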