Hi!

Need help to understand dns/pf/tcpdump. See below.

ns.foo.bar is a dns slave that makes AXFR zone transfers from my server (mybox). Why is the traffic blocked on the first lines? What kind of traffic is that? Perhaps I don't understand DNS fully, but I thought zone transfers were made using TCP only, and ordinary queries UDP.

Here's the relevant part of my pf config:

$ext_if = "bge0"

rule 18) pass in log quick on $ext_if inet proto tcp from <dns_slaves> to any port = domain
rule 19) pass in log quick on $ext_if inet proto udp from <dns_slaves> to any port = domain

rule 21) block return in log on $ext_if all

# tcpdump -a -e -o -ttt -i pflog0
Jul 24 05:34:15.090025 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:19.089201 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:27.090143 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:43.107922 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
Jul 24 05:34:46.101496 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
Jul 24 05:34:52.101598 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
Jul 24 05:35:04.102286 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
Jul 24 05:35:28.102625 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)

No transfers were actually made this time; I guess the slaves are just checking in and comparing the serial numbers of the zones. But transfers do work according to the logfiles from named.


Anybody? :-)

Mackan
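As an added illustration (not part of Mackan's post), a small Python parser for the tcpdump rendering of pflog records quoted above: it tallies which rule caught which packets and flags blocked packets from a host that another rule passes for the same service, which is the first thing to check when a table-based pass rule is not matching as expected. SAMPLE_LOG is constructed from the post, and the mapping of "[|domain]" to UDP and "[|tcp]" to TCP is an assumption about how tcpdump shows the two truncated decodes.

```python
import re
from collections import Counter

# Constructed sample input: the pflog records quoted in the post, one per line.
SAMPLE_LOG = """\
Jul 24 05:34:15.090025 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:19.089201 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:27.090143 rule 21/(match) block in on bge0: ns.foo.bar. 55009 > mybox.domain: [|domain] (DF)
Jul 24 05:34:43.107922 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
Jul 24 05:34:46.101496 rule 18/(match) pass in on bge0: ns.foo.bar. 43646 > mybox.domain: [|tcp] (DF)
"""

# One tcpdump line read from pflog0 with -e -ttt, as rendered in the post.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) (?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"\[\|(?P<decode>\w+)\]"
)

# Assumption: "[|tcp]" is a truncated TCP segment, "[|domain]" a truncated DNS
# message carried over UDP (tcpdump decodes UDP/53 payloads directly as DNS).
DECODE_TO_PROTO = {"tcp": "tcp", "domain": "udp"}


def parse_pflog(text):
    """Turn the tcpdump rendering of pflog records into dicts; skip non-matching lines."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src"] = rec["src"].rstrip(".")  # tcpdump prints FQDNs with a trailing dot
        rec["proto"] = DECODE_TO_PROTO.get(rec["decode"], "unknown")
        records.append(rec)
    return records


def summarize(records):
    """Count packets per (rule, action, inferred protocol) to see which rule caught what."""
    return Counter((r["rule"], r["action"], r["proto"]) for r in records)


def blocked_but_passed_elsewhere(records):
    """Blocked records whose (src host, dst port) pair some other rule passed."""
    passed = {(r["src"], r["dport"]) for r in records if r["action"] == "pass"}
    return [r for r in records
            if r["action"] == "block" and (r["src"], r["dport"]) in passed]
```

Run over the full log from the post, the summary should show every rule 21 hit as UDP and every rule 18 hit as TCP, and the last function lists the UDP packets that fell through to the catch-all block.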
