At Wed, 10 Sep 2008 13:59:36 +0200,
"Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
> I finally learned some more about the Cisco ASA and was able to
> capture all packages to and from the name server. When the recursive
> requests fail, there is no trace of communication on the ASA - not
> even the
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-15]:
> At Fri, 15 Aug 2008 10:27:13 +1000,
> Mark Andrews <[EMAIL PROTECTED]> wrote:
>
> > > > > fctx 0x87b7b20(images.yandex.ru/A'): query
> > > > > fctx 0x87b7b20(images.yandex.ru/A'): done
> > > >
> > > > This seems to indica
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Hans F. Nordhaug
> Sent: Saturday, August 16, 2008 3:49 AM
> To: [bind-users]
> Subject: Re: Recursive queries fail if query source port is not fixed
>
> * Steven Stromer <[EM
* Andrey G. Sergeev (AKA Andris) <[EMAIL PROTECTED]> [2008-08-14]:
> Hello Hans,
>
>
> what about any suspicious syslog messages from your ASA?
Nothing suspicious. (I assume that suspicious stuff is reported in
level 4, and not 5/6)
> Have you used the Packet Tracer tool to discover and debug
* Steven Stromer <[EMAIL PROTECTED]> [2008-08-15]:
> I doubt that this is at all pertinent, but I was experiencing similar
> behavior once I patched a client a few weeks ago and took them off
> port 53. Recursive requests were failing three out of every four
> times they were made, yet digs w
I doubt that this is at all pertinent, but I was experiencing similar
behavior once I patched a client a few weeks ago and took them off
port 53. Recursive requests were failing three out of every four
times they were made, yet digs with trace worked. The company uses a
crappy Netgear firew
At Fri, 15 Aug 2008 10:27:13 +1000,
Mark Andrews <[EMAIL PROTECTED]> wrote:
> > > > fctx 0x87b7b20(images.yandex.ru/A'): query
> > > > fctx 0x87b7b20(images.yandex.ru/A'): done
> > >
> > > This seems to indicate creating a query socket somehow failed. Can
> > > you build BIND by hand to see if yo
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of JINMEI Tatuya /
> > Sent: Thursday, August 14, 2008 3:21 PM
> > To: Hans F. Nordhaug
> > Cc: bind-users@isc.org
> > Subject: Re: Recursive quer
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of JINMEI Tatuya /
> Sent: Thursday, August 14, 2008 3:21 PM
> To: Hans F. Nordhaug
> Cc: bind-users@isc.org
> Subject: Re: Recursive queries fail if query source port is not fix
At Thu, 14 Aug 2008 15:20:38 +0200,
> fctx 0xb3d04278(./NS'): destroy
> resquery 0xb3f02260 (fctx 0x87b7b20(images.yandex.ru/A)): response
> fctx 0x87b7b20(images.yandex.ru/A'): noanswer_response
> fctx 0x87b7b20(images.yandex.ru/A'): cache_message
> fctx 0x87b7b20(images.yandex.ru/A'): cancelquer
PM
To: bind-users@isc.org
Subject: Re: Recursive queries fail if query source port is not fixed
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-14]:
> Can you run "rpm -qa |grep -i bind" to verify the version of BIND
> packages you have? That is I'm looking for the full ver
Hans Fredrik Nordhaug wrote:
>> what about any suspicious syslog messages from your ASA?
>
> Nothing suspicious. (I assume that suspicious stuff is reported in
> level 4, and not 5/6)
Would it be possible to remove the ASA from the equation completely?
Also, have you done any packet captures on
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-14]:
> Can you run "rpm -qa |grep -i bind" to verify the version of BIND
> packages you have? That is I'm looking for the full version you're
> using and not just 9.3.4-P1.
bind-9.3.4-6.0.2.P1.el5_2
bind-libs-9.3.4-6.0.2.P1.el5_2
bind-utils-9.3.4-6
ev (AKA Andris)
Sent: Thursday, August 14, 2008 10:11 AM
To: bind-users@isc.org
Subject: Re: Recursive queries fail if query source port is not fixed
Hello Hans,
what about any suspicious syslog messages from your ASA? Have you used
the Packet Tracer tool to discover and debug the way packets are
pro
Hello Hans,
what about any suspicious syslog messages from your ASA? Have you used
the Packet Tracer tool to discover and debug the way packets are processed?
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/
This thread is turning too long, but I can't give up yet - sorry,
everyone.
* Andrey G. Sergeev (AKA Andris) <[EMAIL PROTECTED]> [2008-08-14]:
[cut]
> > Thx for replying. I did a query for the a record of images.yandex.ru
> > with and without the trace. With trace, I get a reply - without
> > tra
Hello Hans,
Thu, 14 Aug 2008 14:05:21 +0200 Hans F. Nordhaug wrote:
>> Assuming that your name servers aren't authoritative for the, say,
>> yandex.ru, ku.dk and asahi.co.jp zones, please post here the
>> results of doing at least one command suggested below without the
>> query-source directiv
* Andrey G. Sergeev (AKA Andris) <[EMAIL PROTECTED]> [2008-08-14]:
> Hello Hans,
[cut]
> Assuming that your name servers aren't authoritative for the, say,
> yandex.ru, ku.dk and asahi.co.jp zones, please post here the results of
> doing at least one command suggested below without the query-sour
Hello Hans,
On 14.08.2008 11:48, Hans F. Nordhaug wrote:
> * Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
>>> * Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
Does "dig ns . @198.41.0.4" succeed when run from the box
running the nameserver?
>>> Yes.
>>>
>>> I still don't underst
* Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
>
> > * Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
> > >
> > > Does "dig ns . @198.41.0.4" succeed when run from the box
> > > running the nameserver?
> >
> > Yes.
> >
> > I still don't understand why most recursive queries only work aft
> * Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
> >
> > Does "dig ns . @198.41.0.4" succeed when run from the box
> > running the nameserver?
>
> Yes.
>
> I still don't understand why most recursive queries only work after
> many, many tries - argh. Oh, I just tested doing one query
* Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]:
>
> Does "dig ns . @198.41.0.4" succeed when run from the box
> running the nameserver?
Yes.
I still don't understand why most recursive queries only work after
many, many tries - argh. Oh, I just tested doing one query, waiting
30 s
* Kevin Darcy <[EMAIL PROTECTED]> [2008-08-14]:
> Hans F. Nordhaug wrote:
> > * Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]:
> >
> >> * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]:
> >>
> >>> My guess is you have a firewall that is only allowing port 53 outbound.
> >>>
> >>> Are yo
Does "dig ns . @198.41.0.4" succeed when run from the box
running the nameserver?
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
Hans F. Nordhaug wrote:
> * Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]:
>
>> * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]:
>>
>>> My guess is you have a firewall that is only allowing port 53 outbound.
>>>
>>> Are you running iptables? If so does turning it off temporarily resol
* Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]:
> * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]:
> > My guess is you have a firewall that is only allowing port 53 outbound.
> >
> > Are you running iptables? If so does turning it off temporarily resolve
> > the issue? Is there a firewall/
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-14]:
> You said you installed 9.3.4-P1.
>
> Was the update you did from a repository updated after July 10th?
>
> I believe July 10th is the day RedHat back ported the fix into 9.3.4-P1.
> CentOS is a binary compile of RHEL sources so it seems the 9.
PM
To: bind-users@isc.org
Subject: Re: Recursive queries fail if query source port is not fixed
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-14]:
> At Thu, 14 Aug 2008 01:42:40 +0200,
> "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
>
> > >
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-14]:
> At Thu, 14 Aug 2008 01:42:40 +0200,
> "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
>
> > > Do you mean any query always fails, or some queries sometime fail
> > > (while some others succeed)?
> >
> > Thx for replying.
>
At Thu, 14 Aug 2008 01:42:40 +0200,
"Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
> > Do you mean any query always fails, or some queries sometime fail
> > (while some others succeed)?
>
> Thx for replying.
>
> Any recursive query, i.e., any query for some domain the server isn't
> authoritative f
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-14]:
> At Wed, 13 Aug 2008 09:36:18 +0200,
> "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
>
> > In the quest for securing the name servers in a company I try to help,
> > I have gotten into to trouble. The company is running Ce
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]:
> My guess is you have a firewall that is only allowing port 53 outbound.
>
> Are you running iptables? If so does turning it off temporarily resolve
> the issue? Is there a firewall/switch upstream from your server that
> needs to be adjusted?
>
At Wed, 13 Aug 2008 09:36:18 +0200,
"Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote:
> In the quest for securing the name servers in a company I try to help,
> I have gotten into trouble. The company is running CentOS 5.0 and I
> have updated their Bind to 9.3.4_P1. In addition, I planned to remov
My guess is you have a firewall that is only allowing port 53 outbound.
Are you running iptables? If so does turning it off temporarily resolve
the issue? Is there a firewall/switch upstream from your server that
needs to be adjusted?
We're running RHEL 5 with 9.3.4-P1 and it works fine here wi