DNS Queries from port 53 blocked?

Charles Steinkuehler charles at steinkuehler.net
Thu Oct 14 16:29:24 CDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am trying to debug a DNS issue we're having with a few domains, and I
have run across some strange behavior.  If I directly query their DNS
using dig, I get a response.  If, however, I let my DNS server ask
(using a source port of 53), the query seems to drop into a black hole.

The "good" queries, generated by 'dig mx mwmg.com @<theirIP>':
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53:  64781+ MX? mwmg.com. (26)
> 16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774:  64781*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:35.981553 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53:  24533+ MX? mwmg.com. (26)
> 16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774:  24533*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:36.041330 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53:  28663+ MX? mwmg.com. (26)
> 16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774:  28663*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:36.091515 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53:  29634+ MX? mwmg.com. (26)
> 16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774:  29634*- 2/5/5 mwmg.com. MX[|domain]

The "bad" queries, when I let my DNS server do the asking for me:
> 16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53:  23036 [1au] MX? mwmg.com. (37)
> 16:23:15.277325 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53:  64536 [1au] MX? mwmg.com. (37)
> 16:23:17.281891 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53:  34458 [1au] MX? mwmg.com. (37)
> 16:23:19.286253 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  35884 MX? mwmg.com. (26)
> 16:23:21.286655 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  65460 MX? mwmg.com. (26)
> 16:23:23.291087 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  59086 MX? mwmg.com. (26)
> 16:23:25.295724 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53:  5122 MX? mwmg.com. (26)
> 16:23:27.300226 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  53089 MX? mwmg.com. (26)
> 16:23:29.304645 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  12885 MX? mwmg.com. (26)
> 16:23:37.306880 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  21131 MX? mwmg.com. (26)

So...have folks started dropping traffic originating from port 53?!?

How did I miss this memo, or am I missing something obvious in the above?

- -- 
Charles Steinkuehler
charles at steinkuehler.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky3djQACgkQLywbqEHdNFxX0gCfchNpsCEkLQzc/hDncxDK/YGZ
BToAn00jwPV7OT9UjQ4wyLKB/kGS7OqQ
=oV+d
-----END PGP SIGNATURE-----
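The capture above can be checked mechanically rather than by eye: pair each query with its response on (client address, client port, server, transaction ID) and then compare the answer rate for queries sourced from port 53 against those sourced from an ephemeral port. The same matcher also surfaces responses that arrive with no matching outstanding query, which is the trace an off-path answer-injection attempt leaves in a capture and the reason RFC 5452 recommends randomised source ports instead of a fixed query-source port of 53. The script below is an added example written for this page, not code from the original post; the sample input is a subset of the tcpdump lines quoted in the post, embedded inline so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the tcpdump output quoted in the post
# (two answered queries from an ephemeral port, three unanswered queries
# sent from source port 53).
SAMPLE = """\
16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53:  64781+ MX? mwmg.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774:  64781*- 2/5/5 mwmg.com. MX[|domain]
16:22:35.981553 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53:  24533+ MX? mwmg.com. (26)
16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774:  24533*- 2/5/5 mwmg.com. MX[|domain]
16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53:  23036 [1au] MX? mwmg.com. (37)
16:23:15.277325 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53:  64536 [1au] MX? mwmg.com. (37)
16:23:19.286253 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  35884 MX? mwmg.com. (26)
"""

# One tcpdump -v UDP line: timestamp, the parenthesised IP header summary,
# src.port > dst.port: txid[flags] [1au] QTYPE? name (len)   for a query
# ...: txid[flags] ans/auth/add name ...                      for a response
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP .*?\) "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)(?P<flags>[+*\-|$]*)\s*(?P<rest>.*)$"
)


def parse(capture):
    """Parse tcpdump lines into dicts; lines that are not UDP DNS are skipped."""
    records = []
    for line in capture.splitlines():
        line = line.strip().lstrip("> ")  # tolerate mail-quoted lines
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # tcpdump prints "QTYPE?" only for queries; responses print answer counts
        rec["is_query"] = "?" in rec["rest"]
        # "[1au]" marks an EDNS0 OPT record in the additional section
        rec["edns"] = "[1au]" in rec["rest"]
        records.append(rec)
    return records


def match_queries(records):
    """Pair queries with responses by (client ip, client port, server ip, server port, txid).

    Returns (queries, unsolicited): every query with an 'answered' flag, plus any
    response for which no outstanding query existed.
    """
    pending = {}
    queries = []
    unsolicited = []
    for r in records:
        if r["is_query"]:
            key = (r["sip"], r["sport"], r["dip"], r["dport"], r["txid"])
            q = {"ts": r["ts"], "client_port": int(r["sport"]),
                 "server": r["dip"], "txid": r["txid"], "answered": False}
            pending[key] = q
            queries.append(q)
        else:
            key = (r["dip"], r["dport"], r["sip"], r["sport"], r["txid"])
            q = pending.pop(key, None)
            if q is None:
                unsolicited.append(r)  # answer nobody asked for: worth alerting on
            else:
                q["answered"] = True
    return queries, unsolicited


def answer_rate_by_source(queries):
    """Count sent/answered queries, split by source port 53 vs ephemeral."""
    stats = defaultdict(lambda: {"sent": 0, "answered": 0})
    for q in queries:
        bucket = "port53" if q["client_port"] == 53 else "ephemeral"
        stats[bucket]["sent"] += 1
        stats[bucket]["answered"] += int(q["answered"])
    return dict(stats)


if __name__ == "__main__":
    queries, unsolicited = match_queries(parse(SAMPLE))
    for bucket, s in answer_rate_by_source(queries).items():
        print(f"{bucket:10s} sent={s['sent']} answered={s['answered']}")
    for q in queries:
        if not q["answered"]:
            print(f"no answer: {q['ts']} src port {q['client_port']} "
                  f"-> {q['server']} id {q['txid']}")
    print(f"unsolicited responses: {len(unsolicited)}")
```

Run it against a fuller capture with `tcpdump -nn -v udp port 53` piped into the script in place of SAMPLE; a 100% answer rate for ephemeral ports alongside 0% for port 53, as in the sample, points at filtering of port-53-sourced queries on the path rather than at the zone itself, and the fix on the resolver side is to stop pinning the query source port.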

