DNS Queries from port 53 blocked?

Joe Brouhard jbrouhard at gmail.com
Thu Oct 14 16:40:14 CDT 2010


Is this your local DNS server, or an ISP DNS Server?

I've heard of some ISPs blocking incoming DNS queries unless they're on
their local LAN (i.e. their IP subset).  But this sounds more like a case of
the DNS server in question having questionable firewall rules, or the DNS
server is simply offline.

On Thu, Oct 14, 2010 at 4:29 PM, Charles Steinkuehler <
charles at steinkuehler.net> wrote:

>
> I am trying to debug a DNS issue we're having with a few domains, and I
> have run across some strange behavior.  If I directly query their DNS
> using dig, I get a response.  If, however, I let my DNS server ask
> (using a source port of 53), the query seems to drop into a black hole.
>
> The "good" queries, generated by 'dig mx mwmg.com @<theirIP>
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53:  64781+ MX? mwmg.com. (26)
> > 16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774:  64781*- 2/5/5 mwmg.com. MX[|domain]
> > 16:22:35.981553 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53:  24533+ MX? mwmg.com. (26)
> > 16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774:  24533*- 2/5/5 mwmg.com. MX[|domain]
> > 16:22:36.041330 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53:  28663+ MX? mwmg.com. (26)
> > 16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774:  28663*- 2/5/5 mwmg.com. MX[|domain]
> > 16:22:36.091515 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53:  29634+ MX? mwmg.com. (26)
> > 16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774:  29634*- 2/5/5 mwmg.com. MX[|domain]
>
> The "bad" queries, when I let my DNS server do the asking for me:
> > 16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53:  23036 [1au] MX? mwmg.com. (37)
> > 16:23:15.277325 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53:  64536 [1au] MX? mwmg.com. (37)
> > 16:23:17.281891 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53:  34458 [1au] MX? mwmg.com. (37)
> > 16:23:19.286253 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  35884 MX? mwmg.com. (26)
> > 16:23:21.286655 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  65460 MX? mwmg.com. (26)
> > 16:23:23.291087 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  59086 MX? mwmg.com. (26)
> > 16:23:25.295724 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53:  5122 MX? mwmg.com. (26)
> > 16:23:27.300226 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  53089 MX? mwmg.com. (26)
> > 16:23:29.304645 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  12885 MX? mwmg.com. (26)
> > 16:23:37.306880 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  21131 MX? mwmg.com. (26)
>
> So...have folks started dropping traffic originating from port 53?!?
>
> How did I miss this memo, or am I missing something obvious in the above?
>
> --
> Charles Steinkuehler
> charles at steinkuehler.net
> _______________________________________________
> KCLUG mailing list
> KCLUG at kclug.org
> http://kclug.org/mailman/listinfo/kclug
>



-- 
Joe Brouhard
jbrouhard at gmail.com
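Added example, not part of the thread: a small Python script that parses tcpdump records like the ones Charles posted, pairs each outbound question with its reply by remote address and transaction id, and reports which local source ports never got an answer. The sample records are copied from the post with the mail wrapping undone; the regex assumes the "tcpdump -v" record layout shown there.

```python
import re
from collections import defaultdict

# Matches one "tcpdump -v" record as quoted in the post, joined onto a single line.
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<txid>\d+)\S*\s+(?P<rest>.*)$"
)
QUESTION = re.compile(r"\b[A-Z]+\?")   # tcpdump prints "MX?" only for questions

def summarize(lines):
    """Per local source port: (queries sent, queries that got a reply)."""
    pending = set()                    # (local_ip, local_port, remote_ip, txid)
    sent, answered = defaultdict(int), defaultdict(int)
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue                   # banner lines and anything else
        d = m.groupdict()
        if QUESTION.search(d["rest"]):
            # Outbound question: the local side is the packet's source.
            pending.add((d["src"], d["sport"], d["dst"], d["txid"]))
            sent[int(d["sport"])] += 1
        else:
            # Reply: swap sides so the tuple lines up with the question's key.
            key = (d["dst"], d["dport"], d["src"], d["txid"])
            if key in pending:
                pending.discard(key)
                answered[int(d["dport"])] += 1
    return {p: (sent[p], answered[p]) for p in sent}

def silent_ports(lines):
    """Source ports whose queries never received a single reply."""
    return sorted(p for p, (s, a) in summarize(lines).items() if a == 0)

# Records copied from the post (line-wrapping undone): one answered query
# from port 32774 and two unanswered ones sent from port 53.
SAMPLE = [
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes",
    "16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53:  64781+ MX? mwmg.com. (26)",
    "16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774:  64781*- 2/5/5 mwmg.com. MX[|domain]",
    "16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53:  23036 [1au] MX? mwmg.com. (37)",
    "16:23:19.286253 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  35884 MX? mwmg.com. (26)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))              # {32774: (1, 1), 53: (2, 0)}
    print("silent source ports:", silent_ports(SAMPLE))
```

A resolver that sends every upstream query from source port 53 has also given up source-port randomization, so moving it to random ephemeral ports is worth doing regardless of what the remote side is filtering.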