DNS Queries from port 53 blocked?

Charles Steinkuehler charles at steinkuehler.net
Thu Oct 14 16:56:05 CDT 2010



The DNS server asking the questions is local (well sitting in San
Antonio, actually), is the master for newtek.com (among others) and is
sitting on the 199.79.203.0/24 IP block we control (our ISP is actually
secondary for several of our domains, and advertises routes for our IP
block on our behalf).

Anyway, the issue is not related to firewall rules on our end or at our
ISP, but it looks like the remote end (dns1-4.name-services.com) is
dropping query traffic if the *SOURCE* port is 53 (or perhaps any low
port?).

I have worked around the issue by removing the query port option from
our named.conf which was specifying port 53 as the query source.

I just hadn't seen this behavior before, and am wondering if anyone else
had seen this and if it is becoming common (like the port 25 blocks).

On 10/14/2010 4:40 PM, Joe Brouhard wrote:
> Is this your local DNS server, or an ISP DNS Server?
> 
> I've heard of some ISPs blocking incoming DNS queries unless they're on
> their local LAN (i.e. their IP subset).  But this sounds more like a case of
> the DNS server in question having questionable firewall rules, or the DNS
> server is simply offline.
> 
> On Thu, Oct 14, 2010 at 4:29 PM, Charles Steinkuehler <
> charles at steinkuehler.net> wrote:
> 
> I am trying to debug a DNS issue we're having with a few domains, and I
> have run across some strange behavior.  If I directly query their DNS
> using dig, I get a response.  If, however, I let my DNS server ask
> (using a source port of 53), the query seems to drop into a black hole.
> 
> The "good" queries, generated by 'dig mx mwmg.com @<theirIP>':
> 
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53:  64781+ MX? mwmg.com. (26)
> 16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774:  64781*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:35.981553 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53:  24533+ MX? mwmg.com. (26)
> 16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774:  24533*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:36.041330 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53:  28663+ MX? mwmg.com. (26)
> 16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774:  28663*- 2/5/5 mwmg.com. MX[|domain]
> 16:22:36.091515 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53:  29634+ MX? mwmg.com. (26)
> 16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774:  29634*- 2/5/5 mwmg.com. MX[|domain]
> 
> The "bad" queries, when I let my DNS server do the asking for me:
> 
> 16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53:  23036 [1au] MX? mwmg.com. (37)
> 16:23:15.277325 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53:  64536 [1au] MX? mwmg.com. (37)
> 16:23:17.281891 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53:  34458 [1au] MX? mwmg.com. (37)
> 16:23:19.286253 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  35884 MX? mwmg.com. (26)
> 16:23:21.286655 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  65460 MX? mwmg.com. (26)
> 16:23:23.291087 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  59086 MX? mwmg.com. (26)
> 16:23:25.295724 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53:  5122 MX? mwmg.com. (26)
> 16:23:27.300226 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53:  53089 MX? mwmg.com. (26)
> 16:23:29.304645 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53:  12885 MX? mwmg.com. (26)
> 16:23:37.306880 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53:  21131 MX? mwmg.com. (26)
> 
> So...have folks started dropping traffic originating from port 53?!?
> 
> How did I miss this memo, or am I missing something obvious in the above?
> 
_______________________________________________
KCLUG mailing list
KCLUG at kclug.org
http://kclug.org/mailman/listinfo/kclug

-- 
Charles Steinkuehler
charles at steinkuehler.net


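The black-hole pattern Charles describes (queries leaving from source port 53 and never being answered, while the same queries from an ephemeral port succeed) can be spotted mechanically in a capture like the one quoted above. The following is an added example, not code from the thread: a small Python parser for the tcpdump -v summary lines that pairs each query with its reply by reversed 5-tuple and transaction id, then counts the unanswered queries per source port; the sample capture is constructed with documentation addresses rather than the thread's hosts. Dropping the fixed query-source port, as Charles did, also lets BIND pick random source ports, which is the usual recommendation regardless of this particular remote end.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump summary format quoted in the thread
# (documentation addresses, not the thread's hosts): an answered query from
# an ephemeral port, then two port-53-sourced queries that get no reply.
SAMPLE_CAPTURE = """\
16:22:35.929965 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 192.0.2.4.32774 > 198.51.100.1.53:  64781+ MX? example.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 198.51.100.1.53 > 192.0.2.4.32774:  64781*- 2/5/5 example.com. MX[|domain]
16:23:13.273239 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 192.0.2.10.53 > 198.51.100.1.53:  23036 [1au] MX? example.com. (37)
16:23:15.277325 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 192.0.2.10.53 > 198.51.100.2.53:  64536 [1au] MX? example.com. (37)
"""

# One tcpdump -v summary line: timestamp, IP header in parens, src.port >
# dst.port:, then the DNS transaction id (with flag chars) and the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<txid>\d+)\S*\s+(?P<rest>.*)$"
)
# Only responses carry the answer/authority/additional counts ("2/5/5").
RESPONSE_RE = re.compile(r"\b\d+/\d+/\d+\b")


def parse_capture(text):
    """Return one dict per DNS packet, tagged as 'query' or 'response'."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines such as "listening on eth0" are skipped
        pkt = m.groupdict()
        pkt["kind"] = "response" if RESPONSE_RE.search(pkt["rest"]) else "query"
        packets.append(pkt)
    return packets


def unanswered_queries(text):
    """Queries with no reply that reverses the 5-tuple and repeats the txid."""
    packets = parse_capture(text)
    replies = {(p["dst"], p["dport"], p["src"], p["sport"], p["txid"])
               for p in packets if p["kind"] == "response"}
    return [p for p in packets if p["kind"] == "query"
            and (p["src"], p["sport"], p["dst"], p["dport"], p["txid"]) not in replies]


def unanswered_by_source_port(text):
    """Count unanswered queries per source port; everything landing on port
    53 while ephemeral-port queries succeed is the pattern in the thread."""
    return Counter(p["sport"] for p in unanswered_queries(text))
```

Feed it the output of `tcpdump -v -n udp port 53` with the wrapped lines rejoined; a Counter that is non-empty only for port 53 reproduces the thread's diagnosis.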