Re: dig
On Thu, 22 Aug 2013 11:14:04 +1000 Colin House articulated:

> On 22/08/2013 9:34 AM, Doug Hardie wrote:
> > There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
> >
> >     dig freebsd.org +trace
> >
> > Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.
>
> Have you tested against another NS?
>
> I ran into a similar problem when setting up unbound as a local recursor recently on a 9.1-STABLE (r251985) box. "dig +trace domain" would return (next to) nothing. "dig +trace domain @8.8.8.8" worked as expected.
>
> I found it was the access-control configuration of unbound. Changing my
>
>     access-control: ::1 allow
>
> to
>
>     access-control: ::1 allow_snoop
>
> restored the +trace functionality. I'm not sure how this translates with bind.. Perhaps the defaults have changed between the versions that you're running (if you're running the base versions on 7.2 and 9.1) or your recursive server isn't allowing it on 9.2?
>
> Fwiw, in unbound, allow allows recursive lookups, allow_snoop allows both recursive and non-recursive lookups.

    $ dig freebsd.org +trace

    ; <<>> DiG 9.6.-ESV-R7-P2 <<>> freebsd.org +trace
    ;; global options: +cmd
    ;; Received 12 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

    $ drill freebsd.org +trace
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28341
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; +trace.      IN      A

    ;; ANSWER SECTION:
    +trace.      10      IN      A       69.16.143.110
    +trace.      10      IN      A       66.152.109.110

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 34 msec
    ;; SERVER: 209.18.47.62
    ;; WHEN: Thu Aug 22 06:35:54 2013
    ;; MSG SIZE  rcvd: 56

I was surprised at the difference between the output of the two commands.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: dig
On 21 August 2013, at 18:14, Colin House co...@restecp.com wrote:

> On 22/08/2013 9:34 AM, Doug Hardie wrote:
> > There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
> >
> >     dig freebsd.org +trace
> >
> > Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.
>
> Have you tested against another NS?
>
> I ran into a similar problem when setting up unbound as a local recursor recently on a 9.1-STABLE (r251985) box. "dig +trace domain" would return (next to) nothing. "dig +trace domain @8.8.8.8" worked as expected.
>
> I found it was the access-control configuration of unbound. Changing my
>
>     access-control: ::1 allow
>
> to
>
>     access-control: ::1 allow_snoop
>
> restored the +trace functionality. I'm not sure how this translates with bind.. Perhaps the defaults have changed between the versions that you're running (if you're running the base versions on 7.2 and 9.1) or your recursive server isn't allowing it on 9.2?
>
> Fwiw, in unbound, allow allows recursive lookups, allow_snoop allows both recursive and non-recursive lookups.

After a bunch of testing, I have determined that the problem is the routers. If I use my local DNS servers or remote ones, then it works on all three systems. Three different routers block it somehow.
Re: dig
On 22/08/2013 00:34, Doug Hardie wrote:
> There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
>
>     dig freebsd.org +trace
>
> Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.

Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)

Is there something wrong with your local bind configuration?

Regards, Frank.
Re: dig
On 21 August 2013, at 17:02, Doug Hardie bc...@lafn.org wrote:

> On 21 August 2013, at 16:46, Frank Leonhardt fra...@fjl.co.uk wrote:
>
> > On 22/08/2013 00:34, Doug Hardie wrote:
> > > There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
> > >
> > >     dig freebsd.org +trace
> > >
> > > Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.
> >
> > Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)
> >
> > Is there something wrong with your local bind configuration?
> >
> > Regards, Frank.
>
> No. The 7.2 config is identical to the 9.1 and there is no bind running on the 9.2.
Re: dig
> > There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
> >
> >     dig freebsd.org +trace
> >
> > Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.
>
> Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)

And on:

    FreeBSD 10.0-CURRENT #0 r248938: Sun Mar 31 06:24:42 EDT 2013 amd64

Robert Huff
Re: dig
On 22/08/2013 9:34 AM, Doug Hardie wrote:
> There appears to be a problem with dig and the +trace option in 9.2. I believe it's also in 9.1. The command:
>
>     dig freebsd.org +trace
>
> Only yields a dumb response. No useful information is provided. Running the same command on FreeBSD 7.2 yields a complete trace with lots of useful information.

Have you tested against another NS?

I ran into a similar problem when setting up unbound as a local recursor recently on a 9.1-STABLE (r251985) box. "dig +trace domain" would return (next to) nothing. "dig +trace domain @8.8.8.8" worked as expected.

I found it was the access-control configuration of unbound. Changing my

    access-control: ::1 allow

to

    access-control: ::1 allow_snoop

restored the +trace functionality. I'm not sure how this translates with bind.. Perhaps the defaults have changed between the versions that you're running (if you're running the base versions on 7.2 and 9.1) or your recursive server isn't allowing it on 9.2?

Fwiw, in unbound, allow allows recursive lookups, allow_snoop allows both recursive and non-recursive lookups.

- Col
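The allow versus allow_snoop difference above, as an added model (not code from the thread or from unbound) of how unbound's documented access-control actions treat the first query of a plain dig (RD=1) and of dig +trace (RD=0). The access-control lines are a constructed fragment built around the one in the thread; allow_snoop belongs on loopback or trusted hosts only, since non-recursive access lets a client read what the cache holds.

```python
"""Model of unbound's access-control actions as seen by dig +trace.

Added example, not code from the thread or from unbound. It follows the
documented behaviour: the most specific matching netblock decides, 'refuse'
answers REFUSED, 'deny' drops, 'allow' answers recursive queries only and
refuses non-recursive ones, 'allow_snoop' answers both. dig +trace sends
its queries with the RD flag clear (non-recursive), which is why the
thread's 'allow' entry for ::1 left +trace with nothing to work from.
"""
import ipaddress

# Constructed unbound.conf fragment: unbound's defaults plus the thread's line.
CONF_ALLOW = """
server:
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
"""
CONF_SNOOP = CONF_ALLOW.replace("::1 allow", "::1 allow_snoop")

ACTIONS = ("deny", "refuse", "allow", "allow_snoop")


def parse_access_control(conf):
    """Return [(network, action)] from the access-control: lines of conf."""
    acl = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "access-control:":
            continue
        _, netblock, action = parts
        if action not in ACTIONS:
            raise ValueError("unsupported access-control action: " + action)
        acl.append((ipaddress.ip_network(netblock, strict=False), action))
    return acl


def decide(acl, src, rd):
    """Outcome for a query from src with RD flag rd: 'answer', 'refuse'
    (REFUSED rcode back to the client) or 'drop' (no reply at all)."""
    src_ip = ipaddress.ip_address(src)
    # 'in' is False across address families, so v4 and v6 entries never mix
    matches = [(net, act) for net, act in acl if src_ip in net]
    if not matches:
        return "refuse"                       # nothing matched: refused
    _, action = max(matches, key=lambda m: m[0].prefixlen)  # most specific
    if action == "deny":
        return "drop"
    if action == "refuse":
        return "refuse"
    if action == "allow" and not rd:
        return "refuse"                       # 'allow' refuses non-recursive
    return "answer"


def first_query_outcomes(conf, src="::1"):
    """What the resolver does with the first query of a plain dig (RD=1)
    and of dig +trace (RD=0) arriving from src."""
    acl = parse_access_control(conf)
    return {"dig": decide(acl, src, rd=True),
            "dig +trace": decide(acl, src, rd=False)}


if __name__ == "__main__":
    print("allow:      ", first_query_outcomes(CONF_ALLOW))
    print("allow_snoop:", first_query_outcomes(CONF_SNOOP))
```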
Re: dig/named - res_nsend: Protocol not supported
Ignore my previously stated question. What I meant to say was:

*Why* do I need to have IPV6 enabled? Is it some configuration option of named that I overlooked?

On Feb 6, 2004, at 9:23, Luke Cowell wrote:

> Hi, I'm running FreeBSD 4.9 and I'm having a little difficulty with named/dig.
>
>     %uname -a
>     FreeBSD polo.asap.bc.ca 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu Feb 5 16:23:04 PST 2004 [EMAIL PROTECTED]:/usr/src/sys/compile/POLO i386
>
> Here's what's happening.
>
>     %dig @localhost
>
>     ; <<>> DiG 8.3 <<>> @localhost
>     ; (2 servers found)
>     ;; res options: init recurs defnam dnsrch
>     ;; res_nsend: Protocol not supported
>
> So, I did some reading; this is an error that is coming up for those trying to enable IPV6 on their system. I'm not trying to do that, so I got the idea to re-enable IPV6 in the kernel. Well, what do you know, I now get normal output when issuing a dig command. My question is: what do I need to have IPV6 enabled for? Is it some configuration option of named that I overlooked?
>
> Luke
Re: dig/named - res_nsend: Protocol not supported
Luke Cowell disturbed my sleep to write:

> *Why* do I need to have IPV6 enabled? Is it some configuration option of named that I overlooked?

Hm...it could be that named is only listening on IPv6 localhost (::1) rather than IPv4 (127.0.0.1) by default, but that seems strange to me. Try "grep localhost /etc/hosts" and see if you've got entries for both.

Are you running the default version of BIND, or a version from ports?

Hugh

-- 
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.
RE: dig command for reverse dsn check
> On Tue, 7 Jan 2003, JoeB wrote:
>
> > How do I check my ISP domain name to see if its DNS server is configured correctly for email reverse DNS lookup? I have used "dig isp-domain-name" but I can not tell from what it displays what to look for to verify it's configured correctly. The dig display is lacking descriptive verbiage to identify what the information displayed means. Can someone help me please.
>
> I'd use:
>
>     dig -x ip.ad.dr.ess PTR [@name.server]
>
> The ANSWER SECTION shows what DNS thinks is the reverse name for that IP.
>
>     dig -x 66.26.76.83 ptr
>
>     ; <<>> DiG 8.3 <<>> -x ptr
>     ;; res options: init recurs defnam dnsrch
>     ;; got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>     ;; QUERY SECTION:
>     ;;      83.76.26.66.in-addr.arpa, type = PTR, class = IN
>
>     ;; ANSWER SECTION:
>     83.76.26.66.in-addr.arpa.  59m25s IN PTR  rdu26-76-083.nc.rr.com.
>
>     ;; AUTHORITY SECTION:
>     76.26.66.in-addr.arpa.  59m25s IN NS  ns1.nc.rr.com.
>     76.26.66.in-addr.arpa.  59m25s IN NS  ns2.nc.rr.com.
>
>     ;; ADDITIONAL SECTION:
>     ns1.nc.rr.com.  33m25s IN A  24.93.67.126
>     ns2.nc.rr.com.  33m25s IN A  24.93.67.127
>
>     ;; Total query time: 0 msec
>     ;; FROM: pooh.ASARian.org to SERVER: default -- 127.0.0.1
>     ;; WHEN: Tue Jan 7 21:34:00 2003
>     ;; MSG SIZE  sent: 42  rcvd: 146

Thanks for the quick reply, but I need some clarification.

MY email address = [EMAIL PROTECTED]
My email server = mail.clvhoh.adelphia.net

    dig -x 66.26.76.83 ptr

What IP address to use in the dig command? The IP address of the domain name or the email server?

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
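The reverse-DNS check for mail discussed above, as an added example (not code from the thread): receivers apply it to the IP a sending mail server connects from, so the PTR for that IP must name a host whose A (or AAAA) record contains the same IP. The resolver is injected so the check runs offline against a constructed table; the 66.26.76.83 PTR is the one in the dig -x output, every other name and address is constructed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail server's address.

Added example, not code from the thread. The lookup function is injected so
the check runs offline against the constructed table below; a real resolver
can be passed in the same way.
"""
import ipaddress


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa name that dig -x queries for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed stand-in for the DNS: (owner name, record type) -> rdata list.
# Only the 66.26.76.83 PTR comes from the thread's dig -x output.
FAKE_DNS = {
    ("83.76.26.66.in-addr.arpa.", "PTR"): ["rdu26-76-083.nc.rr.com."],
    ("rdu26-76-083.nc.rr.com.", "A"): ["66.26.76.83"],
    # PTR points at a name that resolves to a different address: fails
    ("1.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["198.51.100.7"],
    # IPv6 host whose AAAA matches: passes
    (reverse_name("2001:db8::1"), "PTR"): ["mx6.example.org."],
    ("mx6.example.org.", "AAAA"): ["2001:db8::1"],
    # 203.0.113.9 has no PTR at all
}


def fake_lookup(name, rtype):
    """Stand-in resolver; returns [] where the real DNS would say NXDOMAIN."""
    return FAKE_DNS.get((name, rtype), [])


def fcrdns(ip, lookup=fake_lookup):
    """Return (ok, explanation). ok is True only when some PTR target
    resolves back to ip; a missing PTR and a mismatch both fail."""
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return False, "no PTR record for %s" % ip
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in ptrs:
        forward = [ipaddress.ip_address(a) for a in lookup(name, rtype)]
        if addr in forward:
            return True, "%s -> %s -> %s" % (ip, name, addr)
    return False, "PTR %s does not resolve back to %s" % (", ".join(ptrs), ip)


if __name__ == "__main__":
    for ip in ("66.26.76.83", "192.0.2.1", "2001:db8::1", "203.0.113.9"):
        print(ip, fcrdns(ip))
```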
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> Hello,
>
> I don't know if this is related to post earlier today [FBSD 4.7 reset itself - lots of DENY UDP messages in /var/log/security], but I've been trying to trouble shoot the DENY messages in /var/log/security using dig:
>
>     # dig . ns @b.root-servers.net
>
>     ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
>     ; (1 server found)
>     ;; res options: init recurs defnam dnsrch
>     ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection refused
>     #
>
> I get connection refused for this.
>
> Checking security:
>
>     Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP snip:1381 128.9.0.107:53 out via sis0
>     Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1snip:1382 128.9.0.107:53 out via sis0
>     #
>
> Verifying relevant ipfw rules:
>
>     # Allow out access to Internet Domain name server
>     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
>     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

This last rule is bogus. From ipfw(8):

     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
             This is the short form of ``tcpflags syn,!ack''.

setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.

> Checking ipfw rule 910:
>
>     $fwcmd add 00910 deny log logamount 500 ip from any to any
>
> Why am I not able to query root servers, given my rules 00618 00619?
>
> I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
>
> TIA
>
> Stacey
>
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in/var/log/security
Hi Ruben,

Thanks much for the reply - comments inline...,

> > Verifying relevant ipfw rules:
> >
> >     # Allow out access to Internet Domain name server
> >     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> >     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>              This is the short form of ``tcpflags syn,!ack''.
>
> setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.

Okay, I see what you mean about rule 00619 (probably explains why this rule never appears in "ipfw l"), and as such, I have three questions based on rule 00619 being bogus:

1] Is this the reason why I am unable to query root-servers?

2] Do I remove it completely - would ipfw still be secure without it completely?

3] If not, should I just amend as:

BEFORE
    $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

AFTER
Based on ipfw (8):
### A similar approach can be used for UDP, where an UDP packet coming from the inside will install a dynamic rule to let the response through the firewall:

    ipfw add check-state
    ipfw add allow udp from my-subnet to any
    ipfw add deny udp from any to any

    $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

CHANGE TO:

    $fwcmd add allow udp from any to any 53 out via $oif
    $fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments on:

I have a check-state at rule 00500

From the make up of my rule-set, I do not have a rule that explicitly denies udp to port 53 per-se.

More clearly, I have these deny rules in place at the moment:

    $ grep -i deny fwrules
    $fwcmd add 00020 deny log ip from me to any in
    $fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
    $fwcmd add 00100 deny udp from any to any 520 in via $oif
    $fwcmd add 00502 deny all from any to any frag
    $fwcmd add 00501 deny tcp from any to any established
    $fwcmd add 00850 deny log ip from me to me in via $oif
    $fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
    $fwcmd add 00900 deny log all from any to any in via $oif
    $fwcmd add 00910 deny log logamount 500 ip from any to any
    $

None of which explicitly applies to DNS. I make this point as there *are* udp packets I want to allow in via $oif - 137 - 139

Thanks again for the reply Ruben. If I'm not clear enough in my explanations, I'm quite happy to post my complete rule-set to you (off-list) if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> > Hello,
> >
> > I don't know if this is related to post earlier today [FBSD 4.7 reset itself - lots of DENY UDP messages in /var/log/security], but I've been trying to trouble shoot the DENY messages in /var/log/security using dig:
> >
> >     # dig . ns @b.root-servers.net
> >
> >     ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >     ; (1 server found)
> >     ;; res options: init recurs defnam dnsrch
> >     ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection refused
> >     #
> >
> > I get connection refused for this.
> >
> > Checking security:
> >
> >     Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP snip:1381 128.9.0.107:53 out via sis0
> >     Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1snip:1382 128.9.0.107:53 out via sis0
> >     #
>
> snip
>
> > Checking ipfw rule 910:
> >
> >     $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 00619?
> >
> > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> >
> > TIA
> >
> > Stacey
> >
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in/var/log/security
Just checked against http://www.pgp.net/wwwkeys.html to verify:

    pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts [EMAIL PROTECTED]
         Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26

Verbose:

    Public Key Server -- Verbose Index ``0xDC92FBD7 ''

    Type bits/keyID    Date       User ID
    pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts [EMAIL PROTECTED]
         Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
         New! attempt to lookup keyholder on biglumber.com.
    sig       0x10 DC92FBD7 2002-08-03 [selfsig]

Unless I'm missing something., so do enlighten me, please.

Stacey

On Sun, 2002-10-27 at 17:06, Daniel Harris wrote:
> On Sun, Oct 27, 2002 at 04:48:34PM +0000, Stacey Roberts wrote:
>
> -snip-
>
> Just letting you know that the pgp sig on this message did not verify with my gnupg 1.2.1.
>
> -- 
> Daniel Harris

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 05:18:10PM +0000, Stacey Roberts wrote:
> Just checked against http://www.pgp.net/wwwkeys.html to verify:
>
>     pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts [EMAIL PROTECTED]
>          Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
>
> Verbose:
>
>     Public Key Server -- Verbose Index ``0xDC92FBD7 ''
>
>     Type bits/keyID    Date       User ID
>     pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts [EMAIL PROTECTED]
>          Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
>          New! attempt to lookup keyholder on biglumber.com.
>     sig       0x10 DC92FBD7 2002-08-03 [selfsig]
>
> Unless I'm missing something., so do enlighten me, please.

It doesn't verify here either. I think it's because you haven't added the email address you post from as an alias.

Ceri

-- 
you can't see when light's so strong
you can't see when light is gone
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in/var/log/security
Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here..,

I've made this change:

    # Allow out access to Internet Domain name server
    $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
    #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <-- COMMENTED THIS OUT
    $fwcmd add 00618 allow udp from any to any 53 out via $oif                    <-- PUT THIS IN INSTEAD

Now I try to query a root-server, I still get stopped by the firewall:

    # date
    Sun Oct 27 18:19:35 GMT 2002
    # dig . ns @b.root-servers.net

    ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out

Checking logs:

    # tail /var/log/security
    snip
    Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
    #

The previous poster (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow me to query the root servers and allow their responses back in?

TIA

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> snip
>
> > Verifying relevant ipfw rules:
> >
> >     # Allow out access to Internet Domain name server
> >     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> >     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>              This is the short form of ``tcpflags syn,!ack''.
>
> setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.
>
> > Checking ipfw rule 910:
> >
> >     $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 00619?
> >
> > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> >
> > TIA
> >
> > Stacey
> >
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
> Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in /var/log/security
> From: Stacey Roberts [EMAIL PROTECTED]
> To: Ruben de Groot [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> Date: 27 Oct 2002 18:29:16 +0000
>
> Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here..,
>
> I've made this change:
>
>     # Allow out access to Internet Domain name server
>     $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
>     #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <-- COMMENTED THIS OUT
>     $fwcmd add 00618 allow udp from any to any 53 out via $oif

You forgot keep-state. Your rule should be:

    $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state

>                                                                                   <-- PUT THIS IN INSTEAD
>
> Now I try to query a root-server, I still get stopped by the firewall:
>
>     # date
>     Sun Oct 27 18:19:35 GMT 2002
>     # dig . ns @b.root-servers.net
>
>     ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
>     ; (1 server found)
>     ;; res options: init recurs defnam dnsrch
>     ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out
>
> Checking logs:
>
>     # tail /var/log/security
>     snip
>     Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
>     #
>
> The previous poster (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow me to query the root servers and allow their responses back in?
>
> TIA
>
> Stacey
>
> On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> > snip
> >
> > > Verifying relevant ipfw rules:
> > >
> > >     # Allow out access to Internet Domain name server
> > >     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > >     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
> >
> > This last rule is bogus. From ipfw(8):
> >
> >      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >              This is the short form of ``tcpflags syn,!ack''.
> >
> > setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.
> >
> > > Checking ipfw rule 910:
> > >
> > >     $fwcmd add 00910 deny log logamount 500 ip from any to any
> > >
> > > Why am I not able to query root servers, given my rules 00618 00619?
> > >
> > > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> > >
> > > TIA
> > >
> > > Stacey
> > >
> > > -- 
> > > Stacey Roberts
> > > B.Sc (HONS) Computer Science
> > >
> > > Web: www.vickiandstacey.com
>
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com

-- 
Regards,
D. Penev
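The three versions of rule 00618/00619 that this thread went through, run through an added toy model of ipfw's first-match evaluation (not ipfw itself, and not code from the thread). It models only what the discussion turns on: 'setup' matching TCP SYN-without-ACK only, 'keep-state' recording the flow, and 'check-state' letting the matching reply back in; the packets are the DNS query and reply from Stacey's logs, and the rule list is a constructed subset of the posted rule-set.

```python
"""Toy model of the ipfw rules discussed in this thread.

Added example, not ipfw and not code from the thread. It reproduces the
verdicts behind the two log lines quoted above: rule 910 denying the
outgoing query under the 'setup keep-state' UDP rule, rule 900 denying the
reply once 'setup' was dropped but no state was kept, and check-state
admitting the reply once keep-state is present.
"""


def build_ruleset(udp_setup, udp_keep_state):
    """Constructed subset of the posted rule-set with the UDP rule varied.

    udp_setup=True,  udp_keep_state=True  : the original bogus rule (00619)
    udp_setup=False, udp_keep_state=False : Stacey's second attempt
    udp_setup=False, udp_keep_state=True  : D. Penev's corrected rule
    """
    return [
        (500, "check-state", {}),
        (617, "allow", {"proto": "tcp", "dport": 53, "dir": "out",
                        "setup": True, "keep_state": True}),
        (618, "allow", {"proto": "udp", "dport": 53, "dir": "out",
                        "setup": udp_setup, "keep_state": udp_keep_state}),
        (900, "deny", {"dir": "in"}),     # deny log all from any to any in via $oif
        (910, "deny", {}),                # deny log ... ip from any to any
    ]


def flow_key(pkt):
    """Direction-independent identity of a flow, like a dynamic rule entry."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)


def rule_matches(cond, pkt):
    for field in ("proto", "dport", "dir"):
        if field in cond and cond[field] != pkt[field]:
            return False
    if cond.get("setup"):
        # 'setup' means SYN set and ACK clear; a UDP packet has no TCP
        # flags, so this condition can never match one (ipfw(8), quoted above).
        if pkt["proto"] != "tcp" or not pkt.get("syn") or pkt.get("ack"):
            return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()   # flow keys installed by keep-state rules

    def pass_packet(self, pkt):
        """Return (rule_number, action) of the rule that decided the packet."""
        for num, action, cond in self.rules:
            if action == "check-state":
                if flow_key(pkt) in self.dynamic:
                    return num, "allow"
                continue
            if rule_matches(cond, pkt):
                if cond.get("keep_state"):
                    self.dynamic.add(flow_key(pkt))
                return num, action
        return 65535, "deny"   # ipfw's default rule


def dns_exchange(udp_setup, udp_keep_state):
    """Run dig's UDP query to b.root-servers.net and the reply (the
    addresses from Stacey's log) through the model; returns both verdicts."""
    fw = Firewall(build_ruleset(udp_setup, udp_keep_state))
    query = {"proto": "udp", "src": "192.168.1.8", "sport": 1642,
             "dst": "128.9.0.107", "dport": 53, "dir": "out"}
    reply = {"proto": "udp", "src": "128.9.0.107", "sport": 53,
             "dst": "192.168.1.8", "dport": 1642, "dir": "in"}
    return fw.pass_packet(query), fw.pass_packet(reply)


if __name__ == "__main__":
    for label, args in (("setup keep-state (bogus)", (True, True)),
                        ("plain allow, no state", (False, False)),
                        ("keep-state", (False, True))):
        print("%-26s query/reply -> %s" % (label, dns_exchange(*args)))
```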
res_nmkquery: buffer too small WAS[Re: dig . ns @b.root-servers.net- Connection refused. WHY? [related to FBSD 4.7 reset itself - lots ofDENY UDP mess]ages in /var/log/security]
Hi,

I've made the changes to rule 00618 as you've suggested, but now I get a different error:

    # dig .ns @a.root-servers.net

    ; <<>> DiG 8.3 <<>> .ns @a.root-servers.net
    ; (1 server found)
    ;; res_nmkquery: buffer too small
    # dig .ns @b.root-servers.net

    ; <<>> DiG 8.3 <<>> .ns @b.root-servers.net
    ; (1 server found)
    ;; res_nmkquery: buffer too small
    #

I'll not even pretend to know what that means..,

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> You forgot keep-state. Your rule should be:
>
>     $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
> >                                                                                   <-- PUT THIS IN INSTEAD
> >
> > Now I try to query a root-server, I still get stopped by the firewall:
> >
> >     # date
> >     Sun Oct 27 18:19:35 GMT 2002
> >     # dig . ns @b.root-servers.net
> >
> >     ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >     ; (1 server found)
> >     ;; res options: init recurs defnam dnsrch
> >     ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out
> >
> > On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> > > snip
> > >
> > > > Verifying relevant ipfw rules:
> > > >
> > > >     # Allow out access to Internet Domain name server
> > > >     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > > >     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
> > >
> > > This last rule is bogus. From ipfw(8):
> > >
> > >      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> > >              This is the short form of ``tcpflags syn,!ack''.
> > >
> > > setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.
> > >
> > > > Checking ipfw rule 910:
> > > >
> > > >     $fwcmd add 00910 deny log logamount 500 ip from any to any
> > > >
> > > > Why am I not able to query root servers, given my rules 00618 00619?
> > > >
> > > > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> > > >
> > > > TIA
> > > >
> > > > Stacey
> > > >
> > > > -- 
> > > > Stacey Roberts
> > > > B.Sc (HONS) Computer Science
> > > >
> > > > Web: www.vickiandstacey.com
> >
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com
>
> -- 
> Regards,
> D. Penev

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in/var/log/security
Hello,

Thought you'd like to know that the amendments you suggested work for me now. Thank you very much for the time and effort!

See:

    $ dig . ns @c.root-servers.net

    ; <<>> DiG 8.3 <<>> . ns @c.root-servers.net
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
    ;; QUERY SECTION:
    ;;      ., type = NS, class = IN

    ;; ANSWER SECTION:
    .                       6D IN NS        L.ROOT-SERVERS.NET.
    .                       6D IN NS        M.ROOT-SERVERS.NET.
    .                       6D IN NS        I.ROOT-SERVERS.NET.
    .                       6D IN NS        E.ROOT-SERVERS.NET.
    .                       6D IN NS        D.ROOT-SERVERS.NET.
    .                       6D IN NS        A.ROOT-SERVERS.NET.
    .                       6D IN NS        H.ROOT-SERVERS.NET.
    .                       6D IN NS        C.ROOT-SERVERS.NET.
    .                       6D IN NS        G.ROOT-SERVERS.NET.
    .                       6D IN NS        F.ROOT-SERVERS.NET.
    .                       6D IN NS        B.ROOT-SERVERS.NET.
    .                       6D IN NS        J.ROOT-SERVERS.NET.
    .                       6D IN NS        K.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
    M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
    I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
    E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
    D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
    A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
    H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
    C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
    G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
    F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
    B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
    J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
    K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129

    ;; Total query time: 229 msec
    ;; FROM: Demon.vickiandstacey.com to SERVER: c.root-servers.net  192.33.4.12
    ;; WHEN: Sun Oct 27 20:41:04 2002
    ;; MSG SIZE  sent: 17  rcvd: 436
    $

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
> > Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of DENY UDP mess]ages in /var/log/security
> > From: Stacey Roberts [EMAIL PROTECTED]
> > To: Ruben de Groot [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED], FreeBSD Questions [EMAIL PROTECTED]
> > Date: 27 Oct 2002 18:29:16 +0000
> >
> > Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here..,
> >
> > I've made this change:
> >
> >     # Allow out access to Internet Domain name server
> >     $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
> >     #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <-- COMMENTED THIS OUT
> >     $fwcmd add 00618 allow udp from any to any 53 out via $oif
>
> You forgot keep-state. Your rule should be:
>
>     $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
> >                                                                                   <-- PUT THIS IN INSTEAD
> >
> > Now I try to query a root-server, I still get stopped by the firewall:
> >
> >     # date
> >     Sun Oct 27 18:19:35 GMT 2002
> >     # dig . ns @b.root-servers.net
> >
> >     ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >     ; (1 server found)
> >     ;; res options: init recurs defnam dnsrch
> >     ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out
> >
> > Checking logs:
> >
> >     # tail /var/log/security
> >     snip
> >     Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
> >     #
> >
> > The previous poster (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow me to query the root servers and allow their responses back in?
> >
> > TIA
> >
> > Stacey
> >
> > On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> > > snip
> > >
> > > > Verifying relevant ipfw rules:
> > > >
> > > >     # Allow out access to Internet Domain name server
> > > >     $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > > >     $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
> > >
> > > This last rule is bogus. From ipfw(8):
> > >
> > >      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> > >              This is the short form of ``tcpflags syn,!ack''.
> > >
> > > setup is not supposed to work for UDP packets. There is no handshake as in tcp connections.
> > >
> > > > Checking ipfw rule 910:
> > > >
> > > >     $fwcmd add 00910 deny log logamount 500 ip from any to any
> > > >
> > > > Why am I not able to query root servers, given my rules 00618 00619?
> > > >
> > > > I'd appreciate someone helping me out here., (or hitting me over the head if I'm missing something simple and glaringly obvious)
> > > >
> > > > TIA
> > > >
> > > > Stacey
> > > >
> > > > -- 
> > > > Stacey Roberts
> > > > B.Sc (HONS) Computer Science