Good catch, Ray. As usual, you were spot on. Details below...

On Tue, 12 Nov 2002 12:30:19 PST Ray Olszewski wrote:

> At 02:44 PM 11/12/02 -0500, Brad Fritz wrote:
>
> >A small addition to Ray's already comprehensive analysis...
> [...]
> >3. You have dnscache listening on port 193.37.83.1:53 and traffic
> > is allowed to it through the packet filter, but
> > /etc/dnscache/env/IPQUERY does not include a line that allows
> > queries from pingu-serv.farside.net's address or network.
>
> This would certainly cause the query to fail, Brad ... but would it fail
> with the particular icmp message he is getting? (This is a real question,
> not a disagreement phrased as a question.)

No, it would not send the icmp message. I actually thought about that
before sending my post and then forgot to verify in my haste. Here is
what testing revealed:

While running:

  tcpdump -n -i eth0 port 53 or icmp

Testing with IPQUERY=11.11.11 :

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  ;; connection timed out; no servers could be reached

  15:52:58.571963 192.168.21.10.34619 > 192.168.1.254.53: 23740+ A? \
      www.google.com. (32) (DF)
  15:53:27.528375 192.168.21.10.34619 > 192.168.1.254.53: 7106+ A? \
      www.google.com. (32) (DF)

  [no response, no ICMP traffic]

Testing with IPQUERY=192.168 :

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  216.239.53.101

  15:53:27.879319 192.168.1.254.53 > 192.168.21.10.34619: 7106 1/0/0 A \
      216.239.53.101 (48) (DF)

  [expected response, no ICMP traffic]

Testing with dnscache stopped:

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  ;; connection timed out; no servers could be reached

  16:01:54.009667 192.168.21.10.34619 > 192.168.1.254.53: 46045+ A? \
      www.google.com. (32) (DF)
  16:01:54.012534 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp \
      port 53 unreachable [tos 0xc0]
  16:01:59.012618 192.168.21.10.34619 > 192.168.1.254.53: 46045+ A? \
      www.google.com. (32) (DF)
  16:01:59.015371 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp \
      port 53 unreachable [tos 0xc0]

  [no response, ICMP port unreachable message]

Thanks for keeping me honest, Ray. :-)

--Brad

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
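The three captures above separate three failure modes that dig reports identically ("no servers could be reached"): an answer, a silent drop (dnscache ignoring a client outside IPQUERY, or a filter DROP), and an ICMP port unreachable (nothing bound on udp/53). The following triage helper is an added example, not code from the thread or from djbdns; it assumes tcpdump output in the format quoted in the message and uses those quoted lines, reassembled with the backslash continuations joined, as constructed sample input.

```python
import re

# Constructed sample: the tcpdump lines quoted in the message above, continuation
# lines joined (client 192.168.21.10 querying dnscache on 192.168.1.254:53).
CAPTURES = {
    "IPQUERY=11.11.11": [
        "15:52:58.571963 192.168.21.10.34619 > 192.168.1.254.53: 23740+ A? www.google.com. (32) (DF)",
        "15:53:27.528375 192.168.21.10.34619 > 192.168.1.254.53: 7106+ A? www.google.com. (32) (DF)",
    ],
    "IPQUERY=192.168": [
        "15:53:27.879319 192.168.1.254.53 > 192.168.21.10.34619: 7106 1/0/0 A 216.239.53.101 (48) (DF)",
    ],
    "dnscache stopped": [
        "16:01:54.009667 192.168.21.10.34619 > 192.168.1.254.53: 46045+ A? www.google.com. (32) (DF)",
        "16:01:54.012534 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp port 53 unreachable [tos 0xc0]",
        "16:01:59.012618 192.168.21.10.34619 > 192.168.1.254.53: 46045+ A? www.google.com. (32) (DF)",
        "16:01:59.015371 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp port 53 unreachable [tos 0xc0]",
    ],
}

# Patterns for the tcpdump output format shown in the message (assumption: the
# 2002-era "src.port > dst.port:" layout, no "IP" keyword, ports numeric via -n).
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
QUERY = re.compile(rf"^\S+ {IP}\.(\d+) > {IP}\.53: (\d+)\+ ")
REPLY = re.compile(rf"^\S+ {IP}\.53 > {IP}\.(\d+): (\d+) \d+/\d+/\d+")
UNREACH = re.compile(rf"^\S+ {IP} > {IP}: icmp: \S+ udp port 53 unreachable")


def diagnose(lines):
    """Classify one dig attempt captured with `tcpdump -n port 53 or icmp`.

    Returns (verdict, explanation). Counting rather than pairing by
    transaction id keeps it robust to partial captures like the ones above."""
    queries = replies = unreach = 0
    for line in lines:
        if QUERY.match(line):
            queries += 1
        elif REPLY.match(line):
            replies += 1
        elif UNREACH.match(line):
            unreach += 1
    if replies:
        return "answered", "server replied; resolution works for this client"
    if unreach:
        return "not-listening", ("ICMP udp/53 unreachable: nothing bound on the port "
                                 "(dnscache stopped, or bound to another address)")
    if queries:
        return "silently-dropped", ("query reached the server, no reply and no ICMP: "
                                    "client outside IPQUERY, or a filter DROP rule")
    return "no-traffic", "no DNS packets seen: check interface, dig target, upstream filter"


if __name__ == "__main__":
    for name, lines in CAPTURES.items():
        print(f"{name:18s} -> {diagnose(lines)[0]}")
```

The verdict for IPQUERY=11.11.11 is "silently-dropped", which is the distinction Ray asked about: an IPQUERY mismatch looks like a DROP, not like a closed port.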