Hi all, I have encountered a really strange situation with named and ipsec (with manual keying). I have 2 remote VPN locations for which I tried to set up ipsec with manual keying. If I set up 1 location with manual keying I have no problems, everything works fine, but as soon as I add another location I'm having problems with DNS on the external interface... VPN works fine, but DNS works for 1-6 minutes and then stops responding on the external interface, which makes no sense to me. As soon as I run ipsecctl -F, DNS starts responding; if I restart named it works again for 1-6 minutes. Here is the output from tcpdump with timestamps:
primary (hostname):~# tcpdump -vvvvi bge0 udp and host 1.2.3.4
tcpdump: listening on bge0, link-type EN10MB
22:19:18.439345 cpe-1.2.3.4.socal.res.rr.com.33271 > hostname.example.com.domain: [udp sum ok] 64225+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:19:18.439720 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33271: 64225*- q: A? www.example.com. 1/2/2 www.example.com. A[|domain] (ttl 64, id 50486, len 173)
22:19:18.461729 cpe-1.2.3.4.socal.res.rr.com.33271 > hostname.example.com.domain: [udp sum ok] 55514+ AAAA? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:19:18.462034 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33271: 55514*- q: AAAA? www.example.com. 0/1/0 ns: example.com. SOA[|domain] (ttl 64, id 55708, len 135)
22:19:18.484200 cpe-1.2.3.4.socal.res.rr.com.33271 > hostname.example.com.domain: [udp sum ok] 57716+ MX? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:19:18.484570 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33271: 57716*- q: MX? www.example.com. 0/1/0 ns: example.com. SOA[|domain] (ttl 64, id 43986, len 135)
22:22:11.642593 cpe-1.2.3.4.socal.res.rr.com.33271 > hostname.example.com.domain: [udp sum ok] 42413+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:22:11.642956 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33271: 42413*- q: A? www.example.com. 1/2/2 www.example.com. A[|domain] (ttl 64, id 27733, len 173)
22:22:11.711454 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 21461+ AAAA? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:22:11.711792 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33272: 21461*- q: AAAA? www.example.com. 0/1/0 ns: example.com. SOA[|domain] (ttl 64, id 7519, len 135)
22:22:11.738325 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 40868+ MX? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:22:11.738629 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33272: 40868*- q: MX? www.example.com. 0/1/0 ns: example.com. SOA[|domain] (ttl 64, id 24317, len 135)
22:24:45.958827 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 58601+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:24:50.951011 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 58601+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:25:13.469624 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 60060+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:25:18.455400 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 60060+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)

Here is the named log at the time when it's not responding:

23-Jan-2008 22:24:45.958 socket 0x49548a00 1.2.3.4#33272: packet received correctly
23-Jan-2008 22:24:45.958 client 1.2.3.4#33272: UDP request
23-Jan-2008 22:24:45.958 client 1.2.3.4#33272: view non-office: using view 'non-office'
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: request is not signed
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: recursion not available
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: query
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: ns_client_attach: ref = 1
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: query 'www.example.com/A/IN' approved
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: send
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: sendto
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: senddone
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: next
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: ns_client_detach: ref = 0
23-Jan-2008 22:24:45.959 client 1.2.3.4#33272: view non-office: endrequest
23-Jan-2008 22:24:50.951 socket 0x49548a00 1.2.3.4#33272: packet received correctly
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: UDP request
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: using view 'non-office'
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: request is not signed
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: recursion not available
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: query
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: ns_client_attach: ref = 1
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: query 'www.example.com/A/IN' approved
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: send
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: sendto
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: senddone
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: next
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: ns_client_detach: ref = 0
23-Jan-2008 22:24:50.951 client 1.2.3.4#33272: view non-office: endrequest
23-Jan-2008 22:25:13.469 socket 0x49548a00 1.2.3.4#33272: packet received correctly
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: UDP request
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: using view 'non-office'
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: request is not signed
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: recursion not available
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: query
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: ns_client_attach: ref = 1
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: query 'www.example.com/A/IN' approved
23-Jan-2008 22:25:13.469 client 1.2.3.4#33272: view non-office: send
23-Jan-2008 22:25:13.470 client 1.2.3.4#33272: view non-office: sendto
23-Jan-2008 22:25:13.470 client 1.2.3.4#33272: view non-office: senddone
23-Jan-2008 22:25:13.470 client 1.2.3.4#33272: view non-office: next
23-Jan-2008 22:25:13.470 client 1.2.3.4#33272: view non-office: ns_client_detach: ref = 0
23-Jan-2008 22:25:13.470 client 1.2.3.4#33272: view non-office: endrequest
23-Jan-2008 22:25:18.455 socket 0x49548a00 1.2.3.4#33272: packet received correctly
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: UDP request
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: using view 'non-office'
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: request is not signed
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: recursion not available
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: query
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: ns_client_attach: ref = 1
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: query 'www.example.com/A/IN' approved
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: send
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: sendto
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: senddone
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: next
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: ns_client_detach: ref = 0
23-Jan-2008 22:25:18.455 client 1.2.3.4#33272: view non-office: endrequest

Apparently, bind gets the requests and tries to send the replies, but they never come back. Now, sometimes if I query the external interface from the DNS server, I get a reply like this:

* Response from unexpected source ([VPN_ENDPOINT_IP].61003*

host -t www.example.com always works (because it's using TCP?)

Any ideas?

Tautvydas
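As an added example (not part of the original post or of any project it mentions), the following Python script pairs the queries in a capture like the one above with their replies. It matches on the triple (client address, client source port, transaction ID), which is the same triple a stub resolver checks before accepting a reply; a reply that leaves the server re-sourced from the VPN endpoint address fails that check on the client side, which is what the "Response from unexpected source" message reports. The capture embedded in the script is a constructed excerpt in the `tcpdump -vvvv` line format shown in the post: one answered A query and one A query retried twice with no reply.

```python
"""Pair DNS queries with replies in tcpdump -vvvv output and flag the
transactions that never got an answer. Added example; SAMPLE_CAPTURE is a
constructed excerpt in the format of the post's capture, not the real one."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CAPTURE = """\
22:19:18.439345 cpe-1.2.3.4.socal.res.rr.com.33271 > hostname.example.com.domain: [udp sum ok] 64225+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:19:18.439720 hostname.example.com.domain > cpe-1.2.3.4.socal.res.rr.com.33271: 64225*- q: A? www.example.com. 1/2/2 www.example.com. A[|domain] (ttl 64, id 50486, len 173)
22:24:45.958827 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 58601+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
22:24:50.951011 cpe-1.2.3.4.socal.res.rr.com.33272 > hostname.example.com.domain: [udp sum ok] 58601+ A? www.example.com. (40) (DF) (ttl 51, id 0, len 68)
"""

# timestamp, src endpoint, dst endpoint, optional checksum note, DNS id + flag characters, rest
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:\[udp sum ok\] )?(?P<txid>\d+)(?P<flags>[+*|-]*) (?P<rest>.*)$"
)
# "A? www.example.com." in a query, "q: A? www.example.com." in a reply
QUESTION_RE = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
DNS_PORTS = ("domain", "53")


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """tcpdump appends the port after a dot: 'host.name.33271' -> ('host.name', '33271')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Transaction:
    client: str
    client_port: str
    txid: int
    qtype: str
    qname: str
    first_query: float
    query_count: int = 0            # 1 = asked once, >1 = client retransmitted
    answered_at: Optional[float] = None

    @property
    def answered(self) -> bool:
        return self.answered_at is not None

    @property
    def latency_ms(self) -> Optional[float]:
        return None if self.answered_at is None else (self.answered_at - self.first_query) * 1000.0


@dataclass
class CaptureSummary:
    # keyed by (client address, client port, DNS id): the triple a resolver matches replies on
    transactions: Dict[Tuple[str, str, int], Transaction] = field(default_factory=dict)
    orphan_replies: List[str] = field(default_factory=list)  # replies with no matching query seen


def parse_capture(text: str) -> CaptureSummary:
    summary = CaptureSummary()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines such as "listening on bge0" are skipped
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        txid, t = int(m["txid"]), seconds(m["ts"])
        q = QUESTION_RE.search(m["rest"])
        qtype, qname = (q["qtype"], q["qname"]) if q else ("?", "?")
        if dst_port in DNS_PORTS:            # client -> server: query or retransmit
            key = (src_host, src_port, txid)
            tx = summary.transactions.setdefault(key, Transaction(src_host, src_port, txid, qtype, qname, t))
            tx.query_count += 1
        elif src_port in DNS_PORTS:          # server -> client: reply
            tx = summary.transactions.get((dst_host, dst_port, txid))
            if tx is None:
                summary.orphan_replies.append(line)
            elif tx.answered_at is None:
                tx.answered_at = t
    return summary


def unanswered(text: str) -> List[Transaction]:
    """Transactions the client sent (possibly several times) and never got a reply to."""
    return [tx for tx in parse_capture(text).transactions.values() if not tx.answered]


def report(text: str) -> List[str]:
    lines = []
    for tx in parse_capture(text).transactions.values():
        status = f"answered in {tx.latency_ms:.3f} ms" if tx.answered else "NO REPLY"
        lines.append(f"{tx.client}:{tx.client_port} id={tx.txid} {tx.qtype} {tx.qname} "
                     f"sent x{tx.query_count}, {status}")
    return lines


if __name__ == "__main__":
    # pipe saved tcpdump -vvvv output in, or run with no input to see the constructed sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print("\n".join(report(text)))
```

Run against a saved capture, a run of "NO REPLY" lines with growing `sent xN` counts that begins at the moment the second IPsec flow is added, together with a named log that still shows `senddone` for each of those ids, localizes the fault to the path the reply takes out of the box rather than to named itself; an entry in `orphan_replies` (a reply whose client triple was never seen as a query) is the server-side counterpart of a client-side "unexpected source" rejection.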