DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Dear community,

I do have many errors in my Bind log file, such as:

client 192.168.201.1#29404: error sending response: host unreachable

It seems that I have an iptables issue, as each time I shut down iptables this
message no longer shows up.

I saw that my firewall is dropping packets from the DNS server itself
towards the client, as the source port is SPT=53/UDP.

I am using bind 9.6; it should use a random port >1024 for the source port
(I didn't specify the query-source parameter).

Nevertheless, DNS resolution seems to be working fine.

Any idea?


Regards,
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Chuck Swiger
On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> Dear community,
> 
> I do have many errors in my Bind log file, such as:
> 
> client 192.168.201.1#29404: error sending response: host unreachable
> 
> It seems that I have an iptables issue, as each time I shut down iptables this
> message no longer shows up.

You're probably exhausting the firewall state table with DNS traffic under 
load, causing the traffic to be blocked with an ICMP "host unreachable" 
response.

> I saw that my firewall is dropping packets from the DNS server itself towards 
> the client, as the source port is SPT=53/UDP.
> 
> I am using bind 9.6, it should use random port >1024 for the source port. (I 
> didn't specify query-source parameter).
> 
> Nevertheless, DNS resolution seems to be working fine.

Adjust your firewall to permit UDP and TCP traffic needed for DNS without 
keeping state, or only keep state on external traffic, but not between your 
nameserver(s) and your local clients...

Regards,
-- 
-Chuck



Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Here is my iptables configuration for bind:

# prod.dns.in
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0

# OUTPUT
#-
# prod.dns.out
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0

My issue is between two BIND servers. The one logging the error messages is my
public DNS server, which the internal server uses as a forwarder. Here is the
drop from the firewall:

[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111

It doesn't seem to be a TCP issue, as the packet is UDP.

Any idea?

Regards,

On 12 March 2012 18:00, Chuck Swiger wrote:

> On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> > Dear community,
> >
> > I do have many errors in my Bind log file, such as:
> >
> > client 192.168.201.1#29404: error sending response: host unreachable
> >
> > It seems that I have an iptables issue, as each time I shut down iptables
> > this message no longer shows up.
>
> You're probably exhausting the firewall state table with DNS traffic under
> load, causing the traffic to be blocked with an ICMP "host unreachable"
> response.
>
> > I saw that my firewall is dropping packets from the DNS server itself
> > towards the client, as the source port is SPT=53/UDP.
> >
> > I am using bind 9.6; it should use a random port >1024 for the source
> > port (I didn't specify the query-source parameter).
> >
> > Nevertheless, DNS resolution seems to be working fine.
>
> Adjust your firewall to permit UDP and TCP traffic needed for DNS without
> keeping state, or only keep state on external traffic, but not between your
> nameserver(s) and your local clients...
>
> Regards,
> --
> -Chuck
>
>
>

Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Chuck Swiger
On Mar 12, 2012, at 1:24 PM, Romgo wrote:
> Here is my Iptables configuration for bind :
> 
> # prod.dns.in
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d 
> 192.168.201.2 -s 0/0
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 
> 192.168.201.2 -s 0/0

Shouldn't the first line have a space before the minus within "eth1-d"?

Regards,
-- 
-Chuck



Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Sorry, it has a space; I just made an error when copying.

Yes, 192.168.201.2 is dropped because it uses source port 53. I don't have
any iptables rule for this.
I don't understand why there is a packet with source port 53.

On 12 March 2012 21:33, Chuck Swiger wrote:

> On Mar 12, 2012, at 1:24 PM, Romgo wrote:
> > Here is my Iptables configuration for bind :
> >
> > # prod.dns.in
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d
> 192.168.201.2 -s 0/0
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d
> 192.168.201.2 -s 0/0
>
> Shouldn't the first line have a space before the minus within "eth1-d"?
>
> Regards,
> --
> -Chuck
>
>
>

Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Mark Andrews

Romgo writes:
> 
> Here is my Iptables configuration for bind :
> 
> # prod.dns.in
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d
> 192.168.201.2 -s 0/0
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d
> 192.168.201.2 -s 0/0
> 
> 
> # OUTPUT
> #-
> # prod.dns.out
> $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s
> 192.168.201.2 -d 0/0
> $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s
> 192.168.201.2 -d 0/0

This is obviously wrong.  You want to be looking at the source port not
the destination port for reply traffic.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
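Mark's point (reply traffic is matched on its source port, not its destination port) and Romgo's [FW-DROP] line can be checked mechanically. What follows is an added example, not code from the thread, from BIND or from ISC: it parses the logged packet, runs it through a small matcher that models only the iptables predicates the posted rules use (-o, -p, --sport, --dport, -s, -d), and then through a corrected rule set that adds --sport 53 reply rules. The wide-open source address on the added reply rules is an assumption: the log shows the reply leaving from 192.168.200.2 while the posted rules name 192.168.201.2, so which local addresses to list is left to the deployment.

```python
"""Added example (not from the thread): evaluate the posted OUTPUT rules
against the logged [FW-DROP] packet, then against rules that match DNS
replies on their source port, as Mark Andrews suggests."""
import ipaddress
import re

# The firewall log line quoted in the thread, re-joined into one line.
FW_DROP_LINE = (
    "[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111"
)

_FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn the KEY=VALUE pairs of an iptables LOG line into a dict.

    LEN appears twice (IP total length, then UDP length); the later value
    wins, which does not matter for the matching done here."""
    return dict(_FIELD_RE.findall(line))


def _addr_in(cidr, addr):
    """iptables-style address match; '0/0' is the wildcard the thread uses."""
    if cidr in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_mismatches(rule, pkt):
    """List the predicates of one rule that the packet fails (empty = match)."""
    failed = []
    if rule.get("out") and rule["out"] != pkt.get("OUT"):
        failed.append("out-interface")
    if rule.get("proto") and rule["proto"].upper() != pkt.get("PROTO"):
        failed.append("protocol")
    if rule.get("sport") is not None and str(rule["sport"]) != pkt.get("SPT"):
        failed.append("source-port")
    if rule.get("dport") is not None and str(rule["dport"]) != pkt.get("DPT"):
        failed.append("destination-port")
    if rule.get("src") and not _addr_in(rule["src"], pkt["SRC"]):
        failed.append("source-address")
    if rule.get("dst") and not _addr_in(rule["dst"], pkt["DST"]):
        failed.append("destination-address")
    return failed


def first_match(rules, pkt):
    """Name of the first rule that accepts the packet, or None (chain policy)."""
    for rule in rules:
        if not rule_mismatches(rule, pkt):
            return rule["name"]
    return None


# The OUTPUT rules as posted: both match --dport 53, i.e. queries this host
# sends, never the answers it sends back.
POSTED_OUTPUT_RULES = [
    {"name": "dns-query-tcp", "proto": "tcp", "dport": 53, "out": "eth1",
     "src": "192.168.201.2", "dst": "0/0"},
    {"name": "dns-query-udp", "proto": "udp", "dport": 53, "out": "eth1",
     "src": "192.168.201.2", "dst": "0/0"},
]

# Corrected set: keep the query rules and add reply rules keyed on --sport 53.
# Source address deliberately left as 0/0 (assumption): the log shows the
# reply leaving from 192.168.200.2, not the 192.168.201.2 the posted rules
# name, so tighten this to the server's real addresses in production.
CORRECTED_OUTPUT_RULES = POSTED_OUTPUT_RULES + [
    {"name": "dns-reply-udp", "proto": "udp", "sport": 53, "out": "eth1",
     "src": "0/0", "dst": "0/0"},
    {"name": "dns-reply-tcp", "proto": "tcp", "sport": 53, "out": "eth1",
     "src": "0/0", "dst": "0/0"},
]


def explain_drop(line, rules):
    """Per-rule list of failed predicates for a logged packet."""
    pkt = parse_log_line(line)
    return {r["name"]: rule_mismatches(r, pkt) for r in rules}


if __name__ == "__main__":
    pkt = parse_log_line(FW_DROP_LINE)
    print("posted rules  ->", first_match(POSTED_OUTPUT_RULES, pkt))
    for name, why in explain_drop(FW_DROP_LINE, POSTED_OUTPUT_RULES).items():
        print(f"  {name}: fails {why}")
    print("corrected     ->", first_match(CORRECTED_OUTPUT_RULES, pkt))
```

Run as a script, the posted rules match nothing (the UDP rule fails on destination port and, separately, on source address), while the corrected set accepts the packet through dns-reply-udp. The same matcher can be pointed at any other [FW-DROP] line to see which predicate of which rule is rejecting it before touching the firewall.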


Re: DNS requests error sending response: host unreachable

2012-03-13 Thread Romgo
I see, but it should be stateful, right?


On 12 March 2012 23:57, Mark Andrews wrote:

>
> In message <
> caaoqnkg-xfkws_fen9kedub7w19vf4jocsfp52lb8ixv5+g...@mail.gmail.com>
> , Romgo writes:
> >
> > Here is my Iptables configuration for bind :
> >
> > # prod.dns.in
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d
> > 192.168.201.2 -s 0/0
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d
> > 192.168.201.2 -s 0/0
> >
> >
> > # OUTPUT
> > #-
> > # prod.dns.out
> > $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s
> > 192.168.201.2 -d 0/0
> > $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s
> > 192.168.201.2 -d 0/0
>
> This is obviously wrong.  You want to be looking at the source port not
> the destination port for reply traffic.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>

Re: DNS requests error sending response: host unreachable

2012-03-13 Thread lst_hoe02

Quoting Romgo:

> I see, but it should be stateful, right?

If using stateful UDP filtering, you might get hit by short timeout values
for UDP state matching, so packets get dropped if the query is too slow.


Regards

Andreas




Re: DNS requests error sending response: host unreachable

2012-03-13 Thread Romgo
All right, this seems to correct the issue.
But that's the first time I had to open the firewall for an answer packet.

Weird.

Thanks for the help.



On 13 March 2012 10:19, lst_hoe02 wrote:

> Quoting Romgo:
>
> > I see, but it should be stateful, right?
>
> If using stateful UDP filtering, you might get hit by short timeout values
> for UDP state matching, so packets get dropped if the query is too slow.
>
> Regards
>
> Andreas

Re: DNS requests error sending response: host unreachable

2012-03-14 Thread lst_hoe02

Quoting Romgo:

> All right, this seems to correct the issue.
> But that's the first time I had to open the firewall for an answer packet.
>
> Weird.

It is a somewhat special case. UDP by itself is not stateful at all, so
any stateful firewall has to use some timeout values to decide if the
"connection" is alive or not. The timeout is set really short most of
the time so as not to run out of resources, because there can be many UDP
"connections" and most of them are only two packets big (one out, one
incoming). On the other hand, a DNS query can take a lot of time until
an answer packet is on the way, so it might get dropped because of a
"closed" connection.
Normally you would not notice at all, because DNS is designed to cope
with failed/timed-out queries, and the next attempt is faster because
of caching and finally gets through. So basically you have two options:

- Ignore the dropped packets
- Do not use stateful tracking for DNS

Regards

Andreas


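The timeout effect Andreas describes, and the stateless alternative that avoids it, as an added example that is not part of the thread: a toy connection tracker keeps one entry per UDP flow and forgets it after a short idle timeout, so an answer that takes longer than the timeout no longer matches any state and is dropped, whereas a rule that accepts answers by source port 53 does not care how long the server took. The 30-second figure is Linux's default for net.netfilter.nf_conntrack_udp_timeout; the answer delays are constructed, and the addresses and ports copy the thread's log line.

```python
"""Added example (not from the thread): a toy model of stateful UDP tracking
with a short idle timeout, versus a stateless source-port-53 rule."""

# Linux's default net.netfilter.nf_conntrack_udp_timeout is 30 seconds;
# the delays fed to simulate() below are constructed values.
UDP_TIMEOUT = 30.0


class StatefulUdpFilter:
    """Minimal connection tracker: one entry per UDP 4-tuple, forgotten once
    idle longer than `timeout`. Answers are accepted only against a live entry,
    the way an ESTABLISHED-only rule would behave."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}  # (src, sport, dst, dport) -> time last packet was seen

    def _expire(self, now):
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.timeout:
                del self.table[key]

    def see_query(self, pkt, now):
        """First packet of a flow: let through by a --dport 53 rule, creates state."""
        self._expire(now)
        if pkt["proto"] != "udp" or pkt["dport"] != 53:
            return "DROP"
        self.table[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = now
        return "ACCEPT"

    def see_reply(self, pkt, now):
        """Answer packet: needs the reversed 4-tuple to still be in the table."""
        self._expire(now)
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.table:
            return "DROP"  # state timed out: the answer now looks unsolicited
        self.table[key] = now
        return "ACCEPT"


def stateless_reply_rule(pkt):
    """The stateless alternative: accept answers by their source port."""
    return "ACCEPT" if pkt["proto"] == "udp" and pkt["sport"] == 53 else "DROP"


def simulate(reply_delay, timeout=UDP_TIMEOUT):
    """Run one query/answer pair through both filters.

    Client 192.168.201.1 port 37513 asks server 192.168.200.2 port 53, as in
    the thread's log line; reply_delay is the constructed number of seconds
    the server needs before its answer leaves."""
    query = {"proto": "udp", "src": "192.168.201.1", "sport": 37513,
             "dst": "192.168.200.2", "dport": 53}
    reply = {"proto": "udp", "src": "192.168.200.2", "sport": 53,
             "dst": "192.168.201.1", "dport": 37513}
    fw = StatefulUdpFilter(timeout)
    fw.see_query(query, now=0.0)
    return {
        "stateful": fw.see_reply(reply, now=reply_delay),
        "stateless": stateless_reply_rule(reply),
    }


if __name__ == "__main__":
    for delay in (2.0, 45.0):
        print(f"answer after {delay:>4}s:", simulate(delay))
```

On a real Linux host the idle timeout is the sysctl net.netfilter.nf_conntrack_udp_timeout; raising it trades memory for fewer of these drops. Andreas' second option corresponds to taking port-53 traffic out of tracking (a NOTRACK rule in the raw table) and accepting answers with a plain --sport 53 rule as Mark suggested. That stateless rule admits any packet whose source port is 53, so restrict it to the nameserver addresses you actually talk to rather than 0/0, and keep the drops logged so genuine loss stays visible.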