Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-13 Thread Michael Richardson

Mike Lieberman  wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.

Your explanation is rather obtuse, but I think you mean that your BIND
servers cannot do recursive lookups, rather than receive/answer
authoritative queries.

Do your queries originate from port-53?  That is not the default anymore, AFAIK.

> The question I need resolved by the proper group/forum is: What port or
> technology is doing the blocking? The ISP has no idea.

No, the ISP probably has no idea.  Might even be their FTTH ONT system.

> I have tried three of the new routers but all blocked my servers. I
> tried a replacement EoL router and that works. Without changing
> anything on the network, other than the physical router, it was like
> flipping a switch.

I assume it's a GPON, and therefore you can't easily tcpdump on the outside
like you can with a plain PPPoE with VDSL.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-05 Thread John W. Blue via bind-users
Recommend you run tcpdump on the affected server:

tcpdump -n -i ethxxx port 53

This should give you a better lay of the land instead of observational 
troubleshooting.  If you do not see packets leaving then there is something on 
your side.

If you see port 53 packets leaving and not returning, it could be many things, but 
at least you know you're putting them out there.  Armed with that info you might 
be able to convince the ISP to dig (no pun intended .. okay intended) harder.

Good hunting.

John

Sent from Nine<http://www.9folders.com/>

From: Mike Lieberman 
Sent: Sunday, March 5, 2023 9:47 PM
To: bind-users@lists.isc.org
Subject: Something other than port 53 is blocking the LAN based BIND9 Servers

Hi, I am new here, but have been using BIND since 1994.

I am confused by the issue herein and maybe someone has an idea of at least 
what group I should be talking to.

I have a Debian based operation and my BIND9 servers run on Debian. BUT...

This is really about BIND as it interacts with my ISP supplied FTTH routers. 
There is apparent port blocking of the servers ONLY using their newer routers 
and not the older ones. I can't figure out which port is being blocked because 
UDP and TCP port 53 is open in all cases and works from any client (including a 
client application running from Terminal on a server). (Once again, my BIND 
servers work fine without errors.)

My ISP (PLDT Philippines) has had an FTTH router that allowed my three BIND 
servers to work flawlessly. It didn't require a whitelist on a firewall. And 
all clients could either use our LAN based DNS service or a public one. DIG and 
NSLOOKUP (yes, I know it has been obsoleted, but net-tools still has it) work.

But the older router reached EoL and the ISP wanted to change it out for its new 
FTTH router. And that is when I hit a wall.

The newer router blocks my local BIND servers (ONLY not clients using 
downstream servers) from receiving anything from the Internet. OUR BIND servers 
still have the local networks, but nothing else.

So, with the new router, my clients can access a public DNS server downstream 
and get FQDN resolved. The new router allows remote DNS lookups but denies my 
local BIND servers access to resolve the same non-local addresses.

The ISP's EoL equipment is really no longer good for other reasons but I can't 
use the new one.

The question I need resolved by the proper group/forum is: What port or 
technology is doing the blocking? The ISP has no idea.

I have tried three of the new routers but all blocked my servers. I tried a 
replacement EoL router and that works. Without changing anything on the 
network, other than the physical router, it was like flipping a switch.
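The tcpdump triage John describes (did the queries leave, did anything come back) and Michael's question about whether the queries originate from port 53 can both be answered from the same capture. The following Python is an added example, not code from this thread or from ISC: it parses tcpdump's default one-line `port 53` summary, pairs each query the BIND server sent with the reply it received, and reports which source ports the server used. The capture embedded in it is constructed for the example (documentation-range addresses, made-up transaction IDs); the server address 192.168.1.10 is an assumption.

```python
"""Added example: pair a BIND server's outbound DNS queries with their replies
in `tcpdump -n -i ethX port 53` output and report the source ports used.

Assumptions (not from the thread): tcpdump's default, non-verbose DNS summary
format; the server is 192.168.1.10; peers use RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Default tcpdump DNS summary lines look like:
#   21:47:01.1 IP 192.168.1.10.53 > 203.0.113.1.53: 51000 A? www.example.com. (33)
#   21:47:01.2 IP 203.0.113.1.53 > 192.168.1.10.53: 51000 1/0/0 A 192.0.2.7 (49)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[+\-*$%|]*) ?(?P<rest>.*)$"
)
# Only queries carry a question section, printed as "<QTYPE>? <name>".
QUESTION_RE = re.compile(r"\b[A-Z0-9]+\? (?P<qname>\S+)")

# Constructed sample capture, not real traffic: one LAN client asks the server,
# three queries to Internet authoritative servers leave from port 53 and get no
# reply, a query to the LAN router is answered, the client gets SERVFAIL, and one
# reply arrives that matches nothing the server sent.
SAMPLE_CAPTURE = """\
21:47:01.100100 IP 192.168.1.20.51234 > 192.168.1.10.53: 4321+ A? www.example.com. (33)
21:47:01.100900 IP 192.168.1.10.53 > 203.0.113.1.53: 51000 A? www.example.com. (33)
21:47:01.900000 IP 192.168.1.10.53 > 203.0.113.2.53: 51001 A? www.example.com. (33)
21:47:02.700000 IP 192.168.1.10.53 > 203.0.113.3.53: 51002 A? www.example.com. (33)
21:47:03.100000 IP 192.168.1.10.53 > 192.168.1.20.51234: 4321 ServFail 0/0/0 (33)
21:47:10.000000 IP 192.168.1.10.53 > 192.168.1.1.53: 51003+ A? www.example.com. (33)
21:47:10.030000 IP 192.168.1.1.53 > 192.168.1.10.53: 51003 1/0/0 A 192.0.2.7 (49)
21:47:12.000000 IP 203.0.113.9.53 > 192.168.1.10.53: 60000 1/0/0 A 198.51.100.7 (49)
"""


@dataclass(frozen=True)
class DnsPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_query: bool
    qname: Optional[str]


def parse_line(line: str) -> Optional[DnsPacket]:
    """Parse one tcpdump summary line; return None for lines that are not DNS."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = QUESTION_RE.search(m["rest"])
    return DnsPacket(
        ts=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), txid=int(m["id"]),
        is_query=q is not None, qname=q["qname"] if q else None,
    )


def analyse(capture: str, server_ip: str) -> dict:
    """Match the server's outbound queries to inbound replies on the tuple
    (peer address, peer port, local source port, transaction ID)."""
    outbound = {}          # key -> DnsPacket for every query the server sent
    answered = set()
    inbound_queries = 0    # queries from clients, not part of recursion
    unsolicited = 0        # replies matching no query: late, stray, or spoofed
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.src == server_ip and pkt.is_query:
            outbound[(pkt.dst, pkt.dport, pkt.sport, pkt.txid)] = pkt
        elif pkt.dst == server_ip and pkt.is_query:
            inbound_queries += 1
        elif pkt.dst == server_ip:
            key = (pkt.src, pkt.sport, pkt.dport, pkt.txid)
            if key in outbound:
                answered.add(key)
            else:
                unsolicited += 1
    unanswered = [p for k, p in outbound.items() if k not in answered]
    source_ports = {p.sport for p in outbound.values()}
    return {
        "inbound_client_queries": inbound_queries,
        "sent": len(outbound),
        "answered": len(answered),
        "unanswered": unanswered,
        "unsolicited_responses": unsolicited,
        "source_ports": source_ports,
        # True when every outbound query used port 53: BIND only does this if
        # named.conf pins 'query-source port 53'; the default is a random port.
        "fixed_source_port_53": bool(outbound) and source_ports == {53},
    }


def summarize(report: dict) -> str:
    """Render the report as the lines a person would read after the capture."""
    lines = [
        f"client queries received: {report['inbound_client_queries']}",
        f"recursion queries sent: {report['sent']}, answered: {report['answered']}, "
        f"unanswered: {len(report['unanswered'])}, "
        f"unsolicited replies: {report['unsolicited_responses']}",
        f"source ports used for outbound queries: {sorted(report['source_ports'])}",
    ]
    for p in report["unanswered"]:
        lines.append(f"  {p.ts} no reply from {p.dst}:{p.dport} for {p.qname} (txid {p.txid})")
    if report["fixed_source_port_53"]:
        lines.append("  every outbound query left from source port 53: check "
                     "'query-source port' in named.conf (default is a random port)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(analyse(SAMPLE_CAPTURE, "192.168.1.10")))
```

Run it over a real capture with `tcpdump -n -i ethX port 53 > cap.txt` (no `-v`, which changes the line format) and `analyse(open("cap.txt").read(), "<server ip>")`. Queries that leave and are never answered point upstream, as John says; nothing leaving at all points at the host's own firewall or routing. The fixed-source-port flag matters beyond this troubleshooting: `query-source port 53` in named.conf disables BIND's source-port randomization, which is the main defence against off-path cache poisoning, so unless there is a documented reason for pinning the port the default random port should be restored.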


Something other than port 53 is blocking the LAN based BIND9 Servers

2023-03-05 Thread Mike Lieberman
Hi, I am new here, but have been using BIND since 1994. 

I am confused by the issue herein and maybe someone has an idea of at least 
what group I should be talking to. 

I have a Debian based operation and my BIND9 servers run on Debian. BUT...

This is really about BIND as it interacts with my ISP supplied FTTH routers. 
There is apparent port blocking of the servers ONLY using their newer routers 
and not the older ones. I can't figure out which port is being blocked because 
UDP and TCP port 53 is open in all cases and works from any client (including a 
client application running from Terminal on a server). (Once again, my BIND 
servers work fine without errors.)

My ISP (PLDT Philippines) has had an FTTH router that allowed my three BIND 
servers to work flawlessly. It didn't require a whitelist on a firewall. And 
all clients could either use our LAN based DNS service or a public one. DIG and 
NSLOOKUP (yes, I know it has been obsoleted, but net-tools still has it) work.

But the older router reached EoL and the ISP wanted to change it out for its new 
FTTH router. And that is when I hit a wall.

The newer router blocks my local BIND servers (ONLY not clients using 
downstream servers) from receiving anything from the Internet. OUR BIND servers 
still have the local networks, but nothing else. 

So, with the new router, my clients can access a public DNS server downstream 
and get FQDN resolved. The new router allows remote DNS lookups but denies my 
local BIND servers access to resolve the same non-local addresses.

The ISP's EoL equipment is really no longer good for other reasons but I can't 
use the new one.

The question I need resolved by the proper group/forum is: What port or 
technology is doing the blocking? The ISP has no idea.

I have tried three of the new routers but all blocked my servers. I tried a 
replacement EoL router and that works. Without changing anything on the 
network, other than the physical router, it was like flipping a switch.