Bug 953196

Summary: DIG connection timed out; no servers could be reached
Product: Fedora
Reporter: stefanet <stefanet74>
Component: bind
Assignee: Tomáš Hozza <thozza>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: ovasik, thozza
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-05-27 08:44:02 UTC

Attachments:
- Failed dig (flags: none)
- Ok dig (flags: none)

Description stefanet 2013-04-17 15:31:45 UTC
Description of problem:
When I run the dig command, e.g. dig www.google.com, I receive the following error message:

; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Version-Release number of selected component (if applicable):
bind-utils-9.9.2-7.P2.fc17.x86_64

How reproducible:
Always, and with all queries. My PC is behind a Checkpoint firewall/IPS.
The Checkpoint shows me the IPS logs with the following message:

BAD DNS HEADER 

Steps to Reproduce:
1. install bind-utils
2. run the dig command with any domain from behind the IPS/firewall
  
Actual results:

; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Expected results:

; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.it @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40807
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.it.                 IN      A

;; ANSWER SECTION:
www.google.it.          164     IN      A       173.194.40.95
www.google.it.          164     IN      A       173.194.40.87
www.google.it.          164     IN      A       173.194.40.88

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 17 17:04:19 2013
;; MSG SIZE  rcvd: 90


Additional info:
nslookup works fine.
I configured a local DNS server as a forwarder to the same DNS server as in resolv.conf, and when I run
dig www.google.com @localhost
it works fine.

On a different distro it works fine.

Comment 1 Fedora Admin XMLRPC Client 2013-04-25 11:38:13 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Tomáš Hozza 2013-04-26 13:56:43 UTC
Hi.

Please attach network communication dumps containing the DNS query packets:

1. when using dig without the local recursive DNS server (dig failing)
2. when using dig with the local recursive DNS server (dig NOT failing)

I need to analyse the packets sent by dig (failing) and by the local recursive DNS server
(working). Without them there is not much information I can use from your bug
report.

There is also the possibility that you have some wrong rule(s) in your firewall.

Thanks!

Comment 3 stefanet 2013-04-29 07:53:37 UTC
Created attachment 741391 [details]
Failed dig

tcpdump -nv -w dig-fail.pcap 'host 172.21.255.22 and (udp port 53 or tcp port 53)'

shows the failed query

Comment 4 stefanet 2013-04-29 08:14:48 UTC
Created attachment 741403 [details]
Ok dig

Ok dig

tcpdump -nv -w dig-ok.pcap 'host <ip> and (udp port 53 or tcp port 53)'

shows the local DNS query with forwarding to <ip>

Comment 5 Tomáš Hozza 2013-05-02 08:50:26 UTC
Thank you for those communication dumps. The difference seems to be that
dig sets the AD (authentic data) bit when sending a DNS query out.

Can you please try:
# dig www.google.com +noadflag

If it works, I assume you will have to change your firewall settings so that it
doesn't drop outgoing DNS queries with the AD bit set.

Comment 6 Tomáš Hozza 2013-05-02 09:00:08 UTC
Also, if you are interested in what the AD bit means in a DNS query, you
can find more information in RFC 6840 [1].

[1] http://tools.ietf.org/html/rfc6840#section-5.7
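
To make the difference between the two captures concrete, the following is an added example (not code from the bug report, from BIND, or from Checkpoint). It builds a minimal A query with and without the AD bit, decodes the 12-byte header into the flag names dig prints on its ";; flags:" line, and models a hypothetical over-strict filter that rejects queries carrying AD. The filter logic and its "BAD DNS HEADER" verdict are an assumption about what the reporter's IPS does, derived only from its log message; the real rule is not known from the report. The sample response header is constructed from the values in the "Expected results" output above.

```python
import struct

# Bit positions inside the 16-bit flags word of a DNS header.
# QR/opcode/AA/TC/RD/RA/rcode come from RFC 1035; AD and CD were carved
# out of the old Z field by RFC 2535, and RFC 6840 section 5.7 specifies
# what AD means in a query (the reference given in comment 6).
FLAG_QR = 1 << 15
FLAG_AA = 1 << 10
FLAG_TC = 1 << 9
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_Z = 1 << 6    # reserved, must be zero
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_qname(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid=0x1234, ad=True, rd=True):
    """Build a minimal IN/A query (no EDNS).

    ad=True reproduces what the failing capture showed: the AD bit set in
    the outgoing query. ad=False corresponds to 'dig +noadflag'."""
    flags = (FLAG_RD if rd else 0) | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(pkt):
    """Decode the 12-byte DNS header into a dict; raises ValueError on short input."""
    if len(pkt) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(pkt))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "z": bool(flags & FLAG_Z),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flag_string(hdr):
    """Render the flags in the order and spelling dig uses on its ';; flags:' line."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if hdr[f])


def strict_middlebox(pkt):
    """Hypothetical model of the reporter's IPS rule (an assumption, not
    Checkpoint's actual logic): drop any query (QR=0) that carries the AD bit,
    and drop anything with the reserved Z bit set."""
    hdr = parse_header(pkt)
    if hdr["z"]:
        return "BAD DNS HEADER"   # reserved bit set: a genuinely malformed header
    if not hdr["qr"] and hdr["ad"]:
        return "BAD DNS HEADER"   # assumed: the rule that bit the reporter
    return "PASS"


# Constructed sample: the response header dig printed under 'Expected results'
# (id 40807, flags qr rd ra, QUERY 1, ANSWER 3, AUTHORITY 0, ADDITIONAL 1).
SAMPLE_RESPONSE_HEADER = struct.pack("!HHHHHH", 40807, FLAG_QR | FLAG_RD | FLAG_RA, 1, 3, 0, 1)

if __name__ == "__main__":
    for label, q in (("dig default", build_query("www.google.com")),
                     ("dig +noadflag", build_query("www.google.com", ad=False))):
        h = parse_header(q)
        print("%-14s flags: %-6s -> %s" % (label, flag_string(h), strict_middlebox(q)))
    r = parse_header(SAMPLE_RESPONSE_HEADER)
    print("response id %d status %s flags: %s" % (r["id"], r["status"], flag_string(r)))
```

Run against the bytes of a real capture (the first 12 bytes of the UDP payload), parse_header shows immediately whether the failing and working queries differ only in the AD bit, which is the comparison comment 5 describes. Note that a query with AD set is well-formed per RFC 6840; a device that logs it as a bad header is enforcing its own policy, not the protocol.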

Comment 7 stefanet 2013-05-02 10:16:59 UTC
@Tomas Hozza

Hi,

I tried to run

# dig www.google.com +noadflag

and it works.

I tried to stop my firewall

# service iptables stop
# service ip6tables stop

selinux is disabled

and 

# dig www.google.com

it doesn't work.

Regards
Stefanet

Comment 8 Tomáš Hozza 2013-05-02 11:22:07 UTC
Thank you for testing.

(In reply to comment #7)
> I tried to run
> 
> # dig www.google.com +noadflag
> 
> and it works.
> 
> I tried to stop my firewall
> 
> # service iptables stop
> # service ip6tables stop

I meant the "checkpoint firewall/ips" you mentioned in the bug description.
I assume your host firewall is fine. From the bug description it looks
like the IPS is blocking DNS queries with the AD flag set.

Can you please check the Checkpoint (IPS) configuration?

Thanks!

Comment 9 stefanet 2013-05-02 12:37:21 UTC
Ok...

I cannot test the Checkpoint firewall. I can only view the log.

I will speak with the manager of the Checkpoint IPS/firewall.

regards
Stefanet

Comment 10 Tomáš Hozza 2013-05-27 08:44:02 UTC
Since this issue was most probably caused by overly restrictive IPS/firewall
settings, I'm closing this bug as NOTABUG.