Bug 953196
Summary: DIG connection timed out; no servers could be reached

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | stefanet <stefanet74> |
| Component | bind | Assignee | Tomáš Hozza <thozza> |
| Status | CLOSED NOTABUG | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 17 | CC | ovasik, thozza |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-05-27 08:44:02 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description

stefanet 2013-04-17 15:31:45 UTC

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Hi. Please attach a network communication dump containing the DNS Query packets:

1. when using dig without the local recursive DNS server - dig failing
2. when using dig with the local recursive DNS server - dig NOT failing

I need to analyse the packets sent by dig (failing) and by the recursive local DNS server (working). Without them there is not much information I can use from your bug report. There is also the possibility that you have some wrong rule(s) in your firewall. Thanks!

Created attachment 741391 [details]
Failed dig

tcpdump -nv host 172.21.255.22 and udp port 53 or tcp port 53 -w dig-fail.pcap

shows the failed query.

Created attachment 741403 [details]
Ok dig

tcpdump -nv host <ip> and udp port 53 or tcp port 53 -w dig-ok.pcap

shows the local DNS query with forwarding to <ip>.

Thank you for those communication dumps. The difference seems to be that dig sets the AD (authentic data) bit when sending a DNS Query out. Can you please try:

# dig www.google.com +noadflag

If it works I assume you will have to change your firewall settings so it doesn't drop outgoing DNS Queries with the AD bit set. Also, if you are interested in what the AD bit means in a DNS Query, you can find more information in RFC 6840 [1].

[1] http://tools.ietf.org/html/rfc6840#section-5.7

@Tomas Hozza
Hi, I tried to run

# dig www.google.com +noadflag

and it works. I tried to stop my firewall

# service iptables stop
# service ip6tables stop

selinux is disabled and

# dig www.google.com

doesn't work.

Regards
Stefanet

Thank you for testing.

(In reply to comment #7)
> I tried to run
>
> # dig www.google.com +noadflag
>
> and it works.
>
> I tried to stop my firewall
>
> # service iptables stop
> # service ip6tables stop

I was thinking of the "checkpoint firewall/ips" you mentioned in the Bug description. I assume your host firewall should be fine. From the Bug description it looks like the IPS is blocking DNS Queries with the AD flag set. Can you please check the checkpoint (IPS) configuration? Thanks!

Ok... I cannot test the checkpoint firewall. I can only view the log. I will speak with the manager of the checkpoint ips/firewall.

regards
Stefanet

Since this issue was most probably caused by too restrictive ips/firewall settings I'm closing this Bug as NOTABUG.
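As an added example (not part of this bug report or of BIND), the following Python builds a wire-format A query the way dig sends it by default (AD bit set) and the way `dig +noadflag` sends it (AD bit clear), and decodes the header flags, so query packets from a dump like the two attached can be checked for the bit the IPS was dropping. The function names are my own; the flag values come from RFC 1035 and RFC 6840 section 5.7.

```python
import struct

# DNS header flag bits: RD from RFC 1035, AD in queries per RFC 6840 section 5.7.
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data; dig sets this on outgoing queries by default


def encode_qname(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, ad=True):
    """Constructed minimal A/IN query: ad=True mirrors plain dig,
    ad=False mirrors `dig +noadflag`."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_query(packet):
    """Decode the transaction id, RD/AD flags and first QNAME of a DNS message."""
    txid, flags = struct.unpack("!HH", packet[:4])
    labels, pos = [], 12  # question section starts after the 12-byte header
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return {"id": txid, "qname": ".".join(labels),
            "rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD)}


def queries_with_ad(packets):
    """Return the QNAMEs of queries carrying the AD bit: the ones a filter
    like the one in this report would drop, and the first thing to check
    when dig times out but the local recursive server works."""
    return [q["qname"] for q in map(parse_query, packets) if q["ad"]]
```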