Description of problem:
When I run the dig command, e.g. dig www.google.com, I receive the following error message:

; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Version-Release number of selected component (if applicable):
bind-utils-9.9.2-7.P2.fc17.x86_64

How reproducible:
Always and with all queries. My PC is behind a Checkpoint firewall/IPS. The Checkpoint shows me the IPS logs with the following message: BAD DNS HEADER

Steps to Reproduce:
1. install bind-utils
2. run the dig command with any domain behind the IPS/firewall

Actual results:
; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Expected results:
; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> www.google.it @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40807
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.it. IN A

;; ANSWER SECTION:
www.google.it. 164 IN A 173.194.40.95
www.google.it. 164 IN A 173.194.40.87
www.google.it. 164 IN A 173.194.40.88

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 17 17:04:19 2013
;; MSG SIZE rcvd: 90

Additional info:
nslookup works fine. I configured a local DNS as a forwarder with the same DNS as in resolv.conf, and when I run dig www.google.com @localhost it works fine. On a different distro it works fine.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Hi. Please attach a network communication dump containing the DNS Query packets:
1. when using dig without a local recursive DNS server - dig failing
2. when using dig with a local recursive DNS server - dig NOT failing

I need to analyse the packets sent by dig (failing) and by the recursive local DNS server (working). Without it there is not much information I can use from your Bug report. There is also the possibility that you have some wrong rule(s) in your firewall. Thanks!
Created attachment 741391 [details]
Failed dig

tcpdump -nv host 172.21.255.22 and udp port 53 or tcp port 53 -w dig-fail.pcap

shows the failed query
Created attachment 741403 [details]
Ok dig

tcpdump -nv host <ip> and udp port 53 or tcp port 53 -w dig-ok.pcap

shows the local DNS query with forwarding to <ip>
Thank you for those communication dumps. The difference seems to be that dig sets the AD (authentic data) bit when sending a DNS Query out. Can you please try:

# dig www.google.com +noadflag

If it works I assume you will have to change your firewall settings so it doesn't drop outgoing DNS Queries with the AD bit set.
Also, if you would be interested in what the AD bit means in a DNS Query, you can find more information in RFC 6840 [1].

[1] http://tools.ietf.org/html/rfc6840#section-5.7
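To make the header difference Tomas describes concrete, here is a small Python script (added for illustration; it is not code from this bug, from bind-utils or from Checkpoint) that builds the two query shapes, a default dig query with AD=1 and a +noadflag query with AD=0, and decodes the flags field the way dig prints it. The packets are constructed stand-ins for the two pcaps attached above; function names such as build_query and query_sets_ad are my own.

```python
import struct

# DNS header flag bits (RFC 1035; AD/CD from RFC 4035; AD-in-query semantics in RFC 6840 s5.7)
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # authentic data; the dig in this bug sets it in queries, +noadflag clears it
FLAG_CD = 0x0010
# Order in which dig prints the flags on its ";; flags:" line
DIG_FLAG_ORDER = [("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC),
                  ("rd", FLAG_RD), ("ra", FLAG_RA), ("ad", FLAG_AD), ("cd", FLAG_CD)]


def build_query(name, qid=0x1234, flags=FLAG_RD):
    """Build a minimal A/IN query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


def parse_header(packet):
    """Decode the 12-byte header into the fields dig shows in its ->>HEADER<<- lines."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "flags": [name for name, bit in DIG_FLAG_ORDER if flags & bit],
            "counts": (qd, an, ns, ar)}


def dig_style_flags(packet):
    """Render the flag list the way dig prints it, e.g. 'qr rd ra' or 'rd ad'."""
    return " ".join(parse_header(packet)["flags"])


def query_sets_ad(packet):
    """True for an outgoing query (QR=0) carrying AD=1: the header shape the
    reporter's IPS logged as BAD DNS HEADER and dropped."""
    h = parse_header(packet)
    return "qr" not in h["flags"] and "ad" in h["flags"]


if __name__ == "__main__":
    # Constructed packets standing in for the two captures attached to this bug
    default_dig = build_query("www.google.com", flags=FLAG_RD | FLAG_AD)  # dig www.google.com
    noadflag = build_query("www.google.com", flags=FLAG_RD)               # dig ... +noadflag
    for label, pkt in (("dig", default_dig), ("dig +noadflag", noadflag)):
        print(f"{label:14s} flags field 0x{pkt[2]:02x}{pkt[3]:02x}  "
              f"flags: {dig_style_flags(pkt)}  ad-in-query: {query_sets_ad(pkt)}")
```

Running it on a real capture instead (the first 12 bytes of the UDP payload) shows directly whether the query leaving the host carries the AD bit before any firewall rule is touched.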
@Tomas Hozza
Hi, I tried to run

# dig www.google.com +noadflag

and it works.

I tried to stop my firewall

# service iptables stop
# service ip6tables stop

SELinux is disabled, and

# dig www.google.com

doesn't work.

Regards
Stefanet
Thank you for testing.

(In reply to comment #7)
> I tried to run
>
> # dig www.google.com +noadflag
>
> and it works.
>
> I tried to stop my firewall
>
> # service iptables stop
> # service ip6tables stop

I was thinking of the "checkpoint firewall/ips" you mentioned in the Bug description. I assume your host firewall should be fine. From the Bug description it looks like the IPS is blocking DNS Queries with the AD flag set. Can you please check the Checkpoint (IPS) configuration? Thanks!
Ok... I cannot test the Checkpoint firewall. I can view the log only. I will speak with the manager of the Checkpoint IPS/firewall.

Regards
Stefanet
Since this issue was most probably caused by too restrictive IPS/firewall settings, I'm closing this Bug as NOTABUG.