NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Resolver problems

At Wed, 2 Dec 2009 21:13:19 +0100, Ingolf Steinbach 
<> wrote:
Subject: Resolver problems
> which configuration settings are necessary to avoid AAAA look-ups in
> general? v6 support has already been removed from my kernel -- no
> interface has a v6 address, but still every application which wants to
> resolve a name first asks for a AAAA record and requests the A record
> only after 15 seconds.

You could recompile the whole system without INET6 support, i.e. with
the following in /etc/mk.conf:

    MKINET6 =   no
    USE_INET6 = no

However as others have said something else must be wrong if the AAAA
lookup doesn't immediately fail.

Indeed your trace shows something quite wrong.

> This is a typical situation:
> 20:53:27.056921 IP > 21446+ AAAA? 
> (35)
> 20:53:27.423053 IP > UDP, length 117

What's in the packet above?  It would appear to be an answer to the
AAAA query right above it, but your tcpdump didn't decode it.

> 20:53:27.423129 IP > ICMP udp port 65266 
> unreachable, length 36

Here it looks like your client rejecting the very same port it sent the
AAAA? query from as unreachable.  It should allow an answer back to that
same port.

Do you have a firewall turned on that's not setting up a connection
state entry for the query and then when the reply arrives it's sending
the port unreachable in response instead of allowing it through?

Or maybe the reply to the AAAA query really is garbled and doesn't look
like a DNS packet just as tcpdump suggests (and it also doesn't come
back with a source port of 53), so the firewall rejects it as invalid.

> 20:53:32.064586 IP > 21446+ AAAA? 
> (35)
> 20:53:32.118456 IP > UDP, length 117
> 20:53:32.118509 IP > ICMP udp port 65266 
> unreachable, length 36

Maybe your firewall doesn't understand the AAAA query as being a valid
DNS query so it fails to set up a flow state entry which would allow the
reply packet through.

> 20:53:42.073605 IP > 21447+ A? 
> (35)
> 20:53:42.075143 IP > 21447- 1/0/0 A 
> (51)
> What's also unclear: what is the reason for the "port ... unreachable"
> ICMP messages?
> is a freshly installed 5.0.1/i386, is a
> (non-NetBSD) router.

Yeah, it probably doesn't understand AAAA DNS queries as valid, and it
sends some garbage error message in reply, i.e. a reply that doesn't
look like a DNS reply, and so your firewall rejects it and forces the
resolver to try again.

Maybe you should run NetBSD on your router too?  :-)

Note that when I do a AAAA query to my caching server (which happens to
be "unbound" running on NetBSD-4), I get an immediate reply (within .001
seconds, if you believe the timestamps) saying that there is no such

# tcpdump -vvv -s 1500 host dns2         
tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 1500 bytes
03:05:27.470777 IP (tos 0x0, ttl  64, id 12738, offset 0, flags [none], length: 
60, bad cksum 0 (->b410)!) > [udp 
sum ok]  8766+ AAAA? (32)
03:05:27.471117 IP (tos 0x0, ttl  64, id 51103, offset 0, flags [none], length: 
110) > [udp sum ok]  8766 q: AAAA? 0/1/0 ns: SOA 
2009102616 14400 7200 604800 14400 (82)

                                                Greg A. Woods
                                                Planix, Inc.

<>       +1 416 218 0099

Attachment: pgpvN38n2uK_W.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index