DNS with host works, but not with mysql or ping

Jon Radel jon at radel.com
Mon Feb 29 19:28:23 UTC 2016


On 2/29/16 1:10 PM, Sergei G wrote:
> It appears that host is suffering from the same problem:
>
> host yahoo.com
> yahoo.com has address 206.190.36.45
> yahoo.com has address 98.138.253.109
> yahoo.com has address 98.139.183.24
> yahoo.com has IPv6 address 2001:4998:44:204::a7
> yahoo.com has IPv6 address 2001:4998:58:c02::a9
> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>
>
> fetch  http://206.190.36.45  (yahoo)
> times out
Well, actually that's a different problem as that's not using the FQDN.
>
> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public at gmail.com> wrote:
>
>> If I use host command to resolve name to IP, then I get a correct IP.
>>
>> If I use ping, mysql, fetch commands, then DNS fails to resolve.  I can't
>> quite figure out what the difference is.
DNS fails to resolve or the connection times out?  I suspect the latter.
>> block drop in log on bce0 all
>> ...
>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port =
>> domain keep state
>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10
>> port = domain keep state
>> ...
>> pass out quick on bce0 inet proto udp from any to any port = domain keep
>> state
>> ...
I didn't analyze line-by-line in excruciating detail, but....   I rather 
suspect that the lack of a line that allows for outbound HTTP traffic 
that sets up state for the return packets means that all the HTTP return 
packets get zapped by your default drop.  DNS works so much better as 
you have a "pass out quick" for DNS that keeps state.  Since you log all 
that blockage, how about looking in your logs???????

BTW, given that your DNS pass statements are set up to allow only UDP, 
DNS is still broken, but only in an intermittent fashion that will 
eventually drive you insane.  You might want to fix that too.

--Jon Radel
jon at radel.com
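The two corrections Jon points at, written out as a pf.conf fragment. This is an added illustration, not a ruleset from the thread: the interface name, the two LAN networks and the resolver address are taken from the quoted rules, while the macro names and the HTTP/HTTPS rule are assumptions about what the poster's ruleset would need.

```pf
# Added example: pf.conf fragment showing the two fixes discussed above.
# Interface, LAN networks and resolver address come from the quoted rules;
# the macro names and the web rule are assumptions.
ext_if   = "bce0"
lan_nets = "{ 10.0.1.0/24, 192.168.3.0/24 }"
resolver = "10.0.1.10"

# Default deny inbound, logged, as in the original ruleset. Anything that
# is not matched by a state entry or a "pass in" rule ends up in pflog.
block drop in log on $ext_if all

# Fix 1: DNS on both transports. The original rules allowed UDP only, so
# any query that falls back to TCP (truncated answers, large responses)
# silently fails, which is the "intermittent" breakage described above.
#
#   before: pass in quick on $ext_if inet proto udp from $lan_nets \
#               to $resolver port domain keep state
#
pass in  quick on $ext_if inet proto { tcp, udp } from $lan_nets to $resolver port domain keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port domain keep state

# Fix 2: the missing outbound web rule. Without a stateful "pass out" for
# TCP, the outgoing SYN leaves the box, but the SYN-ACK coming back has no
# state entry to match and is dropped by the default "block drop in".
# "flags S/SA" creates state only from the initial SYN of a new connection.
pass out quick on $ext_if inet proto tcp from any to any port { http, https } flags S/SA keep state
```

On current pf releases, `keep state` and `flags S/SA` are already the defaults for a `pass` rule, so the explicit keywords mainly document intent; the rules still need to exist for state to be created. After loading the ruleset, `tcpdump -n -e -ttt -i pflog0` shows what is still being dropped.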



