When `drill` works but `nc` doesn't

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Mon Sep 19 09:17:18 UTC 2016


Hi,

Marko Turk [2016-09-18 22:29 +0200] :

> can you also add something like 'dst host 10.3.4.1' because (if I'm not
> mistaken) you only capture packets originating from 10.3.4.1 and not the
> replies.

You're right, I filtered out the replies. I attached a new
tcpdump resulting from

     1    $ sudo tcpdump -nettti lo0 \
     2      host 10.3.4.1 or host 10.77.4.1 or \
     3      host fd16:dcc0:f4cc:3::4:1 or host fd16:dcc0:f4cc:77::4:1 or \
     4      host 10.3.5.3 or host 10.77.5.3 or \
     5      host fd16:dcc0:f4cc:3::5:3 or host fd16:dcc0:f4cc:77::5:3 and \
     6      not host 10.77.2.1 and not host 10.3.2.1 and not port 8080 > \
     7      /tmp/tcpdump-nc2

Lines 2-5 match anything from the hosts in question (www1 and
mysql2); line 6 removes packets created by my proxy's health
checks and my varnish-nginx set-up.

The packets you can see in "tcpdump-nc2" are (again) created by
the following command:

  $ sudo jexec www1 nc -z mysql2.box-hlm-03.klaas 3306

> > Investigating the dump I came across the following line:
> > 
> >   00:00:00.000265 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 17918 unreachable, length 36
> > [cut]
> 
> It seems you're getting the reply from the wrong IP (10.3.3.1). Can you
> post your unbound config, specifically the 'interface:' section?

As you suspected correctly, the tcpdump reveals the following:

  1  00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
  2  00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
  3  00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
  4  00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
  5  00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)

Lines 1-2 show that www1 consults IP 10.77.3.1 (b/c
/etc/resolv.conf says so) but unbound (listening on both
10.{3,77}.3.1) replies on 10.3.3.1. (Not bad that you found that
out with half of the output missing, by the way!)

I also attached my unbound.conf. These should be the lines of the
most interest:

  interface: 0.0.0.0
  interface: ::0

  access-control: 10.0.0.0/8 allow
  access-control: fd16:dcc0:f4cc::/48 allow

I checked unbound.conf(5) and stumbled upon the following:

  interface-automatic: <yes or no>
    Detect  source  interface  on UDP queries and copy them to
    replies.  This feature is experimental, and needs support in
    your OS for particular socket options.  Default value is no.

Do I need that? Do you know why it works on IPv6 but doesn't on
IPv4?

Thank you very much for your help!

    Niklaas
-------------- next part --------------
00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000211 AF IPv4 (2), length 73: 10.3.4.1.58499 > 10.77.3.1.53: 56993+ AAAA? mysql2.box-hlm-03.klaas. (41)
00:00:00.000122 AF IPv4 (2), length 238: 10.3.3.1.53 > 10.3.4.1.58499: 56993 1/2/4 AAAA fd16:dcc0:f4cc:3::5:3 (206)
00:00:00.000055 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 58499 unreachable, length 36
00:00:01.020438 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.61340 > fd16:dcc0:f4cc:77::3:1.53: 56993+ AAAA? mysql2.box-hlm-03.klaas. (41)
00:00:00.000211 AF IPv6 (28), length 258: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.61340: 56993 1/2/4 AAAA fd16:dcc0:f4cc:3::5:3 (206)
00:00:00.000281 AF IPv4 (2), length 64: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [S], seq 1484750364, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 1611172442 ecr 0], length 0
00:00:00.000089 AF IPv4 (2), length 64: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [S.], seq 2014966415, ack 1484750365, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 2427400641 ecr 1611172442], length 0
00:00:00.000054 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [.], ack 1, win 1275, options [nop,nop,TS val 1611172442 ecr 2427400641], length 0
00:00:00.000378 AF IPv4 (2), length 162: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [P.], seq 1:107, ack 1, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172442], length 106
00:00:00.000041 AF IPv4 (2), length 56: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [F.], seq 107, ack 1, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172442], length 0
00:00:00.000049 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [.], ack 108, win 1274, options [nop,nop,TS val 1611172443 ecr 2427400642], length 0
00:00:00.000454 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [F.], seq 1, ack 108, win 1275, options [nop,nop,TS val 1611172443 ecr 2427400642], length 0
00:00:00.000040 AF IPv4 (2), length 56: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [.], ack 2, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172443], length 0

-------------- next part --------------
server:
    verbosity: 1
#   logfile: unbound.log

    interface: 0.0.0.0
    interface: ::0

    access-control: 10.0.0.0/8 allow
    access-control: fd16:dcc0:f4cc::/48 allow

    domain-insecure: "klaas."
    domain-insecure: "10.in-addr.arpa."
    domain-insecure: "d.f.ip6.arpa."

    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "d.f.ip6.arpa." nodefault

    # Because of hairpin NAT
    local-zone: "niklaas.eu." typetransparent
    local-data: "pkg.niklaas.eu.    IN A      10.3.4.1"
    local-data: "pkg.niklaas.eu.    IN AAAA   fd16:dcc0:f4cc:3::4:1"
    local-data: "mail.niklaas.eu.   IN A      10.77.2.1"
    local-data: "mail.niklaas.eu.   IN AAAA   fd16:dcc0:f4cc:77::2:1"

    local-zone: "financecomm.com." typetransparent
    local-data: "pkg.financecomm.com.   IN AAAA   2a01:4f8:121:52ad::2:5"


python:

remote-control:

stub-zone:
    name: "klaas."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

stub-zone:
    name: "c.c.4.f.0.c.c.d.6.1.d.f.ip6.arpa."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

forward-zone:
    name: "."
    forward-addr: 198.101.242.72              # Alternate DNS
    forward-addr: 208.67.222.222              # OpenDNS
    forward-addr: 208.67.220.220              # OpenDNS
    forward-addr: 2620:0:ccc::2               # OpenDNS
    forward-addr: 2620:0:ccd::2               # OpenDNS
    forward-addr: 84.200.69.80                # DNS.Watch
    forward-addr: 84.200.70.40                # DNS.Watch
    forward-addr: 2001:1608:10:25::1c04:b12f  # DNS.Watch
    forward-addr: 2001:1608:10:25::9249:d69b  # DNS.Watch
        # search "public dns servers" on duckduckgo.com for more

# vim:set ft=conf:
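As an added example (not part of Niklaas's mail, unbound, or tcpdump), a small Python check over tcpdump lines like those in the dump above: it pairs each DNS query with its reply by transaction ID, flags replies whose source address is not the server the client asked, and marks the ones the client's kernel then rejected with ICMP port unreachable (a connected UDP socket only accepts datagrams from the address it sent to, which is also why a forged answer from elsewhere is dropped). The input lines are copied from the attached dump; the regexes assume tcpdump's `-n` address/port format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Input: the five lines quoted from the tcpdump attachment above.
SAMPLE_DUMP = """\
00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
"""

# "<ts> AF IPv4 (2), length N: src.sport > dst.dport: <txid><flags> ..."
UDP_RE = re.compile(r"^\S+ AF IPv[46] \(\d+\), length \d+: (\S+) > (\S+): (\d+)[+*$-]* ")
# ICMP the client emits when a datagram arrives for a port/peer it will not accept
ICMP_RE = re.compile(r": (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

def split_hostport(hp: str) -> Tuple[str, int]:
    """'10.3.4.1.47995' or 'fd16::4:1.60810' -> (address, port).
    The port always follows the last dot, so IPv6 literals work too."""
    host, _, port = hp.rpartition(".")
    return host, int(port)

@dataclass
class Mismatch:
    client: str
    port: int
    txid: int
    asked: str            # resolver address the query was sent to
    answered_from: str    # address the reply actually came from
    rejected: bool = False  # client sent ICMP port unreachable for it

def analyze(dump: str) -> List[Mismatch]:
    pending: Dict[Tuple[str, int, int], str] = {}   # (client, port, txid) -> asked
    found: Dict[Tuple[str, int], Mismatch] = {}
    for line in dump.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, sport = split_hostport(m.group(1))
            dst, dport = split_hostport(m.group(2))
            txid = int(m.group(3))
            if dport == 53:                      # query: remember whom we asked
                pending[(src, sport, txid)] = dst
            elif sport == 53:                    # reply: compare its source
                asked = pending.pop((dst, dport, txid), None)
                if asked is not None and asked != src:
                    found[(dst, dport)] = Mismatch(dst, dport, txid, asked, src)
            continue
        m = ICMP_RE.search(line)
        if m and (m.group(1), int(m.group(3))) in found:
            found[(m.group(1), int(m.group(3)))].rejected = True
    return list(found.values())
```

Run against the dump, the IPv4 exchange is reported (asked 10.77.3.1, answered from 10.3.3.1, rejected) while the IPv6 exchange, whose reply comes from the address asked, is not.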