When `drill` works but `nc` doesn't

Marko Turk markoml at markoturk.info
Mon Sep 19 16:15:18 UTC 2016


Hi,

On Mon, Sep 19, 2016 at 11:17:12AM +0200, Niklaas Baudet von Gersdorff wrote:
> Hi,
> 
> Marko Turk [2016-09-18 22:29 +0200] :
> 
> > can you also add something like 'dst host 10.3.4.1' because (if I'm not
> > mistaken) you only capture packets originating from 10.3.4.1 and not the
> > replies.
> 
> You're right, I filtered out the replies. I attached a new
> tcpdump resulting from
> 
>      1    $ sudo tcpdump -nettti lo0 \
>      2      host 10.3.4.1 or host 10.77.4.1 or \
>      3      host fd16:dcc0:f4cc:3::4:1 or host fd16:dcc0:f4cc:77::4:1 or \
>      4      host 10.3.5.3 or host 10.77.5.3 or \
>      5      host fd16:dcc0:f4cc:3::5:3 or host fd16:dcc0:f4cc:77::5:3 and \
>      6      not host 10.77.2.1 and not host 10.3.2.1 and not port 8080 > \
>      7      /tmp/tcpdump-nc2
> 
> Lines 2-5 match anything from the hosts in question (www1 and
> mysql2); line 6 removes packets created by my proxy's health
> checks and my varnish-nginx set-up.
> 
> The packets you can see in "tcpdump-nc2" are (again) created by
> the following command:
> 
>   $ sudo jexec www1 nc -z mysql2.box-hlm-03.klaas 3306
> 
> > > Investigating the dump I came across the following line:
> > > 
> > >   00:00:00.000265 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 17918 unreachable, length 36
> > > [cut]
> > 
> > It seems you're getting the reply from the wrong IP (10.3.3.1). Can you
> > post your unbound config, specifically the 'interface:' section?
> 
> As you suspected correctly, the tcpdump reveals the following:
> 
>   1  00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
>   2  00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
>   3  00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
>   4  00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
>   5  00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
> 
> Lines 1-2 show that www1 consults IP 10.77.3.1 (b/c
> /etc/resolv.conf says so) but unbound (listening on both
> 10.{3,77}.3.1) replies on 10.3.3.1. (Not bad that you found that
> out with half of the output missing, by the way!)
> 
> I also attached my unbound.conf. These should be the lines of the
> most interest:
> 
>   interface: 0.0.0.0
>   interface: ::0
> 
>   access-control: 10.0.0.0/8 allow
>   access-control: fd16:dcc0:f4cc::/48 allow
> 
> I checked unbound.conf(5) and stumbled upon the following:
> 
>   interface-automatic: <yes or no>
>     Detect  source  interface  on UDP queries and copy them to
>     replies.  This feature is experimental, and needs support in
>     your OS for particular socket options.  Default value is no.
> 
> Do I need that? Do you know why it works on IPv6 but doesn't on
> IPv4?
> 

I'm not an unbound expert but here's my thinking.

I don't think you need interface-automatic; try this first: instead
of 'interface: 0.0.0.0', add two explicit lines, one for each IPv4
address, like this:

    interface: 10.3.3.1
    interface: 10.77.3.1

Try this and see if it helps.

-Marko
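The diagnosis in this thread comes from pairing each DNS query in the tcpdump output with its reply and noticing that the reply came from a different address than the one queried. The following script is an added example, not code from the thread: it parses lines in the `tcpdump -nettti` format shown above (a constructed sample modelled on the quoted dump, with the same addresses and transaction ID) and reports replies whose source address does not match the resolver address the client sent to, the condition that left `nc` hanging here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the quoted tcpdump output (not the real capture).
SAMPLE = """\
00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
"""

# "<src>.<sport> > <dst>.<dport>: <txid>[+] ..." -- the address may be IPv4 or IPv6,
# so the port is whatever follows the last dot before the space.
DNS_RE = re.compile(r": (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+? ")


def parse_dns(line: str) -> Optional[Tuple[str, int, str, int, int]]:
    """Return (src, sport, dst, dport, txid) for a DNS line, None for ICMP and other lines."""
    m = DNS_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, txid = m.groups()
    return src, int(sport), dst, int(dport), int(txid)


def find_source_mismatches(text: str) -> List[Dict[str, str]]:
    """Pair each query with its reply by (txid, client address, client port) and
    report replies whose source address differs from the address the client queried."""
    queried_by_client: Dict[Tuple[int, str, int], str] = {}
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        parsed = parse_dns(line)
        if parsed is None:
            continue
        src, sport, dst, dport, txid = parsed
        if dport == 53:  # query: client -> resolver; remember which resolver address was used
            queried_by_client[(txid, src, sport)] = dst
        elif sport == 53:  # reply: resolver -> client; compare against the queried address
            asked = queried_by_client.get((txid, dst, dport))
            if asked is not None and asked != src:
                findings.append({"txid": str(txid), "client": dst,
                                 "queried": asked, "replied_from": src})
    return findings


if __name__ == "__main__":
    for f in find_source_mismatches(SAMPLE):
        print(f"txid {f['txid']}: {f['client']} asked {f['queried']} but reply came from {f['replied_from']}")
```

Run it against a real dump with `find_source_mismatches(open('/tmp/tcpdump-nc2').read())`; the IPv6 exchange in the sample pairs cleanly and produces no finding, which matches why the lookup succeeded over IPv6.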