[Dnsmasq-discuss] dnsmasq to provide public DNS service

Albert ARIBAUD albert.aribaud at free.fr
Sun Jul 10 20:50:03 BST 2016


Hi Tong,

On Sat, 9 Jul 2016 16:17:45 +0000 (UTC)
T o n g <mlist4suntong at yahoo.com> wrote:

> $ dig cnn.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> cnn.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56353
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;cnn.com.                       IN      A
> 
> ;; ANSWER SECTION:
> cnn.com.                65      IN      A       157.166.226.26
> cnn.com.                65      IN      A       157.166.226.25
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jul 09 16:14:34 UTC 2016
> ;; MSG SIZE  rcvd: 68

OK, so dnsmasq is running locally on UDP.

> > 3. What does iptables-save display?   
> 
> $ sudo iptables-save
> # Generated by iptables-save v1.6.0 on Sat Jul  9 16:08:46 2016
> *filter
> :INPUT ACCEPT [990:208464]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1019:100580]
> :f2b-sshd - [0:0]
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Sat Jul  9 16:08:46 2016
> 
> I believe this is the standard setting from fail2ban because I have 
> fail2ban_0.9.3-1 installed (and nothing else related). 

OK, so no blocking at your box level except for what fail2ban may
decide to block. Now we're fairly sure your problem is with either your
ISP or your hosting provider.

Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.

Kind regards,
-- 
Albert.
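The UDP-first, TCP-on-truncation behaviour Albert refers to, as an added example that is not part of the thread: a minimal resolver that sends the question over UDP, decodes the same header fields dig prints (id, qr/tc/rd/ra flags, answer count), and repeats the query over TCP only when the TC bit is set. The server address 127.0.0.1:53 is assumed from the dig output quoted above.

```python
import socket
import struct
# Added example, not from the thread: a minimal resolver that mirrors the
# standard behaviour described above: ask over UDP first and repeat the same
# question over TCP only when the server sets the TC (truncated) bit.

def build_query(name, qid=0x1234, qtype=1):
    """Build a DNS query (default type A) with RD set and no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte header into the fields dig prints in its HEADER line."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answer": an}


def resolve(name, server="127.0.0.1", port=53, timeout=2.0):
    """Return (transport, header): UDP first, TCP only if TC was set."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, port))
        resp, _ = udp.recvfrom(512)  # no EDNS, so the classic 512-byte limit
    hdr = parse_header(resp)
    if not hdr["tc"]:
        return "udp", hdr
    # Truncated: the standard fallback is the same query over TCP, which
    # carries a two-byte length prefix in front of each message.
    with socket.create_connection((server, port), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", tcp.recv(2))[0]
        resp = b""
        while len(resp) < length:
            chunk = tcp.recv(length - len(resp))
            if not chunk:
                break
            resp += chunk
    return "tcp", parse_header(resp)


if __name__ == "__main__":
    # Assumes a dnsmasq listening on 127.0.0.1:53, as in the thread.
    print(resolve("cnn.com"))
```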