[Dnsmasq-discuss] dns query from localnetwork are blocked

T o n g mlist4suntong at yahoo.com
Fri Jan 2 23:51:10 GMT 2015


On Fri, 02 Jan 2015 08:21:38 +0100, samuel.lethiec-YHh4hrT2YEVlDBTeMj46bQ
wrote:

>> $ iptables-save | wc
>>       0       0       0
> 
> Could you run the same command with sudo?

Both the commands were actually executed as root. I can confirm that the 
firewall ruleset is indeed empty.

> This looks fine and if your firewall ruleset is indeed empty, you'd need
> to sniff network(e.g. with tcpdump) on the server to see whether dns
> requests really reach it or not.

To my surprise, the dns requests actually reached my dns server:

~~~
tcpdumpdns=/tmp/tcpdumps

% tcpdump -vvv -s 0 -l -n port 53 | tee $tcpdumpdns
18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none], 
proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? 
yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none], 
proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? 
yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none], 
proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? 
yahoo.ca. ar: . OPT UDPsize=4096 (37)
~~~

Meanwhile, this is what I got from the client side:

~~~
$ dig @192.168.2.100 yahoo.ca

; <<>> DiG 9.9.5-4.3-Ubuntu <<>> @192.168.2.100 yahoo.ca
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
~~~

Does the tcpdump only catch the incoming requests but not outgoing
responses?

This is Ubuntu 14.10. Both client and server. 

Just to make it a full story, the firewall ruleset on the client side is 
not empty. But I doubt that it has anything to do with it, because as 
soon as I reboot the DNS server back into Ubuntu 13.10, everything will 
be fine: 

~~~
# Generated by iptables-save v1.4.21 on Fri Jan  2 18:28:31 2015
*nat
:PREROUTING ACCEPT [2:105]
:INPUT ACCEPT [2:105]
:OUTPUT ACCEPT [111:7116]
:POSTROUTING ACCEPT [111:7116]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Fri Jan  2 18:28:31 2015
# Generated by iptables-save v1.4.21 on Fri Jan  2 18:28:31 2015
*filter
:INPUT ACCEPT [249:15396]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [360:22958]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Fri Jan  2 18:28:31 2015
~~~
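As an added example (not part of this thread or of dnsmasq), here is a small Python script that applies the check discussed above to `tcpdump -n port 53` output: since the filter `port 53` matches either source or destination port, both queries and replies are captured, so pairing each arriving query with a reply on (client address, client port, transaction id) makes "the query arrived, nothing was sent back" visible. The sample capture is constructed from the three retransmitted `yahoo.ca` queries in the post plus a made-up second client that does get an answer.

```python
import re

# Flow line as printed by "tcpdump -n port 53" (the indented line under each IP header), e.g.
#   192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ...
# Groups: src ip, src port, dst ip, dst port, DNS transaction id (flags such as + or * follow it).
FLOW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:\[[^\]]*\] )?(\d+)[+*$-]*"
)

# Constructed sample: the three retransmitted queries from the post (never answered) plus a
# made-up client 192.168.2.105 whose query does get a reply, so both outcomes are exercised.
SAMPLE_CAPTURE = """\
18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:12.000412 IP (tos 0x0, ttl 64, id 60001, offset 0, flags [none], proto UDP (17), length 57)
    192.168.2.105.40211 > 192.168.2.100.53: [udp sum ok] 4242+ A? example.com. (29)
18:32:12.001180 IP (tos 0x0, ttl 64, id 60002, offset 0, flags [none], proto UDP (17), length 73)
    192.168.2.100.53 > 192.168.2.105.40211: [udp sum ok] 4242 q: A? example.com. 1/0/0 example.com. A 203.0.113.10 (45)
"""


def pair_dns_flows(capture_text, server_port="53"):
    """Pair queries (client -> server_port) with replies (server_port -> client) on
    (client ip, client port, txid). Returns ({unanswered key: times seen}, [answered keys])."""
    pending, answered = {}, []
    for line in capture_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:            # IP header lines and non-DNS noise carry no flow, skip them
            continue
        src_ip, src_port, dst_ip, dst_port, txid = m.groups()
        if dst_port == server_port:
            key = (src_ip, src_port, txid)
            pending[key] = pending.get(key, 0) + 1   # same key again == client retry
        elif src_port == server_port:
            key = (dst_ip, dst_port, txid)
            if pending.pop(key, None) is not None:
                answered.append(key)
    return pending, answered


def diagnose(capture_text):
    """Summarise: queries that arrive but are never answered point at the resolver, not the path."""
    pending, answered = pair_dns_flows(capture_text)
    lines = [f"answered: {len(answered)}, unanswered: {len(pending)}"]
    for (ip, port, txid), n in pending.items():
        lines.append(f"{ip}:{port} id {txid} arrived {n}x, no reply sent: check the resolver, not the firewall")
    return lines
```

Feed it a real capture with `diagnose(open("/tmp/tcpdumps").read())`; a `-vvv` capture is fine because the header lines simply do not match the flow pattern.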
