[Dnsmasq-discuss] dns query from localnetwork are blocked
T o n g
mlist4suntong at yahoo.com
Fri Jan 2 23:51:10 GMT 2015
On Fri, 02 Jan 2015 08:21:38 +0100, samuel.lethiec-YHh4hrT2YEVlDBTeMj46bQ
wrote:
>> $ iptables-save | wc
>> 0 0 0
>
> Could you run the same command with sudo?
Both commands were actually executed as root. I can confirm that the
firewall ruleset is indeed empty.
> This looks fine and if your firewall ruleset is indeed empty, you'd need
> to sniff network(e.g. with tcpdump) on the server to see whether dns
> requests really reach it or not.
To my surprise, the DNS requests actually reached my DNS server:
~~~
tcpdumpdns=/tmp/tcpdumps
% tcpdump -vvv -s 0 -l -n port 53 | tee $tcpdumpdns
18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none],
proto UDP (17), length 65)
192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A?
yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none],
proto UDP (17), length 65)
192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A?
yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none],
proto UDP (17), length 65)
192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A?
yahoo.ca. ar: . OPT UDPsize=4096 (37)
~~~
Meanwhile, this is what I got from the client side:
~~~
$ dig @192.168.2.100 yahoo.ca
; <<>> DiG 9.9.5-4.3-Ubuntu <<>> @192.168.2.100 yahoo.ca
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
~~~
Does tcpdump only catch the incoming requests but not the outgoing
responses?
This is Ubuntu 14.10. Both client and server.
Just to make it a full story, the firewall ruleset on the client side is
not empty. But I doubt that it has anything to do with it, because as
soon as I reboot the DNS server back into Ubuntu 13.10, everything is
fine:
~~~
# Generated by iptables-save v1.4.21 on Fri Jan 2 18:28:31 2015
*nat
:PREROUTING ACCEPT [2:105]
:INPUT ACCEPT [2:105]
:OUTPUT ACCEPT [111:7116]
:POSTROUTING ACCEPT [111:7116]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 2 18:28:31 2015
# Generated by iptables-save v1.4.21 on Fri Jan 2 18:28:31 2015
*filter
:INPUT ACCEPT [249:15396]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [360:22958]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Fri Jan 2 18:28:31 2015
~~~
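A note on the capture above, added here as a worked example and not part of the original post or of dnsmasq itself: the filter `port 53` matches packets with source *or* destination port 53, so a reply from 192.168.2.100.53 back to 192.168.2.102.33608 would have appeared in the same tcpdump output, carrying the same transaction ID (13285). The three identical queries five seconds apart are the client retransmitting, with nothing coming back. The script below parses the verbose `tcpdump -vvv -n` text format shown in the post, pairs queries with responses by (client, server, transaction ID), and reports the IDs that were retried without ever being answered. The sample capture is constructed: it reuses the three queries from the post and adds one hypothetical answered query (ID 4242, example.org) so that the contrast is visible.

```python
"""Pair DNS queries with their responses in `tcpdump -vvv -n port 53` text output.

Added example, not code from the original post or from dnsmasq.  Given a
capture like the one in the thread, it lists query transaction IDs that were
(re)sent by a client but never answered by the server, which is exactly the
symptom of a server that receives queries and silently drops them.
"""
import re
from collections import defaultdict

# tcpdump -vvv -n prints two lines per packet: the IP header line (starting
# with a timestamp) and an indented UDP/DNS line of the form
#   "src.sport > dst.dport: [udp sum ok] <id><flags> ..."
# Only the DNS line is needed.  Flags after the ID are things like "+" (RD set)
# or "*" (AA set) and may be absent.
DNS_LINE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:\[udp sum ok\] |\[bad udp cksum [^\]]*\] )?(?P<id>\d+)(?P<flags>[+*$-]*)"
)


def parse_capture(text):
    """Return a list of (direction, src, dst, transaction_id) per DNS packet."""
    packets = []
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue  # IP header line or unrelated output
        # Packets sent *to* port 53 are queries; packets *from* port 53 are replies.
        direction = "query" if m["dport"] == "53" else "response"
        packets.append((direction, m["src"], m["dst"], int(m["id"])))
    return packets


def unanswered_queries(text):
    """Map (client, server, id) -> number of attempts, for queries with no reply."""
    attempts = defaultdict(int)
    answered = set()
    for direction, src, dst, qid in parse_capture(text):
        if direction == "query":
            attempts[(src, dst, qid)] += 1
        else:
            # A response flows server -> client, so swap to match the query key.
            answered.add((dst, src, qid))
    return {key: n for key, n in attempts.items() if key not in answered}


# Constructed sample: the first three packets are the ones from the post; the
# last two (ID 4242 / example.org, hypothetical) show what an answered query
# looks like in the same format.
SAMPLE_CAPTURE = """\
18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:15.000001 IP (tos 0x0, ttl 64, id 60000, offset 0, flags [none], proto UDP (17), length 68)
    192.168.2.102.40000 > 192.168.2.100.53: [udp sum ok] 4242+ [1au] A? example.org. ar: . OPT UDPsize=4096 (40)
18:32:15.000900 IP (tos 0x0, ttl 64, id 60001, offset 0, flags [DF], proto UDP (17), length 84)
    192.168.2.100.53 > 192.168.2.102.40000: [udp sum ok] 4242 q: A? example.org. 1/0/1 example.org. A 93.184.216.34 ar: . OPT UDPsize=4096 (56)
"""


def report(text):
    """Human-readable summary of unanswered queries; returns the lines printed."""
    lines = []
    for (client, server, qid), n in sorted(unanswered_queries(text).items()):
        lines.append(f"id {qid}: {client} -> {server} sent {n} time(s), no response seen")
    if not lines:
        lines.append("every query in the capture was answered")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

Running it on the capture from the post gives exactly one entry: ID 13285 sent three times to 192.168.2.100 with no reply, while the constructed query 4242 is paired with its answer and dropped from the report. To use it on a real capture, feed it the file written by `tee $tcpdumpdns` instead of `SAMPLE_CAPTURE`; a server that is answering will show every ID paired, and the problem is then on the return path or the client, not in the resolver.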