[Dnsmasq-discuss] dns query from localnetwork are blocked

samuel.lethiec at intelunix.fr samuel.lethiec at intelunix.fr
Sat Jan 3 10:32:35 GMT 2015


On 2015-01-03 00:51, T o n g wrote:
> On Fri, 02 Jan 2015 08:21:38 +0100, 
> samuel.lethiec-YHh4hrT2YEVlDBTeMj46bQ
> wrote:
> 
>>> $ iptables-save | wc
>>>       0       0       0
>> 
>> Could you run the same command with sudo?
> 
> Both the commands were actually executed as root. I can confirm that 
> the
> firewall ruleset is indeed empty.
> 
>> This looks fine and if your firewall ruleset is indeed empty, you'd 
>> need
>> to sniff the network (e.g. with tcpdump) on the server to see whether dns
>> requests really reach it or not.
> 
> To my surprise, the dns requests actually reached my dns server:
> 
> ~~~
> tcpdumpdns=/tmp/tcpdumps
> 
> % tcpdump -vvv -s 0 -l -n port 53 | tee $tcpdumpdns
> 18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none],
> proto UDP (17), length 65)
>     192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] 
> A?
> yahoo.ca. ar: . OPT UDPsize=4096 (37)
> 18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none],
> proto UDP (17), length 65)
>     192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] 
> A?
> yahoo.ca. ar: . OPT UDPsize=4096 (37)
> 18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none],
> proto UDP (17), length 65)
>     192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] 
> A?
> yahoo.ca. ar: . OPT UDPsize=4096 (37)
> ~~~
> 
> Meanwhile, this is what I got from the client side:
> 
> ~~~
> $ dig @192.168.2.100 yahoo.ca
> 
> ; <<>> DiG 9.9.5-4.3-Ubuntu <<>> @192.168.2.100 yahoo.ca
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> ~~~
> 
> Does the tcpdump only catch the incoming requests but not out-going
> responses?
> 

It captures both. You don't have any funky routing on the server, 
right?

Honestly, I can't be of much more help here, I have no idea.

Also, I don't think you have shown the whole dnsmasq config (without the 
comments).

And last, but not least, this thread is actually hard to follow since 
you delete parts of the conversation, and it's hard to remember every 
single detail of what was previously said.

Cheers,


> This is Ubuntu 14.10. Both client and server.
> 
> Just to make it a full story, the firewall ruleset on the client side 
> is
> not empty. But I doubt that it has anything to do with it, because as
> soon as I reboot the DNS server back into Ubuntu 13.10, everything 
> will
> be fine:
> 
> ~~~
> # Generated by iptables-save v1.4.21 on Fri Jan  2 18:28:31 2015
> *nat
> :PREROUTING ACCEPT [2:105]
> :INPUT ACCEPT [2:105]
> :OUTPUT ACCEPT [111:7116]
> :POSTROUTING ACCEPT [111:7116]
> :DOCKER - [0:0]
> -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
> -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
> -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
> COMMIT
> # Completed on Fri Jan  2 18:28:31 2015
> # Generated by iptables-save v1.4.21 on Fri Jan  2 18:28:31 2015
> *filter
> :INPUT ACCEPT [249:15396]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [360:22958]
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j 
> ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
> COMMIT
> # Completed on Fri Jan  2 18:28:31 2015
> ~~~
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
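The question in the quoted mail, whether tcpdump only catches incoming requests, is the crux of the capture above: `tcpdump -n port 53` on the server records both directions, so a trace that contains only the client's query lines (the same transaction id 13285 arriving three times at 5-second intervals is dig retrying, not three separate lookups) shows that the server received the query and never sent anything back. Below is an added example, not code from the thread or from dnsmasq, that pairs queries with responses in the two-line text format printed by `tcpdump -vvv -n`. The three yahoo.ca lines are the ones posted above; the `example.net` exchange, its response line layout (`60001 q: A? example.net. 1/0/1 ...`, the verbose tcpdump answer format as I recall it) and all function names are my own constructions.

```python
import re
from collections import OrderedDict

# Constructed sample in the two-line layout `tcpdump -vvv -s 0 -l -n port 53`
# prints.  The example.net exchange is made up and shows an answered query;
# the three yahoo.ca records are the ones from the thread: the same
# transaction id 13285 resent every 5 s with no reply from the server.
SAMPLE_CAPTURE = """\
18:31:50.100000 IP (tos 0x0, ttl 64, id 41000, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.40111 > 192.168.2.100.53: [udp sum ok] 60001+ [1au] A? example.net. ar: . OPT UDPsize=4096 (40)
18:31:50.103000 IP (tos 0x0, ttl 64, id 41001, offset 0, flags [DF], proto UDP (17), length 81)
    192.168.2.100.53 > 192.168.2.102.40111: [udp sum ok] 60001 q: A? example.net. 1/0/1 example.net. A 192.0.2.10 ar: . OPT UDPsize=4096 (56)
18:31:59.062946 IP (tos 0x0, ttl 64, id 57256, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:04.062274 IP (tos 0x0, ttl 64, id 58383, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
18:32:09.061794 IP (tos 0x0, ttl 64, id 59496, offset 0, flags [none], proto UDP (17), length 65)
    192.168.2.102.33608 > 192.168.2.100.53: [udp sum ok] 13285+ [1au] A? yahoo.ca. ar: . OPT UDPsize=4096 (37)
"""

# Matches one joined record (IP header line + indented UDP/DNS line) and
# pulls out endpoints, the DNS transaction id and the question.
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?:\[[^\]]*\] )?"                      # optional "[udp sum ok]" etc.
    r"(?P<txid>\d+)(?P<qflags>[+*|$-]*) "    # id plus tcpdump's flag glyphs
    r"(?:\[\d+au\] )?(?:q: )?"               # EDNS marker / response prefix
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)


def iter_packets(text):
    """Yield one record per packet: tcpdump -vvv prints the IP header on one
    line and the UDP/DNS payload on an indented continuation line."""
    record = []
    for line in text.splitlines():
        if line[:1].isspace():
            record.append(line.strip())
        else:
            if record:
                yield " ".join(record)
            record = [line.strip()]
    if record:
        yield " ".join(record)


def _new_entry(client, cport, txid, qname, ts):
    return {"client": f"{client}:{cport}", "txid": txid, "qname": qname,
            "first_seen": ts, "queries": 0, "responses": 0}


def analyze_capture(text, server_ip, dns_port=53):
    """Pair each client query with the server's response.

    A packet to server_ip:dns_port is a client query; a packet from
    server_ip:dns_port is a response.  Packets the server itself exchanges
    with port 53 elsewhere (forwarding to an upstream resolver) are only
    counted, so the report also shows whether the server tried upstream.
    """
    flows = OrderedDict()
    stats = {"unparsed": 0, "upstream_queries": 0, "upstream_responses": 0}
    for rec in iter_packets(text):
        m = PACKET_RE.match(rec)
        if not m:
            stats["unparsed"] += 1
            continue
        p = m.groupdict()
        sport, dport = int(p["sport"]), int(p["dport"])
        if p["dst"] == server_ip and dport == dns_port:
            key = (p["src"], p["sport"], p["txid"], p["qname"])
            e = flows.setdefault(key, _new_entry(p["src"], p["sport"], p["txid"], p["qname"], p["ts"]))
            e["queries"] += 1
        elif p["src"] == server_ip and sport == dns_port:
            key = (p["dst"], p["dport"], p["txid"], p["qname"])
            e = flows.setdefault(key, _new_entry(p["dst"], p["dport"], p["txid"], p["qname"], p["ts"]))
            e["responses"] += 1
        elif p["src"] == server_ip and dport == dns_port:
            stats["upstream_queries"] += 1
        elif p["dst"] == server_ip and sport == dns_port:
            stats["upstream_responses"] += 1
    stats["answered"] = [e for e in flows.values() if e["responses"]]
    stats["unanswered"] = [e for e in flows.values() if not e["responses"]]
    return stats


def report(stats):
    """Human-readable summary; unanswered flows first, since those are the finding."""
    lines = []
    for e in stats["unanswered"]:
        lines.append(f"NO RESPONSE  {e['client']} id={e['txid']} {e['qname']} "
                     f"(query seen {e['queries']}x, first at {e['first_seen']})")
    for e in stats["answered"]:
        lines.append(f"answered     {e['client']} id={e['txid']} {e['qname']}")
    lines.append(f"upstream: {stats['upstream_queries']} queries sent, "
                 f"{stats['upstream_responses']} responses received; "
                 f"{stats['unparsed']} records not parsed")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # usage: python3 dnscheck.py [capture.txt] [server-ip]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    server = sys.argv[2] if len(sys.argv) > 2 else "192.168.2.100"
    print(report(analyze_capture(text, server)))
```

The pairing key is client address, client source port, transaction id and question name; dig's retransmissions reuse the same source port and id, which is why the three yahoo.ca packets collapse into one flow reported as "query seen 3x" with no response, while the constructed example.net lookup is matched to its answer a few milliseconds later. The upstream counters distinguish a server that never replies at all from one that forwarded the question and is itself waiting on its resolver. With the firewall empty and the query visibly arriving, the remaining place to look is dnsmasq's own view of the same moment, i.e. the uncommented config (interface/listen-address/bind-interfaces) and its query log.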
