Re: Weird "Host not found" error
From: Travis H. (travis+ml-postfix subspacefield.org)
Date: Wed Jan 03 2007 - 00:09:32 CST

On Tue, Jan 02, 2007 at 12:38:18PM -0700, Reggie Sniff wrote:
> FYI: I've confirmed that my mail server (with local DNS) cannot contact the
> remote DNS because the command (# telnet remotedns 53) just times out

A couple of things about DNS.

#1) Your test uses TCP. Most DNS queries are done via UDP. However, if the
payload is big enough, or there are enough simultaneous queries, some
name servers will use TCP. I see this in OpenBSD when you do a
"netstat -a" and since there's no -n it has to look up a ton of names.
What may be happening is that the people running that name server's firewall
were ignorant of this detail and only opened UDP/53. It happens a lot.

#2) Per RFC, a query to IP address A on UDP/53 may be answered by a UDP
response from a different IP address B. This is valid per the RFC,
because a name server may be multihomed, and UDP doesn't always
have the notion of a connection (some implementations have
quasi-connections which may keep track of peer and received interface,
but not all). If you have a stateful firewall between your resolver
and their name server, then it may not allow the reply back in.
Fortunately this kind of a name server is rare; I've never had a
problem with it. If you have a small list of such servers, you might
do a fixup with address re-writing or a rule allowing those responses
in without checking state.

--
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
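
The two conditions described in the reply above can be told apart with a small probe. This is an added example, not part of the original post: it queries a name server over UDP and over TCP, and reports whether the UDP reply came back from the address that was queried. The function names and the 3-second timeout are assumptions of the example.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS query: 12-byte header (RD set) plus one A/IN question."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_reply(query, server, data, src):
    """Judge one UDP datagram received after sending `query` to `server`."""
    if len(data) < 12 or data[:2] != query[:2]:
        return {"status": "bad-reply", "source": src}
    flags = struct.unpack("!H", data[2:4])[0]
    return {"status": "ok", "source": src,
            "source_matches": src == server,    # False: case #2, a stateful filter drops it
            "truncated": bool(flags & 0x0200)}  # TC bit: resolver must retry over TCP

def probe_udp(server, name, port=53, timeout=3.0):
    """Unconnected socket, so a reply from another address is seen, not discarded."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, (src, _) = s.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout"}
    return classify_reply(query, server, data, src)

def probe_tcp(server, name, port=53, timeout=3.0):
    """DNS over TCP: each message carries a 2-byte length prefix."""
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    return {"status": "closed-early"}
                buf += chunk
    except socket.timeout:
        return {"status": "timeout"}  # typical when only UDP/53 was opened (case #1)
    except OSError as exc:
        return {"status": "unreachable", "error": str(exc)}
    return {"status": "ok", "id_matches": buf[2:4] == query[:2]}

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # server must be an IPv4 address
    print("udp:", probe_udp(server, name))
    print("tcp:", probe_tcp(server, name))
```

A UDP result of `ok` next to a TCP `timeout` matches case #1. `source_matches: False` matches case #2, and it is only visible from a host whose path to the name server is not behind the stateful filter.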