Query on port 53 doesn't work

Hi,

I have a somewhat strange problem running unbound and BIND together on one Linux box (2.6.32).

BIND is listening only on the primary IP address (IPv4 and IPv6) while unbound is configured to listen on the loopback interface (127.0.0.1 and ::1) and the secondary IPv4 and IPv6 addresses.

As usual, both name servers use port 53 for this service.
I stopped the firewall while running the test to make sure that the traffic is not blocked anywhere.
Unbound is configured with query logging to get some feedback on whether a query is handled by the software or not.
As I'm not willing to run an open resolver, queries are restricted to localhost and some subnets via the access-control directive.

For testing purposes I also added port 553 as listening port, so the related unbound config is like this (port 443 is filtered out):

# grep " interface:" unbound.conf | grep -v 443
  interface: 127.0.0.1
  interface: ::1
  interface: 88.198.13.180@553
  interface: 88.198.13.180@53
  interface: 2a01:4f8:130:1261::180@553
  interface: 2a01:4f8:130:1261::180@53

This (plus the running BIND authoritative server) results in a list of listening UDP ports (output compressed so that it fits in a line):

# netstat -p -anu | grep 53 | cut -c1-5,21-55,80-
udp 88.198.13.180:553 0.0.0.0:* 10515/unbound
udp 88.198.13.180:53 0.0.0.0:* 10515/unbound
udp 127.0.0.1:53 0.0.0.0:* 10515/unbound
udp 88.198.13.165:53 0.0.0.0:* 10551/named
udp6 2a01:4f8:130:1261:::553 :::* 10515/unbound
udp6 2a01:4f8:130:1261::1:53 :::* 10515/unbound
udp6 ::1:53 :::* 10515/unbound
udp6 2a01:4f8:130:1261::2:53 :::* 10551/named

netstat cuts off parts of the IP address, so in the third-last line the host id is not ::1 but ::180.

Now sending a query from a host whose subnet is allowed in the access-control directive:
$ dig -p 53 www.google.com @88.198.13.180

; <<>> DiG 9.10.1b1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; connection timed out; no servers could be reached

At the same time I sniffed on the DNS server side and got the incoming query, but no response. Also nothing was seen in the query log of unbound.

Now I tried the same with port 553 and this works:

$ dig -p 553 www.google.com @88.198.13.180

; <<>> DiG 9.10.1b1 <<>> -p 553 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7336
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 124 IN A 173.194.116.148
www.google.com. 124 IN A 173.194.116.147
www.google.com. 124 IN A 173.194.116.144
www.google.com. 124 IN A 173.194.116.146
www.google.com. 124 IN A 173.194.116.145

;; Query time: 79 msec
;; SERVER: 88.198.13.180#553(88.198.13.180)
;; WHEN: Wed Aug 06 19:28:44 CEST 2014
;; MSG SIZE rcvd: 123

I also got a message in the query log and saw the incoming and outgoing packets in the trace.
The same is true if I use IPv6 as transport protocol (port 53 is not working while 553 is).

Does anybody have an idea why port 53 is not working?

To add to the confusion, I tried the same dig command on the server itself.
Now IPv4 is working (ports 53 and 553), but IPv6 is still working only on port 553 and not on port 53!

# dig -p 53 www.google.com @88.198.13.180

; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29523
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 298 IN A 173.194.116.148
www.google.com. 298 IN A 173.194.116.145
www.google.com. 298 IN A 173.194.116.146
www.google.com. 298 IN A 173.194.116.144
www.google.com. 298 IN A 173.194.116.147

;; Query time: 0 msec
;; SERVER: 88.198.13.180#53(88.198.13.180)
;; WHEN: Wed Aug 6 19:34:01 2014
;; MSG SIZE rcvd: 123

# dig -p 53 www.google.com @2a01:4f8:130:1261::180
; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @2a01:4f8:130:1261::180
;; global options: +cmd
;; connection timed out; no servers could be reached

Thanks for any idea/suggestion on how to proceed.
    Holger
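One check worth doing before looking further afield is to map every listening socket to the daemon that owns it and to look for a second daemon sharing a port (same address, or a 0.0.0.0 / :: wildcard next to a specific address), because in that case the kernel decides which process receives a query. The parser below is an added example, not part of the thread; it reads `netstat -anup`-style output and is fed a constructed sample that mirrors the listeners above, written with full IPv6 addresses as `netstat --wide` or `ss -lunp` would print them.

```python
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid prog")
WILDCARDS = {"0.0.0.0", "::"}

# Constructed sample mirroring the thread's listeners, with full IPv6 addresses
# (plain netstat truncates that column; `netstat --wide` or `ss -lunp` do not).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address              Foreign Address  PID/Program name
udp        0      0 88.198.13.180:553          0.0.0.0:*        10515/unbound
udp        0      0 88.198.13.180:53           0.0.0.0:*        10515/unbound
udp        0      0 127.0.0.1:53               0.0.0.0:*        10515/unbound
udp        0      0 88.198.13.165:53           0.0.0.0:*        10551/named
udp6       0      0 2a01:4f8:130:1261::180:553 :::*             10515/unbound
udp6       0      0 2a01:4f8:130:1261::180:53  :::*             10515/unbound
udp6       0      0 ::1:53                     :::*             10515/unbound
udp6       0      0 2a01:4f8:130:1261::2:53    :::*             10551/named
"""


def parse_listeners(text):
    """One Listener per udp/udp6 line of `netstat -anup` output; headers are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("udp") or "/" not in f[-1]:
            continue                           # header line, or socket without a visible owner
        addr, port = f[3].rsplit(":", 1)       # IPv6 contains ':' itself: split from the right
        pid, prog = f[-1].split("/", 1)        # last column is PID/Program name
        out.append(Listener(f[0], addr, int(port), int(pid), prog))
    return out


def owner_of(listeners, addr, port):
    for l in listeners:                        # program bound to exactly addr:port, else None
        if l.addr == addr and l.port == port:
            return l.prog
    return None


def find_overlaps(listeners):
    """Same port and protocol, different programs, equal or wildcard addresses."""
    hits = []
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            if a.proto != b.proto or a.port != b.port or a.prog == b.prog:
                continue
            if a.addr == b.addr or a.addr in WILDCARDS or b.addr in WILDCARDS:
                hits.append((a.port, a.addr, a.prog, b.addr, b.prog))
    return hits
```

On the sample the overlap list is empty, so the port-53 failure is not a bind conflict between unbound and named; a wildcard 0.0.0.0:53 listener from either daemon would show up immediately.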

You do say that you disabled the firewall.

But to make sure, can you please provide the output of `iptables-save`
and `ip6tables-save` before you ran the tests?

Yes of course:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables-save
# Generated by iptables-save v1.4.4 on Thu Aug 7 07:45:43 2014
*filter
:INPUT ACCEPT [851699:114012677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [868310:214469760]
COMMIT
# Completed on Thu Aug 7 07:45:43 2014

# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# ip6tables-save
# Generated by ip6tables-save v1.4.4 on Thu Aug 7 07:46:40 2014
*filter
:INPUT ACCEPT [58485:33943167]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40418:16372834]
COMMIT
# Completed on Thu Aug 7 07:46:40 2014

Thanks