DNS dig +tcp OK, udp NO

2

My topology: NAT -> NetGear router (192.168.1.1, plus wired machines) -> TP-Link (192.168.0.1; it is 192.168.1.2 in the NetGear LAN) with some machines wireless and some wired.

My problem is that I can't get a response from DNS from an Ubuntu 12.10 machine in the TP-Link LAN:

dig @8.8.8.8 wp.pl

; <<>> DiG 9.9.2-P2 <<>> @8.8.8.8 wp.pl
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

However, it works with the +tcp option:

dig @8.8.8.8 wp.pl +tcp

; <<>> DiG 9.9.2-P2 <<>> @8.8.8.8 wp.pl +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64773
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wp.pl.             IN  A

;; ANSWER SECTION:
wp.pl.          1951    IN  A   212.77.100.101

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May  5 20:27:42 2013
;; MSG SIZE  rcvd: 50

My configuration is:

nm-tool | tail -n 8
    Address:         192.168.0.100
    Prefix:          24 (255.255.255.0)
    Gateway:         192.168.0.1

    DNS:             8.8.8.8
    DNS:             62.179.1.60

Question: is this related to UDP traffic not being allowed through one of the routers? I disabled the firewalls, made the TP-Link the DMZ host in the NetGear and my machine the DMZ host in the TP-Link, so all security is down; still, +tcp works, but there is no way without it. So how am I able to browse the web? Is TCP a backdoor that the browser uses? But I have sendmail and need to resolve domains.

Now I set the TP-Link primary DNS to 192.168.0.1 and the secondary to 192.168.1.1, and dig google.com goes well, while +tcp gives:

nm-tool | tail -n 8
    Address:         192.168.0.100
    Prefix:          24 (255.255.255.0)
    Gateway:         192.168.0.1

    DNS:             192.168.0.1
    DNS:             192.168.1.1


dig google.com +tcp
;; Connection to 192.168.0.1#53(192.168.0.1) for google.com failed: connection refused.
;; Connection to 192.168.1.1#53(192.168.1.1) for google.com failed: connection refused.

; <<>> DiG 9.9.2-P2 <<>> google.com +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30305
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN  A

;; Query time: 2 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun May  5 21:21:28 2013
;; MSG SIZE  rcvd: 28

dig @192.168.1.1 wp.pl

; <<>> DiG 9.9.2-P2 <<>> @192.168.1.1 wp.pl
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @192.168.0.1 wp.pl

; <<>> DiG 9.9.2-P2 <<>> @192.168.0.1 wp.pl
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig alone:

dig wp.pl

; <<>> DiG 9.9.2-P2 <<>> wp.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wp.pl.             IN  A

;; ANSWER SECTION:
wp.pl.          2308    IN  A   212.77.100.101

;; Query time: 3 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun May  5 21:48:12 2013
;; MSG SIZE  rcvd: 50

UPDATE: here I did dig cf16.eu, and in the terminal the response was noted as coming from 127.0.1.1:

sudo tcpdump udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:03:11.451045 IP ubuntuamd.local.33228 > 192.168.1.1.domain: 37219+ [1au] A? cf16.eu. (36)
01:03:11.452092 IP ubuntuamd.local.43741 > 192.168.1.1.domain: 33781+ PTR? 1.1.168.192.in-addr.arpa. (42)
01:03:11.490142 IP 192.168.1.1.domain > ubuntuamd.local.33228: 37219 1/0/1 A 89.75.41.50 (52)
01:03:11.491794 IP 192.168.1.1.domain > ubuntuamd.local.43741: 33781 NXDomain 0/0/0 (42)
01:03:11.592530 IP6 fe80::d63d:7eff:fe4b:47dc.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)
01:03:11.592582 IP ubuntuamd.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.1.168.192.in-addr.arpa. (42)

Here I did dig @192.168.1.1 cf16.eu, and in the terminal there was no response:

01:03:19.834587 IP ubuntuamd.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
01:03:20.287162 IP ubuntuamd.local.50346 > 192.168.1.1.domain: 44668+ [1au] A? cf16.eu. (36)
01:03:21.734093 IP ubuntuamd.local.56600 > 192.168.1.1.domain: 1574+ PTR? 255.1.168.192.in-addr.arpa. (44)
01:03:21.768017 IP 192.168.1.1.domain > ubuntuamd.local.56600: 1574 NXDomain 0/0/0 (44)
01:03:21.868586 IP6 fe80::d63d:7eff:fe4b:47dc.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:21.868662 IP ubuntuamd.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:22.870220 IP6 fe80::d63d:7eff:fe4b:47dc.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:22.870299 IP ubuntuamd.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:24.871850 IP6 fe80::d63d:7eff:fe4b:47dc.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:24.871930 IP ubuntuamd.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.1.168.192.in-addr.arpa. (44)
01:03:25.292325 IP ubuntuamd.local.50346 > 192.168.1.1.domain: 44668+ [1au] A? cf16.eu. (36)
01:03:30.292679 IP ubuntuamd.local.50346 > 192.168.1.1.domain: 44668+ [1au] A? cf16.eu. (36)


tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      18134/sendmail: MTA
tcp        0      0 192.168.1.3:25          0.0.0.0:*               LISTEN      18134/sendmail: MTA
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1337/mysqld     
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      18134/sendmail: MTA
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1456/dnsmasq    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1131/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      992/cupsd       
tcp        0      0 192.168.1.3:53096       173.194.70.102:80       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:56894       208.117.224.54:443      ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:39479       212.58.244.130:80       ESTABLISHED 2534/chrome     
tcp        0      0 127.0.0.1:3306          127.0.0.1:34975         ESTABLISHED 1337/mysqld     
tcp        0      0 127.0.0.1:3306          127.0.0.1:35189         ESTABLISHED 1337/mysqld     
tcp        0      0 192.168.1.3:45269       208.117.224.114:443     ESTABLISHED 2534/chrome     
tcp        1      0 192.168.1.3:41464       91.189.94.25:80         CLOSE_WAIT  2520/ubuntu-geoip-p
tcp        0      0 192.168.1.3:42429       46.28.246.119:443       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:55689       92.122.210.38:80        TIME_WAIT   -               
tcp        0      0 127.0.0.1:3306          127.0.0.1:35191         ESTABLISHED 1337/mysqld     
tcp        0      0 127.0.0.1:3306          127.0.0.1:34978         ESTABLISHED 1337/mysqld     
tcp        0      0 192.168.1.3:57867       173.194.70.154:443      ESTABLISHED 2534/chrome     
tcp        0      0 127.0.0.1:3306          127.0.0.1:34977         ESTABLISHED 1337/mysqld     
tcp        0      0 192.168.1.3:33444       198.252.206.25:80       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:55585       173.194.70.19:443       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:37296       217.119.79.24:443       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:60732       198.252.206.25:80       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:38625       192.168.0.101:445       ESTABLISHED -               
tcp        0      0 127.0.0.1:3306          127.0.0.1:35188         ESTABLISHED 1337/mysqld     
tcp        0      0 127.0.0.1:3306          127.0.0.1:34976         ESTABLISHED 1337/mysqld     
tcp        0      0 127.0.0.1:3306          127.0.0.1:35190         ESTABLISHED 1337/mysqld     
tcp        0      0 192.168.1.3:55687       92.122.210.38:80        ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:60704       198.252.206.25:80       ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:36650       74.125.136.125:5222     ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:60176       23.61.248.91:80         ESTABLISHED 2534/chrome     
tcp        0      0 192.168.1.3:58835       91.189.89.114:443       ESTABLISHED 2755/python     
tcp        0      0 192.168.1.3:55688       92.122.210.38:80        TIME_WAIT   -     

tcpdump:

sudo tcpdump -nv src 192.168.1.1 and udp port 67 and udp port 68
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:22:50.106632 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
    192.168.1.1.67 > 192.168.1.3.68: BOOTP/DHCP, Reply, length 548, xid 0x3f6fa026, Flags [none]
      Your-IP 192.168.1.3
      Client-Ethernet-Address d4:3d:7e:4b:47:dc
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 192.168.1.1
        Lease-Time Option 51, length 4: 86400
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Default-Gateway Option 3, length 4: 192.168.1.1
        Domain-Name-Server Option 6, length 4: 192.168.1.1
        Domain-Name Option 15, length 9: "chello.pl"

4pie0

Posted 2013-05-05T18:49:18.070

Reputation: 353

Does one of the following work? dig @192.168.1.1 wp.pl or dig @192.168.0.1 wp.pl – AnFi – 2013-05-05T19:39:30.163

@Andrzej please see the update – 4pie0 – 2013-05-05T19:41:21.833

I don't understand who responds to dig; I can see that +tcp is refused on my routers – 4pie0 – 2013-05-05T19:50:15.080

Should I put the DNS server address, i.e. 8.8.8.8, in the DHCP settings in the TP-Link, or should I put there the address of the router, 192.168.1.1, or maybe the address of the TP-Link, 192.168.0.1? – 4pie0 – 2013-05-05T19:57:36.400
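The question above compares the same lookup over the two transports dig uses (UDP by default, TCP with +tcp). The following script is an added example, not code from the original post: it builds a DNS A query with an EDNS0 OPT record, can send it over UDP and over TCP (TCP adds a 2-byte length prefix to the otherwise identical message), and parses the reply. The resolver address in the commented-out call and the sample reply bytes are constructed for illustration; only the offline parsing path runs without a network.

```python
# Added example (not from the original post): the same DNS A query sent over
# UDP and TCP, as dig does by default vs. with +tcp, plus a response parser.
# Server addresses and the sample response below are constructed, not captured.
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=None, edns_udp_size=512):
    """DNS A query for `name` with RD set and an EDNS0 OPT record.

    OPT advertises the UDP payload size we accept; dig prints the peer's
    value as 'udp: 512' in the OPT PSEUDOSECTION.
    """
    if qid is None:
        qid = random.randrange(0, 0x10000)        # random ID: basic spoofing defence
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # QD=1, AR=1 (OPT)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop in response")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Header fields plus A records from the answer section; other RR types are skipped."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection early")
        buf += chunk
    return buf


def query_udp(server, name, timeout=5.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    r = parse_response(data)
    if r["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("response ID mismatch (stray or spoofed reply)")
    return r


def query_tcp(server, name, timeout=5.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)     # TCP framing: 2-byte length
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, n)
    return parse_response(data)


def compare_transports(server, name):
    """{'udp': parsed-or-'error: ...', 'tcp': ...}.  A UDP timeout beside a TCP
    answer is the post's symptom; TCP 'Connection refused' means nothing
    listens on 53/tcp at that address (or a middlebox resets it)."""
    out = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            out[label] = fn(server, name)
        except (OSError, ValueError) as e:           # socket.timeout is an OSError
            out[label] = "error: %s" % e
    return out


def build_sample_response(qid=64773):
    """Constructed (not captured) reply mirroring the post's dig +tcp output:
    wp.pl. 1951 IN A 212.77.100.101, flags QR RD RA, rcode NOERROR."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = b"\x02wp\x02pl\x00" + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1951, 4)
              + socket.inet_aton("212.77.100.101"))
    return header + question + answer


if __name__ == "__main__":
    print(parse_response(build_sample_response()))    # offline
    # print(compare_transports("8.8.8.8", "wp.pl"))   # needs network access
```

Running compare_transports against the resolver you suspect gives the two results side by side, which is the same evidence as the dig runs in the post but with the transport difference made explicit in code. Checking the response ID against the query ID is the minimum sanity check on UDP, where any host that can reach your source port may answer.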

Answers

1

When you do dig @8.8.8.8 wp.pl, a request is sent to Google's nameserver. Google's nameserver is not authoritative for the domain wp.pl. (whatever you may have set in your search domains; the last bit could be a source of trouble, so do dig @8.8.8.8 wp.pl. in the future to stop additional searches), and if it doesn't have a cached record to give you, it will tell you what nameserver is authoritative for that domain; a second request will then be sent to the server Google gives you...

However... For nameservers, you might want to use the nameservers DHCP assigns you; I doubt both 192.168.1.1 and 0.1 were given to you. The lone DNS server I get from DHCP corresponds to my DSL modem/router's gateway, which means having only one resolver in my local configuration is perfect: if I can't reach my gateway, or if my gateway can't talk to whatever DNS servers it gets from its provisioning DHCP server (which I have no visibility into), then it's unlikely any manual additions I make will provide any additional utility, but likely that they will decrease the performance of DNS queries, and thus the perceived responsiveness of my Internet activities.

When I use the following tcpdump statement to look at DHCP data:

mini-nevie:~ root# tcpdump -i en1 -nv udp port 67 and udp port 68

the last packet I get from the DHCP server, an ACK(nowledgement) packet, contains the configuration parameters for my host:

13:45:15.065227 IP (tos 0x71,ECT(1), ttl 64, id 42740, offset 0, flags [none], proto UDP (17), length 576)
    192.168.2.1.67 > 192.168.2.12.68: BOOTP/DHCP, Reply, length 548, xid 0x3392bc07, Flags [none]
      Your-IP 192.168.2.12
      Client-Ethernet-Address 68:a8:6d:58:5b:f3
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Lease-Time Option 51, length 4: 259200
        Default-Gateway Option 3, length 4: 192.168.2.1
        Domain-Name-Server Option 6, length 8: 192.168.2.1,192.168.2.1
        Domain-Name Option 15, length 20: "no-domain-set.aliant"
        Server-ID Option 54, length 4: 192.168.2.1
        Hostname Option 12, length 10: "mini-nevie"

In the "Domain-Name-Server Option 6" field, the DHCP server provides me with 2 IP addresses; in this case, they're identical. They happen to match my gateway, 192.168.2.1. While I've looked all through my DSL modem's config pages, I cannot see what servers it's using. In my previous service, I did PPPoE right on my Mac, and IIRC, the two servers were local resolvers in my province.

My advice is to use the nameserver(s) that are provided to you via DHCP.

Nevin Williams

Posted 2013-05-05T18:49:18.070

Reputation: 3 725

192.168.0.1 and 1.1 were put in by myself because I think maybe I should point to the gateway? So you say I should definitely put on every machine on my network, even if it is nested in an additional network, not my router 1.1 but the nameservers that I can see in the router's configuration as received from the ISP? – 4pie0 – 2013-05-06T11:28:12.657

I updated my initial post with more information. – Nevin Williams – 2013-05-08T20:50:34.283

Thank you very much, please see the update; I have attached the tcpdump output – 4pie0 – 2013-05-08T23:15:26.817

01:03:21.734093 IP ubuntuamd.local.56600 > 192.168.1.1.domain: 1574+ PTR? 255.1.168.192.in-addr.arpa. (44)

That's a DNS lookup trying to resolve the address 192.168.1.255. Unless you have a zone configured for 192.168.1, I would expect it to fail, as it's private IP space.

What IP address is your router, and what are your DHCP-granted nameservers? – Nevin Williams – 2013-05-09T08:19:43.647

The router is 192.168.1.1. Well, I had bind installed but uninstalled it. Might it be some remainder of it? – 4pie0 – 2013-05-09T15:15:19.947

Well, a netstat -an looking for 53 or domain would tell you if a daemon was still running... – Nevin Williams – 2013-05-09T16:52:51.160

There is no named or bind there: see the update – 4pie0 – 2013-05-09T17:31:10.493

Try to do what I did with dhcp (port 67 and 68), and use the domain servers provided in that message. – Nevin Williams – 2013-05-09T20:03:01.240

And perhaps start a new question regarding this entry tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1456/dnsmasq – Nevin Williams – 2013-05-09T20:04:13.807

tcpdump: en1: No such device exists. However, eth0 works; is this it? – 4pie0 – 2013-05-09T20:13:18.700

Alternatively, can I use Wireshark to trace what DHCP will tell me? Is this the aim of this command, to see what DNS is suggested by DHCP? – 4pie0 – 2013-05-09T20:16:23.183

The DNS provided is 192.168.1.1; please see the full update (but I can't dig 192.168.1.1 directly, only 127.0.1.1) – 4pie0 – 2013-05-09T20:27:14.503
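The answer's advice is to use the resolvers the DHCP ACK carries in option 6, which both tcpdump outputs above show. The following parser is an added example, not code from the thread: it decodes the options area of a DHCP reply (what tcpdump labels "Vendor-rfc1048 Extensions"), extracts option 6 and the neighbouring fields, and compares the DHCP-provided list with the nameserver lines of a resolv.conf. The sample ACK is constructed from the values printed in the question's tcpdump output (xid, MAC address, 192.168.1.3, chello.pl); it is not a capture, and the resolv.conf text passed in is likewise made up for the check.

```python
# Added example, not part of the original thread: decode the options area of a
# DHCP reply and pull out option 6 (Domain-Name-Server), so the resolvers DHCP
# really handed out can be compared with what the host is using.  The sample
# ACK is constructed from the post's tcpdump values; it is not a capture.
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236              # op .. file fields that precede the options
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload):
    """Return {code: bytes} for the options in a BOOTP/DHCP UDP payload.

    Repeated codes are concatenated (RFC 3396), PAD is skipped, END stops the
    scan, and a truncated option raises instead of yielding partial data.
    """
    cookie = payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4]
    if len(payload) < BOOTP_FIXED_LEN + 4 or cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, off = {}, BOOTP_FIXED_LEN + 4
    while off < len(payload):
        code = payload[off]
        if code == 255:                            # END
            break
        if code == 0:                              # PAD
            off += 1
            continue
        length = payload[off + 1]
        data = payload[off + 2:off + 2 + length]
        if len(data) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = opts.get(code, b"") + data
        off += 2 + length
    return opts


def _ip_list(raw):
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def _dedup(seq):
    seen, out = set(), []
    for x in seq:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def summarize_dhcp_reply(payload):
    """The fields a resolver check cares about, named as tcpdump prints them."""
    opts = parse_dhcp_options(payload)
    return {
        "message_type": DHCP_MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "your_ip": socket.inet_ntoa(payload[16:20]),            # yiaddr
        "server_id": _ip_list(opts[54])[0] if 54 in opts else None,
        "lease_time": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "subnet_mask": _ip_list(opts.get(1, b"")),
        "routers": _ip_list(opts.get(3, b"")),
        # option 6 may list one server twice, as in the answer's capture
        "dns_servers": _dedup(_ip_list(opts.get(6, b""))),
        "domain_name": opts.get(15, b"").decode("ascii", "replace") or None,
    }


def resolvers_from_resolv_conf(text):
    """nameserver entries from resolv.conf text (passed in so this stays offline)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def dhcp_vs_configured(payload, resolv_conf_text):
    """Configured resolvers that did not come from DHCP.  127.x entries are the
    local forwarder (dnsmasq on 127.0.1.1 in the post), not manual additions."""
    dhcp = summarize_dhcp_reply(payload)["dns_servers"]
    configured = resolvers_from_resolv_conf(resolv_conf_text)
    extra = [r for r in configured if r not in dhcp and not r.startswith("127.")]
    return {"dhcp": dhcp, "configured": configured, "extra_manual": extra}


def build_sample_ack(dns_servers=("192.168.1.1",)):
    """Constructed DHCP ACK carrying the post's values; not a real capture."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3F6FA026, 0, 0,
                        b"\0" * 4, socket.inet_aton("192.168.1.3"), b"\0" * 4, b"\0" * 4)
    fixed += bytes.fromhex("d43d7e4b47dc") + b"\0" * 10       # chaddr, 16 bytes
    fixed += b"\0" * 64 + b"\0" * 128                          # sname, file

    def opt(code, data):
        return bytes([code, len(data)]) + data

    options = (opt(53, b"\x05") + opt(54, socket.inet_aton("192.168.1.1"))
               + opt(51, struct.pack("!I", 86400)) + opt(1, socket.inet_aton("255.255.255.0"))
               + opt(3, socket.inet_aton("192.168.1.1"))
               + opt(6, b"".join(socket.inet_aton(s) for s in dns_servers))
               + opt(15, b"chello.pl") + b"\xff")
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(summarize_dhcp_reply(build_sample_ack()))
```

On a live host the payload would come from the UDP data of the 192.168.1.1.67 > 192.168.1.3.68 packet tcpdump showed (for example from a pcap written with tcpdump -w); the parser only needs the bytes after the UDP header, and refuses anything without the DHCP magic cookie rather than guessing.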