Date: Mon, 29 Feb 2016 13:28:11 -0500
From: Jon Radel <jon@radel.com>
To: Sergei G <sergeig.public@gmail.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: DNS with host works, but not with mysql or ping
Message-ID: <56D48DBB.5090305@radel.com>
In-Reply-To: <CAFLLzCM-fjeLKt3twK_ijiheVBX2BQjfx_8qrRNFi_1mAo-aLA@mail.gmail.com>
References: <CAFLLzCMntj4X2vLWd1VG=heE5S5sNVFsiSPNqyc8MAwPiWbMOw@mail.gmail.com> <CAFLLzCM-fjeLKt3twK_ijiheVBX2BQjfx_8qrRNFi_1mAo-aLA@mail.gmail.com>

On 2/29/16 1:10 PM, Sergei G wrote:
> It appears that host is suffering from the same problem:
>
> host yahoo.com
> yahoo.com has address 206.190.36.45
> yahoo.com has address 98.138.253.109
> yahoo.com has address 98.139.183.24
> yahoo.com has IPv6 address 2001:4998:44:204::a7
> yahoo.com has IPv6 address 2001:4998:58:c02::a9
> yahoo.com has IPv6 address 2001:4998:c:a06::2:4008
> yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
> yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
>
>
> fetch http://206.190.36.45 (yahoo)
> times out

Well, actually that's a different problem as that's not using the FQDN.

>
> On Mon, Feb 29, 2016 at 9:57 AM, Sergei G <sergeig.public@gmail.com> wrote:
>
>> If I use host command to resolve name to IP, then I get a correct IP.
>>
>> If I use ping, mysql, fetch commands, then DNS fails to resolve. I can't
>> quite figure out what the difference is.

DNS fails to resolve or the connection times out? I suspect the latter.

>> block drop in log on bce0 all
>> ...
>> pass in quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
>> pass in quick on bce0 inet proto udp from 192.168.3.0/24 to 10.0.1.10 port = domain keep state
>> ...
>> pass out quick on bce0 inet proto udp from any to any port = domain keep state
>> ...

I didn't analyze line-by-line in excruciating detail, but.... I rather
suspect that the lack of a line that allows for outbound HTTP traffic
that sets up state for the return packets means that all the HTTP return
packets get zapped by your default drop. DNS works so much better as
you have a "pass out quick" for DNS that keeps state.

Since you log all that blockage, how about looking in your logs???????

BTW, given that your DNS pass statements are set up to allow only UDP, DNS
is still broken, but only in an intermittent fashion that will
eventually drive you insane. You might want to fix that too.

--Jon Radel
jon@radel.com
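
An added example, not part of the message above or of the original poster's ruleset: a pf.conf fragment that puts the quoted DNS-only rules beside a version covering both points raised in the reply (stateful outbound rules for client traffic, and DNS over TCP as well as UDP). It assumes the quoted rules are pf (the syntax matches `pfctl -sr` output); the macro names, the client port list and the ICMP rule are assumptions chosen to match the commands mentioned in the thread (fetch, mysql, ping).

```pf
# Constructed example. bce0, 10.0.1.10 and the two client networks come from
# the quoted rules; everything else is an assumption for illustration.
ext_if  = "bce0"
dns_srv = "10.0.1.10"
clients = "{ 10.0.1.0/24, 192.168.3.0/24 }"

# Default policy as quoted: every inbound packet without a matching pass rule
# or existing state is dropped and logged.
block drop in log on $ext_if all

# --- As quoted (UDP only) ----------------------------------------------------
# pass in  quick on bce0 inet proto udp from 10.0.1.0/24 to 10.0.1.10 port = domain keep state
# pass out quick on bce0 inet proto udp from any to any port = domain keep state
# A response too large for UDP is truncated and the resolver retries over TCP.
# That retry has no pass rule, which is the intermittent failure the reply
# warns about.

# --- Corrected: DNS over UDP and TCP -----------------------------------------
pass in  quick on $ext_if inet proto { udp, tcp } from $clients to $dns_srv port domain keep state
pass out quick on $ext_if inet proto { udp, tcp } from any to any port domain keep state

# --- Missing from the quoted rules: stateful outbound client traffic ---------
# Without a state entry created on the way out, the returning SYN-ACK is just
# another inbound packet and hits the default block. "keep state" on the
# outbound rule is what lets the replies back in.
pass out quick on $ext_if inet proto tcp from any to any port { 80, 443, 3306 } keep state

# ping: echo requests out, replies matched by state
pass out quick on $ext_if inet proto icmp all icmp-type echoreq keep state

# To see what the default block is dropping (requires pflog to be enabled):
#   tcpdump -n -e -ttt -i pflog0
```

Check the fragment with `pfctl -nf` on the file before loading it; the port list should be trimmed to the services the host actually needs to reach.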
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56D48DBB.5090305>
