Date: Mon, 19 Sep 2016 11:17:12 +0200
From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-questions@freebsd.org
Subject: Re: When `drill` works but `nc` doesn't
Message-ID: <20160919091712.cxgkc4mcvekdo2gl@box-hlm-03.niklaas.eu>
In-Reply-To: <20160918202959.GA2279@vps.markoturk.info>
References: <20160917134155.GA77669@box-hlm-03.niklaas.eu>
 <20160917192342.GA2305@vps.markoturk.info>
 <20160918113409.q7frsljfr2hcbj6g@box-hlm-03.niklaas.eu>
 <20160918202959.GA2279@vps.markoturk.info>
Hi,

Marko Turk [2016-09-18 22:29 +0200] :
> can you also add something like 'dst host 10.3.4.1' because (if I'm not
> mistaken) you only capture packets originating from 10.3.4.1 and not the
> replies.

You're right, I filtered out the replies. I attached a new tcpdump
resulting from

    1 $ sudo tcpdump -nettti lo0 \
    2     host 10.3.4.1 or host 10.77.4.1 or \
    3     host fd16:dcc0:f4cc:3::4:1 or host fd16:dcc0:f4cc:77::4:1 or \
    4     host 10.3.5.3 or host 10.77.5.3 or \
    5     host fd16:dcc0:f4cc:3::5:3 or host fd16:dcc0:f4cc:77::5:3 and \
    6     not host 10.77.2.1 and not host 10.3.2.1 and not port 8080 > \
    7     /tmp/tcpdump-nc2

Lines 2-5 match anything from the hosts in question (www1 and mysql2);
line 6 removes packets created by my proxy's health checks and my
varnish-nginx set-up.

The packets you can see in "tcpdump-nc2" are (again) created by the
following command:

    $ sudo jexec www1 nc -z mysql2.box-hlm-03.klaas 3306

> > Investigating the dump I came across the following line:
> >
> > 00:00:00.000265 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 17918 unreachable, length 36
> > [cut]
>
> It seems you're getting the reply from the wrong IP (10.3.3.1). Can you
> post your unbound config, specifically 'interface:' section?

As you suspected correctly, the tcpdump reveals the following:

    1 00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
    2 00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
    3 00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
    4 00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
    5 00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)

Lines 1-2 show that www1 consults IP 10.77.3.1 (b/c /etc/resolv.conf
says so) but unbound (listening on both 10.{3,77}.3.1) replies on
10.3.3.1. (Not bad that you found that out with half of the output
missing, by the way!)

I also attached my unbound.conf. These should be the lines of the most
interest:

    interface: 0.0.0.0
    interface: ::0

    access-control: 10.0.0.0/8 allow
    access-control: fd16:dcc0:f4cc::/48 allow

I checked unbound.conf(5) and stumbled upon the following:

    interface-automatic: <yes or no>
        Detect source interface on UDP queries and copy them to
        replies. This feature is experimental, and needs support in
        your OS for particular socket options. Default value is no.

Do I need that? Do you know why it works on IPv6 but doesn't on IPv4?

Thank you very much for your help!

    Niklaas

[attachment: tcpdump-nc2]

00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000211 AF IPv4 (2), length 73: 10.3.4.1.58499 > 10.77.3.1.53: 56993+ AAAA? mysql2.box-hlm-03.klaas. (41)
00:00:00.000122 AF IPv4 (2), length 238: 10.3.3.1.53 > 10.3.4.1.58499: 56993 1/2/4 AAAA fd16:dcc0:f4cc:3::5:3 (206)
00:00:00.000055 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 58499 unreachable, length 36
00:00:01.020438 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.61340 > fd16:dcc0:f4cc:77::3:1.53: 56993+ AAAA? mysql2.box-hlm-03.klaas. (41)
00:00:00.000211 AF IPv6 (28), length 258: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.61340: 56993 1/2/4 AAAA fd16:dcc0:f4cc:3::5:3 (206)
00:00:00.000281 AF IPv4 (2), length 64: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [S], seq 1484750364, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 1611172442 ecr 0], length 0
00:00:00.000089 AF IPv4 (2), length 64: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [S.], seq 2014966415, ack 1484750365, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 2427400641 ecr 1611172442], length 0
00:00:00.000054 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [.], ack 1, win 1275, options [nop,nop,TS val 1611172442 ecr 2427400641], length 0
00:00:00.000378 AF IPv4 (2), length 162: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [P.], seq 1:107, ack 1, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172442], length 106
00:00:00.000041 AF IPv4 (2), length 56: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [F.], seq 107, ack 1, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172442], length 0
00:00:00.000049 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [.], ack 108, win 1274, options [nop,nop,TS val 1611172443 ecr 2427400642], length 0
00:00:00.000454 AF IPv4 (2), length 56: 10.3.4.1.50403 > 10.3.5.3.3306: Flags [F.], seq 1, ack 108, win 1275, options [nop,nop,TS val 1611172443 ecr 2427400642], length 0
00:00:00.000040 AF IPv4 (2), length 56: 10.3.5.3.3306 > 10.3.4.1.50403: Flags [.], ack 2, win 1275, options [nop,nop,TS val 2427400642 ecr 1611172443], length 0

[attachment: unbound.conf]

server:
    verbosity: 1
    # logfile: unbound.log

    interface: 0.0.0.0
    interface: ::0

    access-control: 10.0.0.0/8 allow
    access-control: fd16:dcc0:f4cc::/48 allow

    domain-insecure: "klaas."
    domain-insecure: "10.in-addr.arpa."
    domain-insecure: "d.f.ip6.arpa."

    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "d.f.ip6.arpa." nodefault

    # Because of hairpin NAT
    local-zone: "niklaas.eu." typetransparent
    local-data: "pkg.niklaas.eu. IN A 10.3.4.1"
    local-data: "pkg.niklaas.eu. IN AAAA fd16:dcc0:f4cc:3::4:1"
    local-data: "mail.niklaas.eu. IN A 10.77.2.1"
    local-data: "mail.niklaas.eu. IN AAAA fd16:dcc0:f4cc:77::2:1"

    local-zone: "financecomm.com." typetransparent
    local-data: "pkg.financecomm.com. IN AAAA 2a01:4f8:121:52ad::2:5"

python:

remote-control:

stub-zone:
    name: "klaas."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

stub-zone:
    name: "c.c.4.f.0.c.c.d.6.1.d.f.ip6.arpa."
    stub-addr: 10.1.3.2
    stub-addr: 10.3.3.2

forward-zone:
    name: "."
    forward-addr: 198.101.242.72             # Alternate DNS
    forward-addr: 208.67.222.222             # OpenDNS
    forward-addr: 208.67.220.220             # OpenDNS
    forward-addr: 2620:0:ccc::2              # OpenDNS
    forward-addr: 2620:0:ccd::2              # OpenDNS
    forward-addr: 84.200.69.80               # DNS.Watch
    forward-addr: 84.200.70.40               # DNS.Watch
    forward-addr: 2001:1608:10:25::1c04:b12f # DNS.Watch
    forward-addr: 2001:1608:10:25::9249:d69b # DNS.Watch
    # search "public dns servers" on duckduckgo.com for more

# vim:set ft=conf:
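The mismatch Niklaas reads off lines 1-3 by hand can be checked mechanically over the whole capture. The script below is an added example and is not part of the thread or of unbound: it pairs every DNS query in the tcpdump output with its reply by transaction ID and client port, flags replies whose source address differs from the address the client sent the query to, and marks those that the client then rejected with ICMP port unreachable. That rejection is the expected kernel behaviour: a resolver that has connect()ed its UDP socket to 10.77.3.1 will not be handed a datagram arriving from 10.3.3.1, and with no socket to deliver to, the kernel answers the stray reply with port unreachable. The input lines are copied from the tcpdump-nc2 attachment above (TCP lines omitted); the regexes, the Mismatch class and the function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Input: DNS and ICMP lines copied from the tcpdump-nc2 attachment above.
# tcpdump was run with -nettti, so the first field is a delta timestamp.
CAPTURE = """\
00:00:00.000000 AF IPv4 (2), length 73: 10.3.4.1.47995 > 10.77.3.1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000164 AF IPv4 (2), length 226: 10.3.3.1.53 > 10.3.4.1.47995: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000062 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 47995 unreachable, length 36
00:00:01.031999 AF IPv6 (28), length 93: fd16:dcc0:f4cc:77::4:1.60810 > fd16:dcc0:f4cc:77::3:1.53: 13167+ A? mysql2.box-hlm-03.klaas. (41)
00:00:00.000233 AF IPv6 (28), length 246: fd16:dcc0:f4cc:77::3:1.53 > fd16:dcc0:f4cc:77::4:1.60810: 13167 1/2/4 A 10.3.5.3 (194)
00:00:00.000211 AF IPv4 (2), length 73: 10.3.4.1.58499 > 10.77.3.1.53: 56993+ AAAA? mysql2.box-hlm-03.klaas. (41)
00:00:00.000122 AF IPv4 (2), length 238: 10.3.3.1.53 > 10.3.4.1.58499: 56993 1/2/4 AAAA fd16:dcc0:f4cc:3::5:3 (206)
00:00:00.000055 AF IPv4 (2), length 60: 10.3.4.1 > 10.3.3.1: ICMP 10.3.4.1 udp port 58499 unreachable, length 36
"""

# A DNS line: "addr.port > addr.port: txid[+] ...", IPv4 or IPv6.  The greedy
# \S+ backs off to the last '.' so the port is separated from the address;
# a trailing '+' after the transaction ID marks a query, its absence a reply.
DNS_RE = re.compile(
    r"^\S+ AF (?P<af>IPv[46]) \(\d+\), length \d+: "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<query>\+)? "
)
# An ICMP port-unreachable sent by the client for a UDP port on which it
# was not expecting that datagram.
ICMP_RE = re.compile(
    r"^\S+ AF IPv[46] \(\d+\), length \d+: (?P<src>\S+) > \S+: "
    r"ICMP \S+ udp port (?P<port>\d+) unreachable"
)


@dataclass
class Mismatch:
    af: str
    txid: str
    client: str            # client address.port that sent the query
    queried: str           # server address the query was sent to
    answered_from: str     # source address of the reply that arrived
    rejected: bool = False # client answered the reply with ICMP unreachable


def find_source_mismatches(capture: str) -> list[Mismatch]:
    """Pair queries with replies; return replies sent from the wrong address."""
    pending: dict[tuple[str, str, str], tuple[str, str]] = {}  # (txid, client, port) -> (af, queried)
    found: dict[tuple[str, str], Mismatch] = {}                # (client, port) -> mismatch
    for line in capture.splitlines():
        icmp = ICMP_RE.match(line)
        if icmp:
            key = (icmp["src"], icmp["port"])
            if key in found:
                found[key].rejected = True
            continue
        dns = DNS_RE.match(line)
        if not dns:
            continue  # TCP or other traffic; irrelevant for this check
        if dns["query"]:
            pending[(dns["txid"], dns["src"], dns["sport"])] = (dns["af"], dns["dst"])
            continue
        key = (dns["txid"], dns["dst"], dns["dport"])
        if key not in pending:
            continue  # reply with no matching query in the capture
        af, queried = pending.pop(key)
        if queried != dns["src"]:
            found[(dns["dst"], dns["dport"])] = Mismatch(
                af, dns["txid"], f'{dns["dst"]}.{dns["dport"]}', queried, dns["src"]
            )
    return list(found.values())


def report(capture: str) -> list[str]:
    """One human-readable line per mismatch, for the console or a log."""
    out = []
    for m in find_source_mismatches(capture):
        status = "rejected with ICMP port unreachable" if m.rejected else "accepted"
        out.append(f"{m.af} txid {m.txid}: {m.client} asked {m.queried}, "
                   f"reply came from {m.answered_from} -> {status}")
    return out


if __name__ == "__main__":
    for line in report(CAPTURE) or ["no source-address mismatches found"]:
        print(line)
```

Run against the attached capture it reports both IPv4 lookups (txid 13167 and 56993) as answered from 10.3.3.1 instead of 10.77.3.1 and rejected, and nothing for the IPv6 retries, which is exactly the asymmetry the thread is about. On a multi-homed resolver the two usual remedies are to list each address explicitly (interface: 10.3.3.1, interface: 10.77.3.1, and so on) instead of 0.0.0.0, so that each listening socket replies from the address it was asked on, or to set interface-automatic: yes as the quoted unbound.conf(5) entry describes.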