
DNS ID Mismatch

Status
Not open for further replies.

benso37

IS-IT--Management
Jan 2, 2008
22
US
I have two DNS servers running in a multi-subnet environment. Both DNS servers work fine but I'm getting DNS ID mismatch and the firewall doesn't like that at all.

Anyone know why there might be a DNS mismatch and if so how to fix it? One is a primary and the other is the secondary.
 
Is it for external queries? Are you forwarding the request? Are your servers behind a load balancer?
What is happening is that each query is assigned a number, and the response has a different query number.

Most likely causes are a remote server is misconfigured (if it only happens to a particular site). Or something (FW or LB) is monkeying with the DNS packet.
 
This only happens with internal queries. I'm not using any forwarders...I only have the default root hints doing all the name resolution (for internal and external addresses). I'm not using a load balancer.

Also, I'm looking at a log from my sniffer and I'm seeing a lot of source addresses I'm not familiar with. Such as dns3.weather.com, c.l.google.com, etc. How are these getting in here? Are my root hints somehow using these nameservers to resolve names?

 
Sure, for instance weather.com's DNS servers are dns1, dns2, dns3. So any weather.com query, not in cache, will have to ask those servers for auth answers.

What firewall do you run?
 
Thanks a lot for that information about the nameservers, that will save me some time. Now I have to figure out what's going on with the different DNS IDs.

I have a CISCO WS-SVC-FWM 1 module.
 
Since I have two DNS servers/suffixes...All clients are configured with both DNS servers/suffixes. Is it possible that the mismatched DNS ID occurs because a client tries to contact another client using suffix 1 but fails, so suffix 2 is used to reach the client, hence generating a different ID?

Does that make any sense?
 
I am not a PIX expert, but I believe the problem is due to DNS "fixup", is that enabled?
 
fixup is enabled but is it a good idea to disable it? I just want to make sure my DNS servers are set up right before I disable fixup. Do you know of any other reasons why DNS IDs might mismatch?
 
Is the DNS mismatch say "reply from unexpected source?"
or are the IDs different?

 
In my syslog I see messages such as "Denied UDP<dnsservername>/53 to 192.22.12.1 /37044 due to DNS response."

And in the sniffer capture I did, I see something similar to this:


<Source> <Destination> DNS: C ID=12345 OP=QUERY NAME=

<Source> <Destination> DNS: R ID=23451 OP=QUERY STAT=Server failure NAME=

As you can see, the query was done with DNS ID 12345 but the response came back with an ID of 23451. This then gets denied by the firewall because it thinks it is a DNS ID spoof.

Who assigns the IDs anyway, the client or the server? It doesn't mention anything about unexpected source but the IDs are definitely different.
 
It is assigned by the DNS server on your side.
So what happens is, as the DNS request flows out, the FW catches it and rewrites it. When it comes back, it checks for size and ID, then forwards it back to you, correctly rewritten. That way you see only one correct response.

I would check your CISCO rep to see if you are running the correct pix load. I know that there were problems with extended DNS and dns fixup, but I thought those were fixed.

The other ways this might be in error are external to you, like the remote being an incorrectly NATed load balancer or experiencing some type of cache poisoning. If this is happening to all requests, I doubt that is the issue.
 
Interestingly enough, when I look at the hex value for the DNS ID, it's a total reverse. For example, the DNS ID for a request is 52130, and the response comes back with a DNS ID of 41675.

52130 = cb a2
41675 = a2 cb

What in the world is going on here? LOL.

I'm waiting for OS update for my CISCO equipment but I doubt that will fix this annoyance.
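The hex values above (cb a2 versus a2 cb) are the same two bytes in opposite order, which is a different signature from a randomly forged ID. The following is an added example, not code from the thread or from any Cisco product: it decodes the 12-byte DNS header (RFC 1035, where the 16-bit transaction ID is sent in network byte order), compares a query with its response, and labels the pair as a match, a plain mismatch, or a byte-swapped ID. The two packets are constructed to carry the IDs quoted in this thread; the field names and the classify() helper are my own.

```python
import struct

# Constructed sample packets: 12-byte DNS headers only (no question section),
# built to reproduce the IDs from the thread: query 0xCBA2 (52130), response
# 0xA2CB (41675). Flags 0x0100 = standard query, RD set; 0x8182 = response,
# RD+RA set, RCODE 2 (server failure), matching the "STAT=Server failure" line.
QUERY = struct.pack("!HHHHHH", 0xCBA2, 0x0100, 1, 0, 0, 0)
RESPONSE = struct.pack("!HHHHHH", 0xA2CB, 0x8182, 1, 0, 0, 0)


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed DNS header; all fields are big-endian (network order)."""
    if len(pkt) < 12:
        raise ValueError("DNS header needs at least 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (0xCBA2 -> 0xA2CB)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def classify(query: bytes, response: bytes) -> str:
    """Compare transaction IDs the way a stateful DNS inspector would.

    A byte-swapped ID means some hop read or rewrote the ID in host rather
    than network byte order; a firewall only sees that the IDs differ and
    drops the reply either way, so the distinction matters for diagnosis.
    """
    q, r = parse_header(query), parse_header(response)
    if q["is_response"] or not r["is_response"]:
        return "not-a-query-response-pair"
    if q["id"] == r["id"]:
        return "match"
    if byteswap16(q["id"]) == r["id"]:
        return "byte-swapped"
    return "mismatch"


if __name__ == "__main__":
    q, r = parse_header(QUERY), parse_header(RESPONSE)
    print(f"query id={q['id']} (0x{q['id']:04x})  response id={r['id']} "
          f"(0x{r['id']:04x})  rcode={r['rcode']}  -> {classify(QUERY, RESPONSE)}")
```

Run against a real capture you would feed the UDP payload of each packet (after the IP and UDP headers) to parse_header(); a steady stream of "byte-swapped" results points at a byte-order bug or a rewriting middlebox in the path, whereas "mismatch" with unrelated IDs is the case where the firewall's spoofing suspicion deserves a closer look.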
 
Another question that might help me solve this headache.

If client A types in google.com, the request gets assigned a DNS ID of 52130 by my internal DNS server, the request then goes to the root hints for name resolution since I don't have any forwarders setup, right?

Wouldn't it be safe to say the root hints are the culprit here, since the root hints are the ones sending back the response with a different ID?

Which eventually gets blocked by the firewall.
 