<div dir="ltr">Hi Brian<div><br></div><div><br></div><div>My replies below inline: </div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 24, 2015 at 1:46 AM, Brian Candler <span dir="ltr"><<a href="mailto:brian@nsrc.org" target="_blank">brian@nsrc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 23/12/2015 19:44, Anurag Bhatia
wrote:<br>
</div>
<blockquote type="cite">
          <div>I don't have routing issues with those IPs. ICMP is working
            perfectly fine and hence server is reachable. </div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace" size="1">anurag@server7:~$
ping -c 5 103.9.185.229</font></div>
<div><font face="monospace, monospace" size="1">PING
103.9.185.229 (103.9.185.229) 56(84) bytes of data.</font></div>
<div><font face="monospace, monospace" size="1">64 bytes from <a href="http://103.9.185.229" target="_blank">103.9.185.229</a>:
icmp_seq=1 ttl=55 time=209 ms</font></div>
<div><font face="monospace, monospace" size="1">64 bytes from <a href="http://103.9.185.229" target="_blank">103.9.185.229</a>:
icmp_seq=2 ttl=55 time=209 ms</font></div>
<div><font face="monospace, monospace" size="1">64 bytes from <a href="http://103.9.185.229" target="_blank">103.9.185.229</a>:
icmp_seq=3 ttl=55 time=209 ms</font></div>
<div><font face="monospace, monospace" size="1">64 bytes from <a href="http://103.9.185.229" target="_blank">103.9.185.229</a>:
icmp_seq=4 ttl=55 time=209 ms</font></div>
<div><font face="monospace, monospace" size="1">64 bytes from <a href="http://103.9.185.229" target="_blank">103.9.185.229</a>:
icmp_seq=5 ttl=55 time=209 ms</font></div>
<div><font face="monospace, monospace" size="1"><br>
</font></div>
<div><font face="monospace, monospace" size="1">---
103.9.185.229 ping statistics ---</font></div>
<div><font face="monospace, monospace" size="1">5 packets
transmitted, 5 received, 0% packet loss, time 4007ms</font></div>
<div><font face="monospace, monospace" size="1">rtt
min/avg/max/mdev = 209.578/209.646/209.734/0.056 ms</font></div>
<div><font face="monospace, monospace" size="1"><br>
</font></div>
</div>
</blockquote></span>
But you're saying you can't get DNS responses when querying from
server7, right?<br></div></blockquote><div>Yes. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
# on server7<br>
dig @<a href="http://183.9.185.229" target="_blank">183.9.185.229</a> <a href="http://btraccl.net" target="_blank">btraccl.net</a> mx<br>
# no reply?<br>
<br></div></blockquote><div>Typo in IP here. Querying on actual IP which is 103....</div><div><br></div><div><br></div><div><div><font size="1" face="monospace, monospace">anurag@server7:~$ dig @<a href="http://103.9.185.229">103.9.185.229</a> <a href="http://btraccl.net">btraccl.net</a> mx</font></div><div><font size="1" face="monospace, monospace"><br></font></div><div><font size="1" face="monospace, monospace">; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> @<a href="http://103.9.185.229">103.9.185.229</a> <a href="http://btraccl.net">btraccl.net</a> mx</font></div><div><font size="1" face="monospace, monospace">; (1 server found)</font></div><div><font size="1" face="monospace, monospace">;; global options: +cmd</font></div><div><font size="1" face="monospace, monospace">;; connection timed out; no servers could be reached</font></div><div><font size="1" face="monospace, monospace">anurag@server7:~$</font></div></div><div><br></div><div><b>So yes, no replies. </b></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
OK, then unless someone is spoofing ICMP echo, then either:<br>
* there is some filtering going on somewhere<br>
* your nameserver isn't answering queries from certain addresses
(unlikely but possible).<br>
<br>
I suggest running tcpdump on your nameserver as suggested before:<br>
<br>
    tcpdump -i eth0 -nn -s0 -v host <server7 IP></div></blockquote><div><br></div><div><br></div><div>Your reply is a bit confusing from the part below, since I own and manage the test server (server7), not Jasim's server. :)</div><div><br></div><div>Keep in mind I am not running the <a href="http://btraccl.net">btraccl.net</a> DNS servers. It's Jasim who is having trouble. But yes, I get the hints you are sharing for troubleshooting. :) </div><div><br></div><div><br>For me as an outsider, DNS query packets are failing. I just do not see any replies. ICMP and trace work and do end up at the right destination. </div><div><br></div><div><br></div><div><div><font size="1" face="monospace, monospace">anurag@server7:~$ mtr -wrc 5 103.9.185.229</font></div><div><font size="1" face="monospace, monospace">Start: Thu Dec 24 01:54:58 2015</font></div><div><font size="1" face="monospace, monospace">HOST: <a href="http://server7.anuragbhatia.com">server7.anuragbhatia.com</a> Loss% Snt Last Avg Best Wrst StDev</font></div><div><font size="1" face="monospace, monospace"> 1.|-- <a href="http://gw.giga-dns.com">gw.giga-dns.com</a> 0.0% 5 1.5 5.2 0.4 22.5 9.7</font></div><div><font size="1" face="monospace, monospace"> 2.|-- <a href="http://host-93-104-204-33.customer.m-online.net">host-93-104-204-33.customer.m-online.net</a> 0.0% 5 30.1 8.7 0.6 30.1 12.4</font></div><div><font size="1" face="monospace, monospace"> 3.|-- <a href="http://ae2.rt-decix-2.m-online.net">ae2.rt-decix-2.m-online.net</a> 0.0% 5 7.5 11.2 7.5 21.4 5.8</font></div><div><font size="1" face="monospace, monospace"> 4.|-- <a href="http://dx1.in.airtel.com">dx1.in.airtel.com</a> 0.0% 5 29.0 29.4 29.0 31.0 0.7</font></div><div><font size="1" face="monospace, monospace"> 5.|-- 182.79.234.201 0.0% 5 154.5 157.0 154.3 166.1 5.1</font></div><div><font size="1" face="monospace, monospace"> 6.|-- <a href="http://aes-static-190.137.144.59.airtel.in">aes-static-190.137.144.59.airtel.in</a> 0.0% 5 205.1 204.9 204.0 206.7 0.9</font></div><div><font 
size="1" face="monospace, monospace"> 7.|-- 103.7.249.110 0.0% 5 204.1 204.2 204.1 204.3 0.0</font></div><div><font size="1" face="monospace, monospace"> 8.|-- <a href="http://po1-ar1-bn1-dh.equitel.com.bd">po1-ar1-bn1-dh.equitel.com.bd</a> 0.0% 5 204.5 205.2 204.5 207.5 0.9</font></div><div><font size="1" face="monospace, monospace"> 9.|-- 103.9.186.130 20.0% 5 212.5 211.5 210.6 212.5 0.8</font></div><div><font size="1" face="monospace, monospace"> 10.|-- 103.9.185.229 20.0% 5 210.5 209.9 209.6 210.5 0.0</font></div><div><font size="1" face="monospace, monospace">anurag@server7:~$</font></div></div><div><br></div><div><br></div><div><br></div><div>But yes, if queries work for you from a UK IP while failing from this German server, then surely it's an issue with selective filtering. I can't relate it to a routing issue. Just some bad filtering on the firewall (on the server or before the server - hop 9 probably). </div><div><br></div><div><br></div><div><br></div><div><br></div><div>Thanks. </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"> </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
and repeat the query from server7. This will demonstrate whether the
filtering is of the inbound packets. Incidentally, try also the ping
from server7 and check this tcpdump sees the inbound icmp echo
requests and outbound icmp echo replies. (It's not entirely
impossible that some firewall somewhere is spoofing the icmp)<br>
<br>
So the scenarios you might have are:<br>
- no packet arrives<br>
- the packet arrives, but no response is sent<br>
- the packet arrives and response is sent (but the response doesn't
reach the client)<br>
<br>
If udp port 53 packets aren't arriving at the server, then they are
being filtered somewhere. Certainly some ISPs do filter UDP port 53
and/or UDP port 123; this is because their customers have been known
to participate in DNS reflection and/or NTP reflection attacks. If
you can prove your ISP is doing this, then they can fix it for you.
If it only happens to certain parts of the Internet then it could be
the filtering is taking place on one of their upstreams but not the
other. (*)<br>
<br>
If you have root on server7, then try this:<br>
<br>
# in one window<br>
sudo tcpdump -i eth0 -nn -s0 -v host 103.9.185.229 or icmp<br>
# in another window<br>
dig @<a href="http://103.9.185.229" target="_blank">103.9.185.229</a> <a href="http://btraccl.net" target="_blank">btraccl.net</a> mx<br>
<br>
If you are lucky, you may see an "ICMP Admin Prohibited" message
coming back from somewhere. If you do, the source address of this
packet will tell you which router is blocking the packet.<br>
<br>
Regards,<br>
<br>
Brian.<br>
<br>
(*) Looking on <a href="http://route-views.oregon-ix.net" target="_blank">route-views.oregon-ix.net</a>, I see that AS58616 appears
to have two upstreams: AS58587 and AS132602. That agrees with this:<br>
<a href="http://bgp.he.net/AS58616#_graph4" target="_blank">http://bgp.he.net/AS58616#_graph4</a><br>
<br>
Traceroutes from affected and unaffected parts of the Internet may
give you some clues as to which AS's the packets are passing
through.<br>
<br>
<br>
<br>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font face="arial, helvetica, sans-serif"><br></font></div><div><br></div><font face="arial, helvetica, sans-serif">Anurag Bhatia<br></font><div></div><div><font face="arial, helvetica, sans-serif"><a href="http://anuragbhatia.com" target="_blank">anuragbhatia.com</a></font><div><br></div></div><div><font face="arial, helvetica, sans-serif"><a><br></a></font></div><div>PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2</div></div></div></div></div>
</div></div>
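<div>An added example, not written by either correspondent: a small Python classifier that reads saved <code>tcpdump -nn</code> text output and maps it onto the three scenarios listed in the quoted message, and also reports any router that sent an "admin prohibited" ICMP message. The addresses and capture lines are constructed from documentation ranges, and the function name <code>classify</code> is hypothetical.</div>

```python
import re

# "src.port > dst.port:" as printed by tcpdump -nn (with or without -v).
UDP = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
# Any router reporting "admin prohibited"; group 1 is the router's address.
ICMP_BLOCK = re.compile(r"(\d+(?:\.\d+){3}) > \S+: ICMP .*admin prohibited")

def classify(capture, client, server):
    """Classify a nameserver-side capture into the three scenarios."""
    queries = replies = 0
    blockers = []
    for line in capture.splitlines():
        blocked = ICMP_BLOCK.search(line)
        if blocked:
            blockers.append(blocked.group(1))
            continue
        m = UDP.search(line)
        if not m:
            continue  # ICMP echo, -v header lines, anything without ports
        src, sport, dst, dport = m.groups()
        if (src, dst, dport) == (client, server, "53"):
            queries += 1
        elif (src, sport, dst) == (server, "53", client):
            replies += 1
    if queries == 0:
        verdict = "no packet arrives"
    elif replies == 0:
        verdict = "packet arrives, no response sent"
    else:
        verdict = "response sent; check whether it reaches the client"
    return {"queries": queries, "replies": replies,
            "verdict": verdict, "icmp_blockers": blockers}

# Constructed sample data (documentation addresses, not from the thread).
CLIENT, SERVER = "192.0.2.10", "203.0.113.53"
ON_SERVER = """\
01:54:58.100000 IP 192.0.2.10 > 203.0.113.53: ICMP echo request, id 7, seq 1, length 64
01:54:58.100100 IP 203.0.113.53 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
01:55:03.200000 IP 192.0.2.10.41234 > 203.0.113.53.53: 4660+ MX? example.net. (29)
01:55:08.200000 IP 192.0.2.10.41234 > 203.0.113.53.53: 4660+ MX? example.net. (29)
"""
ON_CLIENT = """\
01:55:03.000000 IP 192.0.2.10.41234 > 203.0.113.53.53: 4660+ MX? example.net. (29)
01:55:03.210000 IP 198.51.100.1 > 192.0.2.10: ICMP host 203.0.113.53 unreachable - admin prohibited filter, length 65
"""

if __name__ == "__main__":
    print(classify(ON_SERVER, CLIENT, SERVER))
    print(classify(ON_CLIENT, CLIENT, SERVER)["icmp_blockers"])
```

<div>The verdict is meaningful only for a capture taken on the nameserver; on the client side, the useful field is <code>icmp_blockers</code>.</div>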