[ale] still trying to figure it out

David S. Jackson dsj at sylvester.dsj.net
Mon Aug 4 12:28:35 EDT 2003


On Mon, Aug 04, 2003 at 08:26:39AM -0400 Geoffrey The Esoteric <esoteric at 3times25.net> wrote:
> David S. Jackson wrote:
> 
> >using the same tcpdump arguments.  At least this says the packet
> >length, right?  If you gave the same query, would a shorter
> >packet length prove your firewall rules (or something) are
> >mangling the packet before it makes it back to your dig client?
> 
> Packet length is the same.

I guess the obvious thing at this time is to start looking at the
rules for your firewall.  Are you using a homegrown ruleset?  Are
you using a commercial firewall/linux distro, like smoothwall or
something?

I think we've ruled out the client being at fault.  Not sure if
we mentioned it, but you've tried this same experiment on
different nat'ed hosts with the same results, right?  You've used
different browser and proxy settings.  (Do you even use a proxy,
transparent or otherwise?)

You mentioned earlier that you only allow transfers to/from your
ISP's nameservers.  If that were a factor, I'd think you'd have
trouble resolving other hosts/domains too.  I mean, does the zone
get transferred when you dig from ns.speedfactory.com (or
whatever the dns servers are)?  It does, doesn't it?  (I think
you showed that earlier.)  Could there be any reason why
csplans.com doesn't transfer a zone to speedfactory.com's
nameservers?

If nothing else works, I think it might be worth trying
commenting out certain parts of the rulesets, restarting the
firewalling daemon, and seeing if that affects the dns query
results.  Just to see if that gets you any closer to the
ballpark.  If you get a complete answer to your dns query, at
least you have a direction to proceed in.

My guess is there's something peculiar that csplans.com is doing
that makes it hiccup with speedfactory's nameservers.  I'd be
surprised if there's very much amiss with your rules, because you
probably would have noticed a problem earlier.  Unless, have you
been changing your rulesets around lately?

-- 
David S. Jackson                        dsj at dsj.net
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Is it weird in here, or is it just me?
		-- Steven Wright