
We have recently added an external DNS lookup server address in our Link Controller under System --> Configuration --> Device --> DNS --> DNS Lookup Server List.

However, when we do a normal nslookup for any URL (e.g. google.com), it is unable to resolve:

[Active:In Sync] config  dig @8.8.8.8 google.com
; <<>> DiG 9.9.6-P1 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@23ZLC02:Active:In Sync] config  nslookup google.com
;; connection timed out; no servers could be reached

But the LC has external connectivity:

[Active:In Sync] config  ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=3.23 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=3.16 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=45 time=4.32 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=45 time=7.91 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=45 time=3.30 ms

However, it does work if we use the dig command with +tcp:

[Active:In Sync] config  dig @8.8.8.8 google.com +tcp
; <<>> DiG 9.9.6-P1 <<>> @8.8.8.8 google.com +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47990
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A
;; ANSWER SECTION:
google.com.             299     IN      A       74.125.24.100
google.com.             299     IN      A       74.125.24.139
google.com.             299     IN      A       74.125.24.138
google.com.             299     IN      A       74.125.24.101
google.com.             299     IN      A       74.125.24.102
google.com.             299     IN      A       74.125.24.113
;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 09 21:17:10 SGT 2018
;; MSG SIZE  rcvd: 135

Here is the tcpdump output:

[Active:In Sync] config  tcpdump -ni 0.0 -s0 host 8.8.8.8 and udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:34:58.297492 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=
19:35:03.297323 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=
19:35:08.297432 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=

Port 53 seems to be open as well:

[Active:In Sync] config  telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
Connection closed by foreign host.

The network connection flow is Link controller --> IPS --> Router --> Internet
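The tcpdump output above shows the same transaction id (9669) leaving the LC three times, five seconds apart, with nothing coming back from 8.8.8.8; that is the resolver's retry pattern for a query whose UDP reply never arrives. As an added example (not part of this thread and not F5's own tooling), here is a small Python 3 script that reads tcpdump's DNS text output, groups packets by transaction id, and reports which queries were retransmitted without ever being answered. The sample capture is constructed here: it reuses the three lines from the post and adds one hypothetical healthy query/response pair (id 1234, example.com) for contrast.

```python
import re
from datetime import datetime

# Constructed sample capture: the three unanswered queries quoted in the thread plus
# one invented healthy query/response pair (id 1234) so the "answered" path is exercised.
SAMPLE_CAPTURE = """\
19:34:58.297492 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=
19:35:03.297323 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=
19:35:08.297432 IP 203.127.17.5.54771 > 8.8.8.8.domain:  9669+ [1au] A? google.com. (39) out slot1/tmm0 lis=
19:35:20.100000 IP 203.127.17.5.40001 > 8.8.8.8.domain:  1234+ [1au] A? example.com. (40) out slot1/tmm0 lis=
19:35:20.110000 IP 8.8.8.8.domain > 203.127.17.5.40001:  1234 1/0/1 A 93.184.216.34 (56) in slot1/tmm0 lis=
"""

# tcpdump DNS line: <time> IP <src> > <dst>: <id>[+] [<edns flags>] <rest>
# A query's <rest> starts with a type followed by '?' (e.g. "A? google.com."),
# a response's <rest> starts with the answer/authority/additional counts ("1/0/1").
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):\s+"
    r"(?P<id>\d+)\+?\s*(?:\[[^\]]*\]\s*)?(?P<rest>.*)$"
)


def parse_line(line):
    """Return (timestamp, txid, is_query, rest) for a DNS line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    tokens = m["rest"].split()
    is_query = bool(tokens) and tokens[0].endswith("?")
    return ts, int(m["id"]), is_query, m["rest"]


def analyze(capture):
    """Group packets by transaction id: when each query was sent and whether a reply was seen."""
    tx = {}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, txid, is_query, rest = parsed
        entry = tx.setdefault(txid, {"sent": [], "answered": False, "name": None})
        if is_query:
            entry["sent"].append(ts)
            tokens = rest.split()
            entry["name"] = tokens[1] if len(tokens) > 1 else None
        else:
            entry["answered"] = True
    return tx


def unanswered(tx):
    """List (txid, name, attempts, mean retry interval in seconds) for queries never answered."""
    out = []
    for txid, entry in sorted(tx.items()):
        if entry["answered"] or not entry["sent"]:
            continue
        sent = entry["sent"]
        gaps = [(b - a).total_seconds() for a, b in zip(sent, sent[1:])]
        interval = round(sum(gaps) / len(gaps), 1) if gaps else None
        out.append((txid, entry["name"], len(sent), interval))
    return out


if __name__ == "__main__":
    # Typical use on the LC: tcpdump -nni 0.0 -s0 udp port 53 > dns.txt, then feed dns.txt here.
    for txid, name, attempts, interval in unanswered(analyze(SAMPLE_CAPTURE)):
        print(f"id {txid} {name}: {attempts} attempts, ~{interval}s apart, no reply seen")
```

A query that is retried at a fixed interval with the same id and no inbound packet from the server is dropped somewhere after it leaves the LC (or its reply is dropped on the way back); a query that is answered late, or with a SERVFAIL, would show up differently and points at the resolver rather than the path.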

Hello,

Regarding your last comment "Port 53 seems to be open as well": it's normal, because telnet uses TCP only.

Can you tell me if you have a FW between your LC and your ISP? Because, as you explain, you can reach the Google DNS through TCP but not UDP, I suppose that routing is working fine and this problem may come from perimeter security...

Regards,


Hi youssef,

The only thing is that there is an IPS between the LC and the router (the external router facing the internet).

Unfortunately, we don't have access to either the IPS or the router, as they are not managed by us.

Is there another way to test from the LC to see if UDP/53 is being blocked?
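As an added example (not from the thread and not F5's own code), here is a stand-alone Python 3 script that tests exactly this: it builds one DNS A query, sends it to a resolver over UDP/53 and then the same message over TCP/53 (with the 2-byte length prefix TCP DNS requires), and states which transport answered. Run it from the LC itself, or from any host on the LC side of the IPS, against the resolver you configured (8.8.8.8 is assumed as the default, matching the dig output in the thread). The response bytes at the bottom are constructed for offline checking and are not a real capture.

```python
import random
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: RD set, one question, class IN, no EDNS. Returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name that starts at offset off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Check id and QR bit, then return (rcode, [IPv4 strings from A answers])."""
    if len(msg) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed before the full DNS message arrived")
        buf += chunk
    return buf


def probe(server, name, timeout=3.0):
    """Send the same query over UDP/53 and TCP/53; return {transport: outcome tuple}."""
    results = {}
    txid, query = build_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
            results["udp"] = ("ok",) + parse_a_records(data, txid)
    except socket.timeout:
        results["udp"] = ("timeout",)
    except OSError as exc:
        results["udp"] = ("error", str(exc))
    try:
        # TCP DNS prefixes each message with its 2-byte length (RFC 1035, section 4.2.2)
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            results["tcp"] = ("ok",) + parse_a_records(_recv_exact(s, length), txid)
    except socket.timeout:
        results["tcp"] = ("timeout",)
    except OSError as exc:
        results["tcp"] = ("error", str(exc))
    return results


def diagnose(results):
    """Turn the two outcomes into the conclusion the thread is after."""
    udp = results.get("udp", ("error", "not run"))[0]
    tcp = results.get("tcp", ("error", "not run"))[0]
    if udp == "ok" and tcp == "ok":
        return "both transports answer: DNS path is clear"
    if udp == "timeout" and tcp == "ok":
        return "UDP/53 dropped while TCP/53 works: a filter on the path (IPS/firewall), not routing"
    if udp == "ok" and tcp != "ok":
        return "TCP/53 blocked while UDP/53 works: large or truncated answers will fail"
    return "neither transport answers: routing or server problem, not a UDP-only filter"


# Constructed sample response (not a real capture): id 0x1234, flags QR|RD|RA, one question,
# two A answers for google.com. that use a compression pointer back to the question name.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x06google\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2b\x00\x04\x4a\x7d\x18\x64"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2b\x00\x04\x4a\x7d\x18\x8b"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    res = probe(target, "google.com")
    for transport, outcome in res.items():
        print(transport, outcome)
    print(diagnose(res))
```

Because the same transaction id and message are used on both transports, the only variable is the transport, so a UDP timeout beside a TCP answer isolates the problem to something on the path that treats UDP/53 differently from TCP/53. Checking the id and QR bit on the reply also keeps a stray or spoofed packet from being mistaken for a working path.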


I suppose that you created a wildcard VS on the F5 (for outbound traffic), e.g. 0.0.0.0:*. Can you tell me what protocol you set (all protocols or just TCP)?

Regards,

