There was a setting in Cisco which would handle the host behind the NAT differently when the DNS traffic passed the matching NAT.
I found a bug in the Cisco devices more than 10+ years ago when it would mangle the TTL to `0`. I don’t really remember the details though, but it’s not only the `ip inspect` that might be at fault.

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 21 Apr 2020, at 21:14, John Wiles <j...@iotis.org> wrote:
>
> The only ip inspect lines that I could find in the current config are:
>
> ip inspect dns-timeout 7200
> ip inspect name CCP_HIGH dns
>
> John
>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matthew Richardson
>> Sent: Tuesday, April 21, 2020 2:55 PM
>> To: bind-users@lists.isc.org
>> Subject: Re: NAT and Question Section Mismatch
>>
>> Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?
>>
>> Do any of these reference "dns"? If so, this may be your problem...
>>
>> Best wishes,
>> Matthew
>>
>> ------
>>> From: John Wiles <j...@iotis.org>
>>> To: Tony Finch <d...@dotat.at>
>>> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
>>> Date: Tue, 21 Apr 2020 14:08:24 -0400
>>> Subject: RE: NAT and Question Section Mismatch
>>>
>>>> -----Original Message-----
>>>> From: John Wiles
>>>> Sent: Sunday, April 19, 2020 11:18 PM
>>>> To: 'Tony Finch' <d...@dotat.at>
>>>> Cc: bind-users@lists.isc.org
>>>> Subject: RE: NAT and Question Section Mismatch
>>>>
>>>>>> I am running into a problem that I think is caused by either a misconfiguration in Bind9, our Cisco NAT, or perhaps both.
>>>>>>
>>>>>> When I am on our internal network, I am able to query both servers and get the appropriate external ip address. However, when I try to do the same thing externally I get "Question section mismatch: got 6.1.1.10.in-addr.arpa/PTR/IN."
>>>>>
>>>>> I bet this is a PIX/ASA fixup fuxup.
>>>>>
>>>>> Tony.
>>>>
>>>> Tony, thanks for the response.
>>>>
>>>> I'm assuming that applies to either DNS inspection and/or the fixup command. I'm asking the person that handles the Cisco config to review.
>>>>
>>>> I also just realized I forgot to mention that it is a 2911 ISR.
>>>>
>>>> John
>>>>
>>>
>>> After going through the router config my Cisco person is pretty sure that there is nothing in the configuration that is causing this.
>>>
>>> But I'm not so certain since it appears to only affect the hosts that are in the NAT. For example, my nslookup results from home:
>>>
>>> > server 72.162.32.4
>>> Default server: 72.162.32.4
>>> Address: 72.162.32.4#53
>>> > 72.162.32.2
>>> 2.32.162.72.in-addr.arpa name = gw.iotis.org.
>>> > 72.162.32.3
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>>> ;; connection timed out; no servers could be reached
>>>
>>> > 72.162.32.4
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>>> ;; connection timed out; no servers could be reached
>>>
>>> > 72.162.32.19
>>> 19.32.162.72.in-addr.arpa name = badmx2.iotis.org.
>>> > 72.162.32.18
>>> 18.32.162.72.in-addr.arpa name = badmx.iotis.org.
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
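As an added illustration (not code from the thread, from ISC or from Cisco), this is the check a resolver performs that produces the "Question section mismatch" line John quotes: it compares the question section of the reply with the query it sent, which is exactly where a NAT's DNS inspection that rewrites the in-addr.arpa name of the public address to the private one trips it. The packets are constructed inline; the 17.1.1.10 value is taken from John's nslookup output.

```python
import struct

TYPES = {1: "A", 12: "PTR"}   # only the codes this example needs
CLASSES = {1: "IN"}

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Wire-format name at buf[off] -> (dotted name, offset after it).
    The question is the first name in a message, so it is never compressed."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_message(qid, flags, qname, qtype=12, qclass=1):
    """One-question DNS message; qtype 12 = PTR, flags 0x0100 = query, 0x8180 = reply.
    Answer records are omitted: the mismatch check only looks at the question."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def question(msg):
    """(qname, qtype, qclass) of the first question; names compare case-insensitively."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name.lower(), qtype, qclass

def check_reply(query, reply):
    """None if the reply's ID and question match the query, else the error text
    in the form nslookup printed in the thread."""
    if query[:2] != reply[:2]:
        return "reply ID does not match query ID"
    if question(query) != question(reply):
        name, qtype, qclass = question(reply)
        return "Question section mismatch: got %s/%s/%s" % (
            name, TYPES.get(qtype, qtype), CLASSES.get(qclass, qclass))
    return None

# Constructed sample: PTR lookup of 72.162.32.3 sent from outside the NAT.
QUERY = build_message(0x1234, 0x0100, "3.32.162.72.in-addr.arpa")
CLEAN_REPLY = build_message(0x1234, 0x8180, "3.32.162.72.in-addr.arpa")
# The same reply after the NAT's DNS inspection rewrote the public address in
# the QNAME to the private one (constructed to match the thread's symptom).
MANGLED_REPLY = build_message(0x1234, 0x8180, "17.1.1.10.in-addr.arpa")
```

A reply whose question section has been rewritten this way is discarded by the resolver, which then retries until it times out, matching the "no servers could be reached" outcome above.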