The only ip inspect lines that I could find in the current config are:

ip inspect dns-timeout 7200
ip inspect name CCP_HIGH dns

John

> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> Matthew Richardson
> Sent: Tuesday, April 21, 2020 2:55 PM
> To: bind-users@lists.isc.org
> Subject: Re: NAT and Question Section Mismatch
>
> Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?
>
> Do any of these reference "dns"? If so, this may be your problem...
>
> Best wishes,
> Matthew
>
> ------
> >From: John Wiles <j...@iotis.org>
> >To: Tony Finch <d...@dotat.at>
> >Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> >Date: Tue, 21 Apr 2020 14:08:24 -0400
> >Subject: RE: NAT and Question Section Mismatch
> >
> >> -----Original Message-----
> >> From: John Wiles
> >> Sent: Sunday, April 19, 2020 11:18 PM
> >> To: 'Tony Finch' <d...@dotat.at>
> >> Cc: bind-users@lists.isc.org
> >> Subject: RE: NAT and Question Section Mismatch
> >>
> >> > >
> >> > > I am running into a problem that I think is caused by either a
> >> > > misconfiguration in Bind9, our Cisco NAT, or perhaps both.
> >> > >
> >> > > When I am on our internal network, I am able to query both
> >> > > servers and get the appropriate external ip address. However,
> >> > > when I try to do the same thing externally I get "Question
> >> > > section mismatch: got 6.1.1.10.in-addr.arpa/PTR/IN."
> >> >
> >> > I bet this is a PIX/ASA fixup fuxup.
> >> >
> >> > Tony.
> >>
> >> Tony thanks for the response.
> >>
> >> I'm assuming that applies to either DNS inspection and/or the fixup
> >> command. I'm asking the person that handles the cisco config to review.
> >>
> >> I also just realized I forgot to mention that it is a 2911 ISR.
> >>
> >> John
> >>
> >
> >After going through the router config my cisco person is pretty sure that
> >there is nothing in the configuration that is causing this.
> >
> >But I'm not so certain since it appears to only affect the hosts that are in
> >the NAT.
> >For example, my nslookup results from home:
> >
> >> server 72.162.32.4
> >Default server: 72.162.32.4
> >Address: 72.162.32.4#53
> >> 72.162.32.2
> >2.32.162.72.in-addr.arpa name = gw.iotis.org.
> >> 72.162.32.3
> >;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN ;;
> >;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN ;; ;;
> >Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN ;;
> >connection timed out; no servers could be reached
> >
> >> 72.162.32.4
> >;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN ;;
> >;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN ;; ;;
> >Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN ;;
> >connection timed out; no servers could be reached
> >
> >> 72.162.32.19
> >19.32.162.72.in-addr.arpa name = badmx2.iotis.org.
> >> 72.162.32.18
> >18.32.162.72.in-addr.arpa name = badmx.iotis.org.
> >
> >_______________________________________________
> >Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> >unsubscribe from this list
> >
> >bind-users mailing list
> >bind-users@lists.isc.org
> >https://lists.isc.org/mailman/listinfo/bind-users
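
The "Question section mismatch" lines in the nslookup output quoted above come from the client comparing the question echoed in a response with the question it sent. The following is an added example, not code from the thread or from BIND: it rebuilds that comparison over constructed messages, and the function names and the transaction ID are hypothetical.

```python
import struct

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(txid, flags, qname, qtype=12, qclass=1):
    """Header (QDCOUNT=1, no other records) plus a single PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, qname, qtype, qclass) for the first question."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass

def check_response(query, response):
    """Return None if the response echoes the query's question, else a reason."""
    q, r = parse_question(query), parse_question(response)
    if q[0] != r[0]:
        return "transaction ID mismatch"
    if q[1:] != r[1:]:
        return "question section mismatch: asked %s, got %s" % (q[1], r[1])
    return None

# Constructed sample: names taken from the nslookup output quoted above.
QUERY = build_message(0x1A2B, 0x0100, "3.32.162.72.in-addr.arpa")
REWRITTEN = build_message(0x1A2B, 0x8180, "17.1.1.10.in-addr.arpa")
INTACT = build_message(0x1A2B, 0x8180, "3.32.162.72.in-addr.arpa")

if __name__ == "__main__":
    print(check_response(QUERY, REWRITTEN))
    print(check_response(QUERY, INTACT))
```

Running the same comparison on packets captured on each side of the NAT device shows on which side the question name changes.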