Hi Tong,

On Sat, 9 Jul 2016 16:17:45 +0000 (UTC)
T o n g <mlist4sunt...@yahoo.com> wrote:

> $ dig cnn.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> cnn.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56353
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;cnn.com.                       IN      A
> 
> ;; ANSWER SECTION:
> cnn.com.                65      IN      A       157.166.226.26
> cnn.com.                65      IN      A       157.166.226.25
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jul 09 16:14:34 UTC 2016
> ;; MSG SIZE  rcvd: 68

OK, so dnsmasq is running locally on UDP.

> > 3. What does iptables-save display?   
> 
> $ sudo iptables-save
> # Generated by iptables-save v1.6.0 on Sat Jul  9 16:08:46 2016
> *filter
> :INPUT ACCEPT [990:208464]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1019:100580]
> :f2b-sshd - [0:0]
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Sat Jul  9 16:08:46 2016
> 
> I believe this is the standard setting from fail2ban because I have 
> fail2ban_0.9.3-1 installed (and nothing else related). 

OK, so no blocking at your box level except for what fail2ban may
decide to block. Now we're fairly sure your problem is with either your
ISP or your hosting provider.

Regarding running the DNS on TCP alone: the problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any process other than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.

Best regards,
-- 
Albert.
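An added diagnostic example (not from this thread or from dnsmasq itself): a stdlib-only Python script that sends the same query to a resolver once over UDP and once over TCP and reports whether each transport answers, so a UDP/53 drop somewhere upstream can be told apart from a resolver that is simply broken. It assumes the resolver is the local dnsmasq on 127.0.0.1 from the dig output above; pass `server=` to aim it at the upstream resolver directly.

```python
import random
import socket
import struct

def build_query(name, qtype=1, edns_udp=1280):
    """DNS query with RD set plus an EDNS0 OPT record (udp: 1280, as dig advertised)."""
    qid = random.randint(0, 65535)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp, 0, 0)   # root name, type OPT
    return header + question + opt, qid

def parse_header(msg):
    """Decode the 12-byte header: id, QR and TC flags, RCODE, answer count."""
    qid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def query_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def query_tcp(server, query, timeout=3.0):
    # Over TCP every DNS message carries a 2-byte length prefix (RFC 1035 4.2.2).
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f = s.makefile("rb")
        length = struct.unpack("!H", f.read(2))[0]
        return f.read(length)

def compare_transports(name, server="127.0.0.1"):
    """Same query both ways; UDP timing out while TCP answers points at UDP/53 being dropped."""
    query, qid = build_query(name)
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = parse_header(fn(server, query))
            if hdr["id"] != qid or not hdr["qr"]:
                results[label] = "unexpected reply"
            elif hdr["tc"]:
                results[label] = "truncated (a resolver would now retry over TCP)"
            else:
                results[label] = "ok: rcode %d, %d answers" % (hdr["rcode"], hdr["ancount"])
        except (OSError, struct.error) as exc:
            results[label] = "failed: %s" % exc
    return results
```

Run `compare_transports("cnn.com")` against 127.0.0.1 and then against the upstream address dnsmasq forwards to; if UDP fails only on the second, the drop is outside the box.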

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss