Did some testing.

From the windows server, did a port scanner on the IPA server (tcp + udp), no blocking between. (tested open).


The IPA has DNSSEC on, but that is for the zones only, right? There is no indication of DNSSEC in the datagrams.

The wireshark in the windows server:

A - The query packet:
-----------------------
Ethernet II, Src: CadmusCo_58:90:cb (08:00:27:58:90:cb), Dst: fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03)
Internet Protocol Version 4, Src: 10.10.24.12, Dst: 10.10.24.9
User Datagram Protocol, Src Port: 54680, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x0006
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            [Name Length: 10]
            [Label Count: 2]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

B - The response:
-----------------

Frame 10: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)
Ethernet II, Src: fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03), Dst: CadmusCo_58:90:cb (08:00:27:58:90:cb)
Internet Protocol Version 4, Src: 10.10.24.9, Dst: 10.10.24.12
User Datagram Protocol, Src Port: 53, Dst Port: 54680
Domain Name System (response)
    [Time: 0.057623000 seconds]
    Transaction ID: 0x0006
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 4
    Additional RRs: 4
    Queries
        google.com: type A, class IN
            Name: google.com
            [Name Length: 10]
            [Label Count: 2]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        google.com: type A, class IN, addr 216.58.222.14
            Name: google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 300
            Data length: 4
            Address: 216.58.222.14
    Authoritative nameservers
        google.com: type NS, class IN, ns ns4.google.com
            Name: google.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 6
            Name Server: ns4.google.com
        google.com: type NS, class IN, ns ns1.google.com
            Name: google.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 6
            Name Server: ns1.google.com
        google.com: type NS, class IN, ns ns3.google.com
            Name: google.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 6
            Name Server: ns3.google.com
        google.com: type NS, class IN, ns ns2.google.com
            Name: google.com
            Type: NS (authoritative Name Server) (2)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 6
            Name Server: ns2.google.com
    Additional records
        ns2.google.com: type A, class IN, addr 216.239.34.10
            Name: ns2.google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 4
            Address: 216.239.34.10
        ns1.google.com: type A, class IN, addr 216.239.32.10
            Name: ns1.google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 4
            Address: 216.239.32.10
        ns3.google.com: type A, class IN, addr 216.239.36.10
            Name: ns3.google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 4
            Address: 216.239.36.10
        ns4.google.com: type A, class IN, addr 216.239.38.10
            Name: ns4.google.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 172792
            Data length: 4
            Address: 216.239.38.10

-rsd




On 16/01/2017 06:31, Brian Candler wrote:
On 16/01/2017 00:52, Raul Dias wrote:
The  packets are getting back  That has being stablished already.

With Wireshark at the 2008R2 end?

I am looking for possible reasons it would disregard the answer, but accept when using a non-freeipa bind9 one.

Look at wireshark detail on both sets of responses; check for any differences including the flags. You're sure one of the servers isn't answering with a REFUSED answer for example? (That is, one of the bind servers might not allow queries from the source address of the 2008R2 server)

Also compare the bind configs. For example, is DNSSEC enabled in one but not the other?



--
Att. Raul Dias

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to