Subject: Re: unbound fails to do reverse look ups
Date: Sat, Oct 18, 2025 at 05:23:14PM +0200

Quoting Carlo Wood via Unbound-users ([email protected]):

> Any ideas?

The DNS firewall blocks DNS traffic via TCP but not UDP.

If I had a Eurocent every time a stupid firewall admin does that, I could devote all my time to answering questions on mailing lists pro bono! :-)

Since the refusing reply arrives fast, it probably is in the form of an ICMP unreachable. Looking at traffic on the machine while asking the question, using a tool like tcpdump and writing to file, to filter in Wireshark later, probably is the best way to check this hypothesis. What you are looking for is a TCP RST or ICMP unreach packet, and it just might, if it is an ICMP one, contain the IP address of the offender.

My speculation here is that you normally don't end up with large answers that trigger re-query over TCP (when the reply is large enough to cause the Truncated bit to be set, most resolver servers re-query via TCP) except when you look up reverses which are signed. And the /8 delegations to RIR infrastructure typically are signed.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Yow! And then we could sit on the hoods of cars at stop lights!
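The check described in the reply above (capture with tcpdump, then look for a TCP RST or an ICMP unreachable answering the resolver's TCP/53 attempts, and read the offender's address out of the ICMP packet) can be scripted against tcpdump's text output. The script below is an added example, not part of the mailing-list post: it assumes the default line format tcpdump prints (for example `tcpdump -nn -r capture.pcap 'port 53 or icmp'`), and the sample capture embedded in it is constructed, with RFC 5737 documentation addresses, not a real trace.

```python
"""Flag the packets that reveal a TCP/53 block in tcpdump text output.

Added example, not code from the mailing-list post. It parses tcpdump's
default text lines and reports TCP resets and ICMP port-unreachables that
answer the resolver's TCP attempts towards port 53. For an ICMP unreachable
the *source* of the ICMP packet is the device that refused the traffic,
which is the "offender" the reply above talks about.
"""
import re
from dataclasses import dataclass
from typing import List

# tcpdump prints "domain" instead of 53 unless it is run with -nn.
DNS_PORTS = {"53", "domain"}

# Constructed sample (not a real capture): a resolver at 192.0.2.10 tries
# TCP/53 to two servers; one answer is a RST, the other an ICMP unreachable
# sent by a middlebox at 203.0.113.5. A UDP exchange is included as noise.
SAMPLE_CAPTURE = """\
17:23:14.100001 IP 192.0.2.10.41000 > 198.51.100.1.53: Flags [S], seq 1000, win 64240, length 0
17:23:14.100812 IP 198.51.100.1.53 > 192.0.2.10.41000: Flags [R.], seq 0, ack 1001, win 0, length 0
17:23:14.200001 IP 192.0.2.10.41001 > 198.51.100.2.53: Flags [S], seq 2000, win 64240, length 0
17:23:14.200950 IP 203.0.113.5 > 192.0.2.10: ICMP 198.51.100.2 tcp port 53 unreachable, length 36
17:23:14.300001 IP 192.0.2.10.41002 > 198.51.100.3.53: UDP, length 45
17:23:14.301002 IP 198.51.100.3.53 > 192.0.2.10.41002: UDP, length 180
"""

TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<orig_dst>[\d.]+) (?P<proto>tcp|udp) port (?P<port>\w+) unreachable"
)


@dataclass
class Finding:
    ts: str
    kind: str          # "tcp-rst" or "icmp-unreach"
    sender: str        # address that emitted the RST / ICMP packet
    resolver: str      # our side, the host that asked the question
    original_dst: str  # the DNS server we were trying to reach over TCP
    detail: str


def analyze(capture_text: str) -> List[Finding]:
    """Return one Finding per packet that refuses a TCP/53 connection."""
    findings: List[Finding] = []
    for line in capture_text.splitlines():
        m = TCP_RE.match(line)
        if m:
            # A reset coming *from* port 53 answers our TCP query attempt.
            if "R" in m["flags"] and m["sport"] in DNS_PORTS:
                findings.append(Finding(m["ts"], "tcp-rst", m["src"], m["dst"],
                                        m["src"], f"TCP reset, flags [{m['flags']}]"))
            continue
        m = ICMP_RE.match(line)
        if m and m["proto"] == "tcp" and m["port"] in DNS_PORTS:
            # The ICMP payload names the original destination; the ICMP
            # source is whoever dropped the packet.
            findings.append(Finding(m["ts"], "icmp-unreach", m["src"], m["dst"],
                                    m["orig_dst"], "ICMP port unreachable"))
    return findings


def suspected_filters(findings: List[Finding]) -> List[str]:
    """Addresses that sent ICMP unreachables on behalf of *another* host.

    A RST cannot tell a firewall from the real server (either could send it),
    but an ICMP unreachable whose source differs from the original
    destination points at a device in the path.
    """
    return sorted({f.sender for f in findings
                   if f.kind == "icmp-unreach" and f.sender != f.original_dst})


def tcp53_blocked(findings: List[Finding]) -> bool:
    return bool(findings)


if __name__ == "__main__":
    found = analyze(SAMPLE_CAPTURE)
    for f in found:
        print(f"{f.ts} {f.kind:12} from {f.sender:15} (query to {f.original_dst}): {f.detail}")
    print("suspected filtering devices:", suspected_filters(found))
```

Run it on a real trace by feeding `tcpdump -nn -r capture.pcap 'port 53 or icmp'` output into `analyze()`; the `-nn` matters only for the port names, which the script tolerates either way. A clean result (no findings) while `dig +tcp` still fails would point away from the TCP-block hypothesis and towards something like a path-MTU or rate-limiting problem.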