AskHuSi: Google DNS
Help!
By FlightTest (Sun Jan 03, 2010 at 10:49:09 PM EST) Google, DNS, pf (all tags)
I changed my DNS pointers to the Google DNS.  Now, I seem to be getting poked by Google.


I run a local DNS server on FreeBSD (named) and have set forward only; it's a pretty basic setup, just modifying the provided named.conf for my usage.   I previously used OpenDNS (no account) and had no trouble (I switched because I didn't like the redirects from bad lookups and didn't want to get a stupid account with them).  Now I've pointed forwarders and resolv.conf (via dhclient.conf) to Google DNS and my firewall (pf) is reporting the following through the kernel log (actually I'm assuming it's pf since that's what's denying the connection):

+Connection attempt to UDP $MYIP:63129 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:60970 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:53864 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:53387 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:55435 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:57458 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:50597 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:54709 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:58306 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:59812 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:50531 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:52678 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:58373 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:62063 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:62996 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:58182 from 8.8.4.4:53
+Connection attempt to UDP $MYIP:60398 from 8.8.8.8:53
+Connection attempt to UDP $MYIP:54679 from 8.8.4.4:53

and on and on and on.

So, um, what is it doing?  Have I mis-configured something somewhere?  Like I said I didn't get these messages when pointed at OpenDNS.  My problem is while I can follow a man page or HowTo, I don't necessarily understand how all the bits play together.

Thanks!
AskHuSi: Google DNS | 5 comments (5 topical, 0 hidden) | Trackback
My guess... by chuckles (4.00 / 1) #1 Mon Jan 04, 2010 at 02:24:51 AM EST

You need to add a firewall rule allowing Google's DNS servers to send traffic to you from port 53/UDP to >1023/UDP.

Or see if you can query Google's DNS servers on port 53/TCP.

My guess is that you were querying OpenDNS on port 53/TCP, and your firewall happily allowed OpenDNS' responses back to you. You are now querying Google on port 53/UDP. UDP is connectionless and has more potential for mischief. Your firewall might be configured to block all incoming UDP traffic (a reasonable precaution).



"The one absolutely certain way of bringing this nation to ruin [...] would be to permit it to become a tangle of squabbling nationalities"
Hrmmmm by FlightTest (2.00 / 0) #4 Mon Jan 04, 2010 at 12:06:41 PM EST
But all I did was change the IPs from OpenDNS's servers to Google's servers.  Why would named suddenly decide to change the protocol it was using to query the upstream DNS?


These are responses by thunderbee (4.00 / 2) #2 Mon Jan 04, 2010 at 02:40:02 AM EST
from port 53 to the query port.
Query source port is randomized by your DNS to avoid cache poisoning.
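The rule chuckles and thunderbee are describing, written the way a practitioner would want it: a stateful pf rule scoped to the two forwarders, so the reply from port 53 is admitted only to the randomized query port that named actually used, instead of opening all of >1023/UDP. This is an added example, not a ruleset from the thread; the interface names and macro names are assumptions.

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD box
# running named with "forward only" to Google Public DNS.
# ext_if, int_if and the macro names are assumptions; adjust to the host.
ext_if = "em0"
int_if = "em1"
forwarders = "{ 8.8.8.8, 8.8.4.4 }"

# Default deny, logged, so anything not explicitly allowed still shows up.
block log all

# Let named reach the forwarders over UDP and TCP (TCP is used for
# truncated answers). "keep state" is the default for pass rules on
# current pf but is written out here on purpose: for each outgoing query
# pf records the source port named randomized, and only the reply from
# 8.8.8.8/8.8.4.4 port 53 back to that exact port is let in. No blanket
# "port 53 to >1023/udp" opening is needed, and unsolicited datagrams
# from the resolvers to other high ports stay blocked.
pass out quick on $ext_if inet proto { udp, tcp } \
    from ($ext_if) to $forwarders port 53 keep state

# Let the LAN query the local named; the rest of the ruleset goes here.
pass in quick on $int_if inet proto { udp, tcp } \
    from $int_if:network to ($int_if) port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss | grep 8.8` afterwards shows the per-query UDP state entries that make the replies match.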

Okay.... by FlightTest (2.00 / 0) #3 Mon Jan 04, 2010 at 12:01:05 PM EST
So why wasn't I getting these responses with OpenDNS?  I presume some difference in the way OpenDNS runs their DNS servers vs. the way Google does?


I don't use either by thunderbee (2.00 / 0) #5 Thu Jan 07, 2010 at 02:27:08 AM EST
What I noticed though is that this behavior goes with the update about the cache poisoning.
DNSes that used to work (that is master DNS, not caching) without rules for these high random ports failed after the upgrade.
Maybe openDNS is still working the old-fashioned way and google is not? I'm not using either so I can't really say.

I'm no DNS expert, I just make them work; the subtleties escape me :)
