Home / server / Questions / 282304
In Process
TessellatingHeckler
Asked: 2011-06-21 10:22:43 +0800 CST

Cisco 837 not passing UDP traffic properly (was: DNS query problem)

  • 772

We have a setup of ADSL line -> Cisco 837 ADSL router -> Zyxel ZyWall 35 firewall/NAT -> Switch -> LAN.

It has been fine for years, suddenly DNS resolution stopped working from the LAN to public DNS servers. No changes that I know of, so I can't revert anything.

Current behaviour:

  • DNS requests from the LAN using TCP show up in the oubound firewall log, in the Cisco debug log, in the dns-server-firewall, in tcpdump on the DNS server, the answer comes back, it works fine.
  • DNS requests from the LAN using UDP show up in the outbound firewall log, in the Cisco debug log, but does NOT show in the dns-server-firewall, not in tcpdump on the DNS server, times out.
  • DNS requests from the Cisco using UDP show up in the dns-server-firewall and in tcpdump on the DNS server, answer received, works fine.
  • netcat connections to port 53 or a random port by TCP show up in the dns-server-firewall
  • netcat connections to port 53 or a random port by UDP do not show up in the dns-server-firewall

Summary: TCP seems fine throughought. UDP works from the Cisco over the ADSL, and it works from the LAN to the Cisco, but it doesn't seem to cross the Cisco 837 properly. Update: confirmed with netcat that any UDP traffic from the LAN is affected, not just traffic to port 53.

Update: If I change the firewall's external IP to any other IP in the subnet, this starts working. When I put it back, it stops working. I now suspect it's an ISP issue (does that sound plausible?), and am removing the Cisco config.

domain-name-system networking cisco tcp zyxel

3 Answers

    • Is it just udp or is tcp also affected?
    • Are there any IPv4/IPv6 issues (sometimes routers get confused, thou I've seen that only for really cheap ones)

    A way to test that would be (using Google DNS servers):

    $ dig @8.8.8.8 example.com +noall +answer +notcp +ignore # udp only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig -4 example.com +noall +answer +notcp +ignore # udp only/ipv4 only
example.com.        50270   IN  A   192.0.43.10

$ dig -6 example.com +noall +answer +notcp +ignore # udp only/ipv6 only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig @8.8.8.8 example.com +noall +answer +tcp # tcp only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -4 example.com +noall +answer +tcp # tcp only/ipv4 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -6 example.com +noall +answer +tcp # tcp only/ipv6 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

    Also:

    • Do you have a tcpdump
    • Maybe get some cheap VPS/EC2/Rackspace Instance and open port 53 (netcat is your friend). Test with telnet that you can connect -- just to be sure that your pakets are indeed going beyond your firewall.
    • 1

  2. 1 first start by unplugging both and plugging them back in. Check the gateway setting on the Zyxel and make sure it is pointed to the cisco DSL. Then check to make sure the port in administratively up on the cisco router. Then check to make sure that the ACL on the cisco router will allow the Zyxel to connect to it. Ping the cisco router from the zyxel, any response. Has anything changed recently? Firmware, restore, anything?

    • 0

  3. There's actually a nice article on Google Code that covers troubleshooting DNS issue with them.

    You might want to test another DNS, for example your ISP's DNS or OpenDNS.

    I have a feeling your Firewall is unable to reach 8.8.8.8.

    • 0