Hi all!
I am trying to set up unbound by following the handbook (I am running FreeBSD 10.0-RELEASE-p9). When I run
drill -S FreeBSD.org @8.8.8.8
using Google's DNS servers with pf on, the DNSKEY response is blocked by pf. When pf is off, the query works just fine. My pf.conf is very simple:
Code:
block drop log all
pass out quick on em0 inet from $my_ip to any keep state
The output of
tcpdump -netvi em0 host 8.8.8.8
shows:
Code:
de:ad:be:ef > de:ad:ba:be, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 11059, offset 0, flags [none], proto UDP (17), length 68)
1.2.3.4.56508 > 8.8.8.8.53: 57191+% [1au] A? freebsd.org. (40)
de:ad:ba:be > de:ad:be:ef, ethertype IPv4 (0x0800), length 397: (tos 0x0, ttl 49, id 20525, offset 0, flags [none], proto UDP (17), length 383)
8.8.8.8.53 > 1.2.3.4.56508: 57191$ 2/0/1 freebsd.org. A 8.8.178.110, freebsd.org. RRSIG (355)
de:ad:be:ef > de:ad:ba:be, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 11060, offset 0, flags [none], proto UDP (17), length 68)
1.2.3.4.51805 > 8.8.8.8.53: 16063+% [1au] DNSKEY? freebsd.org. (40)
de:ad:ba:be > de:ad:be:ef, ethertype IPv4 (0x0800), length 933: (tos 0x0, ttl 49, id 11762, offset 0, flags [none], proto UDP (17), length 919)
8.8.8.8.53 > 1.2.3.4.51805: 16063$ 3/0/1 freebsd.org. DNSKEY, freebsd.org. DNSKEY, freebsd.org. RRSIG (891)
de:ad:be:ef > de:ad:ba:be, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 11062, offset 0, flags [none], proto UDP (17), length 68)
1.2.3.4.59486 > 8.8.8.8.53: 31828+% [1au] DS? freebsd.org. (40)
de:ad:ba:be > de:ad:be:ef, ethertype IPv4 (0x0800), length 293: (tos 0x0, ttl 49, id 26672, offset 0, flags [none], proto UDP (17), length 279)
8.8.8.8.53 > 1.2.3.4.59486: 31828$ 2/0/1 freebsd.org. DS, freebsd.org. RRSIG (251)
de:ad:be:ef > de:ad:ba:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 11063, offset 0, flags [none], proto UDP (17), length 60)
1.2.3.4.57025 > 8.8.8.8.53: 56542+% [1au] DNSKEY? org. (32)
de:ad:ba:be > de:ad:be:ef, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 49, id 31833, offset 0, flags [+], proto UDP (17), length 1500)
8.8.8.8.53 > 1.2.3.4.57025: 56542$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
de:ad:ba:be > de:ad:be:ef, ethertype IPv4 (0x0800), length 187: (tos 0x0, ttl 49, id 31833, offset 1480, flags [none], proto UDP (17), length 173)
8.8.8.8 > 1.2.3.4: ip-proto-17
And the output of
tcpdump -netvi pflog0 host 8.8.8.8
shows:
Code:
rule 0..16777216/0(match): block in on em0: (tos 0x0, ttl 49, id 31833, offset 0, flags [+], proto UDP (17), length 1500)
8.8.8.8.53 > 1.2.3.4.57025: 56542$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
rule 0..16777216/0(match): block in on em0: (tos 0x0, ttl 49, id 31833, offset 1480, flags [none], proto UDP (17), length 173)
8.8.8.8 > 1.2.3.4: ip-proto-17
From this we can see that there seems to be a problem with state keeping on the last packet sent from my IP (from port 57025), since its reply gets blocked by pf.
I suspect this must be a packet size issue, since the reply size (1500 bytes) is - I think - the max limit of DNS UDP packets, but I am not sure, nor do I know how to resolve this problem.
Thank you all for your time in advance!
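The blocked reply in the traces above is a single UDP datagram split into two IP fragments (the first carries flags [+], the second offset 1480 and no UDP header). pf only matches fragments against an existing UDP state once it has reassembled them, and reassembly happens only when a scrub rule is present; without one, both fragments fall through to the default block rule, which is what pflog0 shows. The following ruleset is an added example, not taken from the original post, showing the poster's two rules with fragment reassembly enabled (it assumes the same $my_ip macro and em0 interface):

```pf
# Added example: the original pf.conf plus fragment reassembly.
# $my_ip and em0 are assumed to match the poster's environment.

# Reassemble inbound IP fragments before rule and state matching,
# so a fragmented DNS reply is evaluated as one UDP datagram
# and can match the state created by the outbound query.
scrub in all fragment reassemble

# Default-deny, logged to pflog0 (unchanged from the original).
block drop log all

# Allow outbound traffic from this host and keep state so that
# replies, including reassembled fragmented ones, are admitted.
pass out quick on em0 inet from $my_ip to any keep state
```

After reloading the ruleset with `pfctl -f /etc/pf.conf`, a repeat of the same `drill -S` query can be checked on pflog0: with reassembly in place the two fragments of the large DNSKEY answer should no longer appear as blocked.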