Technical issue CSF and DNS on VIP

bbytes (Verified User, joined Feb 2, 2010, 14 messages)
I have a VPS running with AlmaLinux 9, DA, DNS and CSF. This is a standard setup, nothing fancy. The server (.21) has multiple IP addresses. One secondary IP (.33) is configured for the DNS server. The issue is that incoming DNS requests coming in on the VIP do not go out through the VIP. Running tcpdump, there is no reply at all.
Disabling csf completely solves this problem and the DNS requests are returned through the VIP.

I tried several things to solve this, but I'm out of options.

Below are some of the things I have tried. DNS server is .33 with gateway .1. Host IP is .21.
I use mxtoolbox to test the DNS server, which has IP 18.209.86.113.
  1. I first thought about a routing issue. So I set rp_filter on ens192 to 0.
  2. Tried a routing config; it works, but no result in DNS replies.
    1. echo "100 dns33" >> /etc/iproute2/rt_tables
    2. ip route add default via x.x.x.1 dev ens192 src x.x.x.33 table dns33
    3. ip rule add from x.x.x.33 table dns33
    4. ip route get 18.209.86.113 from x.x.x.33
      18.209.86.113 from x.x.x.33 via x.x.x.1 dev ens192 table dns33 uid 0
  3. The following csf configs have been tried:
    1. Of course double checked that the DNS ports are open (tcp and udp)
    2. Checked lfd so DNS is not blocked
    3. Used a config from an AlmaLinux 8 server with the same services (also DNS running)
    4. Disabled LF_SPI stateful inspection
    5. Added a manual rule at the top of iptables through the file csfpost.sh
  4. Disabling csf with csf -x solved the issue.

Tcpdump output. I replaced my DNS server and domain with mydnsserver.com.
00:21:44.309236 IP (tos 0x0, ttl 118, id 47278, offset 0, flags [none], proto UDP (17), length 55)
18.209.86.113.15521 > x.x.x.33.domain: [udp sum ok] 6070 NS? mydnsserver.com. (27)
00:21:46.518821 IP (tos 0x0, ttl 118, id 47279, offset 0, flags [none], proto UDP (17), length 59)
18.209.86.113.38122 > x.x.x.33.domain: [udp sum ok] 44606 A? ns2.mydnserver.com. (31)
00:21:48.715684 IP (tos 0x0, ttl 118, id 47280, offset 0, flags [none], proto UDP (17), length 55)
18.209.86.113.slinkysearch > x.x.x.33.domain: [udp sum ok] 31614 SOA? mydnsserver.com. (27)
00:21:50.247158 IP (tos 0x0, ttl 118, id 47281, offset 0, flags [none], proto UDP (17), length 55)
18.209.86.113.65096 > x.x.x.33.domain: [udp sum ok] 28103 SOA? mydnsserver.com. (27)

How it should look when I disable csf (csf -x). At 00:26:07.553381 you can see the return packet to mxtoolbox.
00:26:07.553208 IP (tos 0x0, ttl 118, id 2115, offset 0, flags [none], proto UDP (17), length 59)
18.209.86.113.29349 > x.x.x.33.domain: [udp sum ok] 59719 A? ns1.mydnsserver.com. (31)
00:26:07.553381 IP (tos 0x0, ttl 64, id 64767, offset 0, flags [none], proto UDP (17), length 241)
x.x.x.33.domain > 18.209.86.113.29349: [bad udp cksum 0xc010 -> 0xb34f!] 59719*- q: A? ns1.mydnsserver.com. 1/3/5 ns1.mydnsserver.com. A x.x.x.33 ns: mydnsserver.com. NS ns1.mydnsserver.com., mydnsserver.com. NS ns3.mydnsserver.com., mydnsserver.com. NS ns2.mydnsserver.com. ar: ns2.mydnsserver.com. A x.x.x.151, ns3.mydnsserver.com. A x.x.x.44, ns1.mydnsserver.com. AAAA::33, ns2.mydnsserver.com. AAAA 2a01:7c8:aab4:397::1, ns3.mydnsserver.com. AAAA::44 (213)

I tried a lot more, but those were just tests.
Who else has this problem and how did you solve it?
We could step over to firewalld or APF with BFD, but we would like to keep using csf, knowing it will EOL some day.
We tested APF by the way and that works flawlessly.
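Which csf rule eats the reply can be read off the iptables packet counters: snapshot the OUTPUT chain, send one query to the VIP, snapshot again, and see which rule counted the extra packet. The script below does that diff; it is an added example, not from this thread, and its BEFORE/AFTER listings (including the LOGDROPOUT target and the INVALID ctstate rule) are constructed sample data, not the poster's real rules.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# One line of `iptables -L <chain> -v -n -x --line-numbers`:
#   num  pkts  bytes  target  prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
CHAIN_RE = re.compile(r"^Chain (\S+) ")

def parse_counters(listing: str) -> Dict[Tuple[str, int], Tuple[int, str]]:
    """Map (chain, rule number) -> (packets, rule text) from a listing."""
    counters, chain = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:
            num, pkts, _bytes, target, rest = m.groups()
            counters[(chain, int(num))] = (int(pkts), f"{target} {rest.strip()}")
    return counters

def rules_hit(before: str, after: str) -> List[Tuple[str, int, int, str]]:
    """Rules whose packet counter grew between the two listings: (chain, num, delta, text)."""
    old = parse_counters(before)
    hits = [(chain, num, pkts - old.get((chain, num), (0, ""))[0], text)
            for (chain, num), (pkts, text) in parse_counters(after).items()]
    return sorted(h for h in hits if h[2] > 0)

def snapshot(chain: str = "OUTPUT") -> str:
    """Live listing of one chain (needs root); take one before and one after a test query."""
    cmd = ["iptables", "-L", chain, "-v", "-n", "-x", "--line-numbers"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample (not from the thread): OUTPUT chain before/after one query to the VIP.
BEFORE = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1234      98765 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2       51077   31440021 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3           5        420 LOGDROPOUT all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate INVALID
4          88       6160 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
"""
AFTER = BEFORE.replace("3           5        420 LOGDROPOUT", "3           6        661 LOGDROPOUT")

if __name__ == "__main__":
    for chain, num, delta, text in rules_hit(BEFORE, AFTER):
        print(f"{chain} rule {num}: +{delta} pkt(s)  {text}")
```

Counters are cumulative, so take the two snapshots back to back while nothing else is talking to the VIP, or zero them first with `iptables -Z OUTPUT`.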
Who else has this problem and how did you solve it?
I once saw this and solved it by adding // in the following 2 lines of named.conf so it looked like this:
Code:
options {
//        listen-on port 53 { any; };
//        listen-on-v6 port 53 { any; };

Normally this is not required, but oddly enough, on one VPS the problems were gone after adding this.
Worth trying in any case.

What does intodns.com tell you? With csf enabled and with it disabled?

You can also pm me your correct domainname so I can do checks myself.