client error sending response: host unreachable

jjma (Verified User, joined Mar 29, 2004, Edinburgh, Scotland):
Getting these strange errors in named log file:

Nov 06 13:15:39.104 client: client 66.230.157.20#4677: error sending response: host unreachable

and other ip addresses.

If I turn off the firewall (apf) they disappear. I don't have egress settings turned on, I allow ICMP in and out, and port 53 is allowed.

Any help?

Jon
 
Yes and no. I'm not entirely sure I understand the error having 'googled' it but the nameserver works - checked dnsreport.com.

Watching firewall logs for clues...

Jon
 
A couple of lines pulled out of the firewall:

[root@ns1 root]# grep '58.69.254.4' /var/log/*

Nov 7 09:09:59 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=OURNAMESERVER DST=58.69.254.4 LEN=273 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=5 LEN=253

Nov 7 09:10:01 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=OURNAMESERVER DST=58.69.254.4 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=5 LEN=125

[root@ns1 root]# grep '193.41.16.26' /var/log/*

Nov 7 09:12:15 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=OUR NAMESERVER DST=193.41.16.26 LEN=280 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=36 LEN=260

The packet's destination port for the first query is destination port 5, which appears to be "Remote Job Entry".

The packet's destination port for the second query is destination port 36, which is unnamed.

A few threads elsewhere suggest adding the "query-source" option in named, i.e.

query-source address * port 53;

which would allow simpler firewall configuration?

Not sure whether this will break other things like transfers, etc.

Any thoughts?

Jon
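As an added illustration (not code from the thread or from APF/BIND), here is a small Python analyzer for the kind of `OUT_UDP DROP` lines pasted above. It separates answers the nameserver is sending back to clients from the server's own outbound lookups, counts which client ports the dropped answers were headed for, and prints the iptables rules that would let each kind through if placed ahead of the firewall's drop rule. The sample lines are constructed from the ones in the thread, with the redacted nameserver address replaced by the documentation address 192.0.2.53 and one extra outbound query and one sshd line added so the classifier has something to tell apart; the interface name and the rule placement are assumptions. The defender's reading it encodes: the blocked packets leave source port 53 for whatever port the client queried from (5 and 36 here), so no egress rule keyed on destination port 53 can ever pass them. Pinning `query-source ... port 53` only changes the server's own queries, and a fixed outbound query port removes unpredictability that a resolver relies on against forged answers, so permitting the reply traffic in the firewall is the better fix.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log: the three OUT_UDP DROP lines quoted in the thread (with the
# redacted nameserver address replaced by 192.0.2.53), plus one outbound query from a
# high source port and one unrelated sshd line to show they are told apart.
SAMPLE_LOG = """\
Nov 7 09:09:59 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.53 DST=58.69.254.4 LEN=273 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=5 LEN=253
Nov 7 09:10:01 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.53 DST=58.69.254.4 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=5 LEN=125
Nov 7 09:12:15 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.53 DST=193.41.16.26 LEN=280 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=36 LEN=260
Nov 7 09:12:20 ns1 kernel: ** OUT_UDP DROP ** IN= OUT=eth0 SRC=192.0.2.53 DST=198.51.100.9 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32911 DPT=53 LEN=50
Nov 7 09:12:21 ns1 sshd[123]: Accepted publickey for jon from 203.0.113.7 port 41122 ssh2
"""

# Netfilter key=value fields that matter for deciding what a dropped UDP packet was.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_drop(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a netfilter DROP line, or None for any other log line."""
    if "DROP" not in line or "PROTO=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields: Dict[str, str]) -> str:
    """Label a dropped packet by what the nameserver was doing when it sent it."""
    if fields.get("PROTO") != "UDP":
        return "other"
    sport, dport = int(fields["SPT"]), int(fields["DPT"])
    if sport == 53 and dport != 53:
        # An answer leaving our port 53 for the port the remote client queried from.
        # The client chooses that port, so a destination-port-53 rule never matches it.
        return "reply"
    if dport == 53:
        # One of our own lookups (recursion or a transfer request) going out.
        return "query"
    return "other"


def summarize(log_text: str) -> Dict[str, list]:
    """Bucket every dropped packet in the log by classify()."""
    buckets: Dict[str, list] = {"reply": [], "query": [], "other": []}
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if fields is not None:
            buckets[classify(fields)].append(fields)
    return buckets


def reply_ports(summary: Dict[str, list]) -> Counter:
    """Client ports the dropped answers were addressed to (shows whether only odd low ports are hit)."""
    return Counter(f["DPT"] for f in summary["reply"])


def suggested_rules(summary: Dict[str, list]) -> List[str]:
    """iptables rules, to insert ahead of the OUT_UDP drop rule, that would pass the dropped traffic."""
    rules: List[str] = []
    ifaces = sorted({f["OUT"] for f in summary["reply"] + summary["query"] if f.get("OUT")})
    for iface in ifaces:
        if summary["reply"]:
            # Stateful form: only answers to queries that actually arrived get out.
            rules.append(f"-A OUTPUT -o {iface} -p udp -m state --state ESTABLISHED -j ACCEPT")
            # Stateless fallback for kernels without connection tracking loaded.
            rules.append(f"-A OUTPUT -o {iface} -p udp --sport 53 -j ACCEPT")
        if summary["query"]:
            rules.append(f"-A OUTPUT -o {iface} -p udp --dport 53 -j ACCEPT")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for kind in ("reply", "query", "other"):
        print(f"{kind}: {len(summary[kind])} dropped")
    print("client ports of dropped replies:", dict(reply_ports(summary)))
    for rule in suggested_rules(summary):
        print(rule)
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; if nearly all drops land in the `reply` bucket, the egress rule is the problem and the nameserver itself is fine, which matches the dnsreport.com check above. The stateful rule is preferable to the `--sport 53` one because it only releases packets that answer an inbound query, rather than anything that happens to leave port 53.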
 
I don't know what firewall you're using. We use KISS and simply allow incoming and outgoing port 53 traffic, both UDP and TCP.

Jeff
 
I get a few of these crazy "error sending response: host unreachable".
I use KISS and it seems to only happen if I reboot the server.
KISS doesn't auto start, so it would be whatever the base rules are, if any,
though it does cause a bit of a puzzle and possible concern :confused:
I Googled too and didn't see much.
 
Why not put KISS into your rc.local file? It works similarly to how a DOS autoexec.bat file works.

There are no base rules by default. It depends on what was set up when the OS was installed. For example, CentOS asks you if you want the firewall turned on, and if so, it gives you a few default entries and lets you add others.

On CentOS and RedHat Enterprise, the list is stored in /etc/sysconfig/iptables.

Don't play with it unless you know what you're doing.

Jeff
 
I forgot to add that KISS, when it starts, will first erase whatever rules are in place, so as long as you're starting KISS the default rules you set up when you do the install will only last a few seconds.

Some firewalls take five or more minutes to start, so if you break them you can reboot your server and get in before they take over. Others have a configuration option which turns them off in a few minutes if the config option is set.

I don't use either of these for several reasons:

1) I test all firewall rules by trying to log in once I restart the firewall, before I close the ssh connection already open (generally works unless you're unfortunate enough to have accidentally set up a rule that doesn't allow existing handshakes to continue).

2) KISS, which I almost exclusively use, though occasionally with major modifications, is generally fairly safe unless you make modifications you don't understand.

3) I generally leave our eth1 network as trusted, and I've got a private network set up in our DC.

Jeff