Cisco 837 not passing UDP traffic properly (was: DNS query problem)

Tags: cisco, domain-name-system, networking, tcp, zyxel

We have a setup of ADSL line -> Cisco 837 ADSL router -> Zyxel ZyWall 35 firewall/NAT -> Switch -> LAN.

It has been fine for years, suddenly DNS resolution stopped working from the LAN to public DNS servers. No changes that I know of, so I can't revert anything.

Current behaviour:

  • DNS requests from the LAN using TCP show up in the outbound firewall log, in the Cisco debug log, in the dns-server-firewall, in tcpdump on the DNS server, the answer comes back, it works fine.
  • DNS requests from the LAN using UDP show up in the outbound firewall log, in the Cisco debug log, but do NOT show up in the dns-server-firewall, nor in tcpdump on the DNS server, and time out.
  • DNS requests from the Cisco using UDP show up in the dns-server-firewall and in tcpdump on the DNS server, answer received, works fine.
  • netcat connections to port 53 or a random port by TCP show up in the dns-server-firewall
  • netcat connections to port 53 or a random port by UDP do not show up in the dns-server-firewall

Summary: TCP seems fine throughout. UDP works from the Cisco over the ADSL, and it works from the LAN to the Cisco, but it doesn't seem to cross the Cisco 837 properly. Update: confirmed with netcat that any UDP traffic from the LAN is affected, not just traffic to port 53.

Update: If I change the firewall's external IP to any other IP in the subnet, this starts working. When I put it back, it stops working. I now suspect it's an ISP issue (does that sound plausible?), and am removing the Cisco config.

Best Answer

  • Is it just udp or is tcp also affected?
  • Are there any IPv4/IPv6 issues? (Sometimes routers get confused, though I've seen that only for really cheap ones.)

A way to test that would be (using Google DNS servers):

$ dig @8.8.8.8 example.com +noall +answer +notcp +ignore # udp only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig -4 example.com +noall +answer +notcp +ignore # udp only/ipv4 only
example.com.        50270   IN  A   192.0.43.10

$ dig -6 example.com +noall +answer +notcp +ignore # udp only/ipv6 only
example.com.        50270   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 29 ms

$ dig @8.8.8.8 example.com +noall +answer +tcp # tcp only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -4 example.com +noall +answer +tcp # tcp only/ipv4 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

$ dig -6 example.com +noall +answer +tcp # tcp only/ipv6 only
example.com.        50256   IN  A   192.0.43.10
;; Received 45 bytes from 8.8.8.8#53(8.8.8.8) in 30 ms

Also:

  • Do you have a tcpdump?
  • Maybe get some cheap VPS/EC2/Rackspace instance and open port 53 (netcat is your friend). Test with telnet that you can connect -- just to be sure that your packets are indeed going beyond your firewall.
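The UDP-versus-TCP comparison the answer describes, as an added example that is not part of the original post: it hand-builds one DNS A query, sends it over each transport (TCP with the 2-byte length prefix), and classifies the outcome so the "UDP dropped, TCP fine" symptom from the question is told apart from a resolver that is simply down. The resolver 8.8.8.8 and example.com are taken from the answer's dig commands; the verdict labels are my own.

```python
import random
import socket
import struct

def build_query(name, qid=None):
    """Build a minimal DNS A/IN query with RD set; returns (wire_bytes, id)."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1), qid  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Return (id, rcode, answer_count) from the 12-byte DNS response header."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return qid, flags & 0x0F, ancount

def probe(server, name, transport, timeout=3.0):
    """Send one query over 'udp' or 'tcp' to server:53; return a result dict."""
    query, qid = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        rid, rcode, ancount = parse_header(data)
        return {"transport": transport, "ok": rid == qid, "rcode": rcode, "answers": ancount}
    except (socket.timeout, OSError) as exc:  # timeout = the symptom seen on the LAN for UDP
        return {"transport": transport, "ok": False, "error": str(exc)}

def verdict(udp_ok, tcp_ok):
    """Classify the transport pattern; 'udp-dropped' matches the question's symptom."""
    return {(True, True): "both-ok", (False, True): "udp-dropped",
            (True, False): "tcp-dropped", (False, False): "both-failed"}[(udp_ok, tcp_ok)]

if __name__ == "__main__":
    r = {t: probe("8.8.8.8", "example.com", t) for t in ("udp", "tcp")}  # resolver from the answer
    print(r, verdict(r["udp"]["ok"], r["tcp"]["ok"]))
```

Run it from the LAN and then from a host on the Cisco side; a LAN result of "udp-dropped" with "both-ok" from the router localises the drop to the hop between them, as the netcat tests in the question did.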