topic Re: DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well. in General Topics

DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well.

Abdul_Razaq — Thu, 20 May 2021 06:27:39 GMT

Hi Community

I am seeing a strange behavior with DNS traffic. I tried to resolve some FQDns which work fine (those are public fqdns). But when I do the packet capture, I can see the same packets in transmit and drop stage. By comparing the tcp port and dns transaction id, i can see those packets sent only once by end machine and the same in both transmit and drop stage. Even i can see the DNS server is responding with the IP address and from end machine, the fqdn is resolved. I am trying to figure out why the packet in drop stage as it causes confition. Also this is not happening always, this is very random.

I even tried floe capture, in flow capture I cannot see the drop, in fact there is a gap in flow capture at the time of transmitting and drop time(which means i cannot see this transmit and drop in the flow capture).

Re: DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well.

reaper — Thu, 20 May 2021 07:26:13 GMT

packet-diag logging is not stateful (it does account for NAT), so for a flow basic you need to add filters that account for both flows, and also add a filter for 'stray' packets in case the packet is discarded because the firewall can't match it to a session

I usually filter like this:

1. privsrc-pubdest-destport

2. pubdest -pubsrc-srcport

3. pubdest-privsrc-srcport

did you check the global counters for drops ? (retry global counters with the above filters as well, in case a packet arrives 'out of window')

Re: DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well.

Abdul_Razaq — Thu, 20 May 2021 07:47:06 GMT

Hi @reaper ,

Packet diag is set accounting for the NAT as well. As mentioned, I can see the dropped NATed packet.

Strange thing is i can see the same packet in transmit stage to ISP ( compared dns id and source port and destination mac to confirm it is going to ISP). The public DNS is responding to the query successfully and the client is resolving the fqdn.. Just not sure why the packet in the drop stage when it actually indicates the packet went through.

I was able to see some counters like 'DNS packet drops while waiting' not sure if it is related ( as I have capture filter for fw_public ip to dns, it will include other clients requests as well)