Message-Id: <200210281605.g9SG5YjI053151@www.freebsd.org>
Date: Mon, 28 Oct 2002 08:05:34 -0800 (PST)
From: Bruce Patin <bpatin@padecs.riss.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftp behind VPN server fails host name lookup
X-Send-Pr-Version: www-1.0

>Number:         44570
>Category:       bin
>Synopsis:       ftp behind VPN server fails host name lookup
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 28 08:10:06 PST 2002
>Closed-Date:    Tue Jul 15 10:17:53 PDT 2003
>Last-Modified:  Tue Jul 15 10:17:53 PDT 2003
>Originator:     Bruce Patin
>Release:        4.2, 4.3, 4.7
>Organization:
PADECS/MAGLOCLEN
>Environment:
FreeBSD padecstst.padecs.net 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Oct  9 15:08:34 GMT 2002     root@builder.freebsdmall.com:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
ftp to ftp.perl.org gets back the message "No address associated with hostname".  There is no problem connecting to at least one other private ftp site on the Internet.  There is no problem with nslookup to ftp.perl.org. ftp to ftp.perl.org works for linux and windows ftp installed on the affected machine at the same IP address.  If my machine needs to have a reverse lookup, that will not be possible, due to the VPN.
>How-To-Repeat:
Put yourself behind a NAT firewall and/or a SmartGate VPN server with IP address 10.12.55.4 and try to ftp to ftp.perl.org.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Sat Jul 12 23:46:45 PDT 2003 
State-Changed-Why:  
Can you please obtain a tcpdump trace showing the TCP traffic 
made by the ftp client (particularly the DNS requests)? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44570 

From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: [bpatin@padecs.riss.net: Re: bin/44570: ftp behind VPN server fails host name lookup]
Date: Mon, 14 Jul 2003 14:32:49 -0700

 Adding to audit trail
 
 ----- Forwarded message from Bruce Patin <bpatin@padecs.riss.net> -----
 
 From: "Bruce Patin" <bpatin@padecs.riss.net>
 To: "Kris Kennaway" <kris@freebsd.org>
 Subject: Re: bin/44570: ftp behind VPN server fails host name lookup
 Date: Mon, 14 Jul 2003 13:47:26 -0400
 
 Attached is the console output of the tcpdump.
 BTW I am no longer behind a NAT, just a firewall.
 If you want a more detailed or binary dump, let me know.
 
 ----- Original Message ----- 
 From: "Kris Kennaway" <kris@FreeBSD.org>
 To: <bpatin@padecs.riss.net>; <kris@FreeBSD.org>; <freebsd-bugs@FreeBSD.org>
 Sent: Sunday, July 13, 2003 2:47 AM
 Subject: Re: bin/44570: ftp behind VPN server fails host name lookup
 
 
 Synopsis: ftp behind VPN server fails host name lookup
 
 State-Changed-From-To: open->feedback
 State-Changed-By: kris
 State-Changed-When: Sat Jul 12 23:46:45 PDT 2003
 State-Changed-Why: 
 Can you please obtain a tcpdump trace showing the TCP traffic
 made by the ftp client (particularly the DNS requests)?
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=44570
 
 
 
 ----- End forwarded message -----
 
 
 13:04:32.454520 padecstst.padecs.net.3718 > magloclenwall-in.riss.net.domain:  35652+ AAAA? ftp.perl.org. (30)
 13:04:32.497985 padecstst.padecs.net.3719 > magloclenwall-in.riss.net.domain:  62155+ PTR? 1.5.12.10.in-addr.arpa. (40)
 13:04:32.498249 magloclenwall-in.riss.net.domain > padecstst.padecs.net.3719:  62155 1/1/1 PTR[|domain] (DF)
 13:04:32.710686 magloclenwall-in.riss.net.domain > padecstst.padecs.net.3718:  35652 NXDomain 1/0/0 CNAME[|domain] (DF)
 13:04:32.710832 padecstst.padecs.net.3720 > magloclenwall-in.riss.net.domain:  35653+ A? ftp.perl.org. (30)
 13:04:32.711044 magloclenwall-in.riss.net.domain > padecstst.padecs.net.3720:  35653 NXDomain 1/0/0 CNAME[|domain] (DF)
 13:04:32.711124 padecstst.padecs.net.3721 > magloclenwall-in.riss.net.domain:  35654+ AAAA? ftp.perl.org.padecs.net. (41)
 13:04:32.711335 magloclenwall-in.riss.net.domain > padecstst.padecs.net.3721:  35654 NXDomain 0/1/0 (117) (DF)
 13:04:32.711389 padecstst.padecs.net.3722 > magloclenwall-in.riss.net.domain:  35655+ A? ftp.perl.org.padecs.net. (41)
 13:04:32.711588 magloclenwall-in.riss.net.domain > padecstst.padecs.net.3722:  35655 NXDomain 0/1/0 (117) (DF)
 
State-Changed-From-To: feedback->closed 
State-Changed-By: dwmalone 
State-Changed-When: Tue Jul 15 10:12:45 PDT 2003 
State-Changed-Why:  
This seems to be a bug in the name servers at the other end. 

ftp.perl.org is an alias for ftp.cpan.ddns.develooper.com. The DNS 
servers for that domain seem to be 142.132.1.82, 193.111.120.45 and 
64.70.54.97. 

The first of these doesn't respond. The other two claim that the 
domain ftp.cpan.ddns.develooper.com doesn't exist if you ask them 
for a AAAA record, but claim it does exist if you ask them for an A 
record. Your local name server is caching the "doesn't exist" 
response from the AAAA record. 

You need to ask the people who run these name servers to fix them 
so they return 0 records when asked for a AAAA record, rather than 
"no such domain". (See the dig commands below for the wrong and 
right responses...) 

David. 

% dig AAAA ftp.cpan.ddns.develooper.com @193.111.120.45 | fgrep status 
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24551 
% dig A ftp.cpan.ddns.develooper.com @193.111.120.45 | fgrep status 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61084 
% dig AAAA ftp.cpan.ddns.develooper.com @64.70.54.97 | fgrep status 
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62794 
% dig A ftp.cpan.ddns.develooper.com @64.70.54.97 | fgrep status 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58525 

% dig AAAA freefall.freebsd.org @216.136.204.126 | fgrep status 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54053 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44570 
>Unformatted:
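
Added example (not part of the original PR or of FreeBSD): the A-versus-AAAA comparison done by hand with dig in the closing note, wrapped in shell functions so it can be run against each name server of a zone. The function names and the +norecurse/+time/+tries options are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the PR: compare the RCODE a name server gives for
# A and AAAA queries on the same name. A server with no AAAA data should
# answer NOERROR with zero answers, not NXDOMAIN.

# rcode_of TYPE NAME SERVER: print the status field of dig's header line.
# Prints nothing when the server does not answer.
rcode_of() {
    dig +norecurse +time=3 +tries=1 "$1" "$2" "@$3" 2>/dev/null |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_server NAME SERVER: 0 = consistent, 1 = NXDOMAIN for only one of
# the two types (the fault in this PR), 2 = no response.
check_server() {
    cs_a=$(rcode_of A "$1" "$2")
    cs_aaaa=$(rcode_of AAAA "$1" "$2")
    if [ -z "$cs_a" ] || [ -z "$cs_aaaa" ]; then
        echo "$2: no response"
        return 2
    fi
    if [ "$cs_a" != "$cs_aaaa" ] &&
       { [ "$cs_a" = NXDOMAIN ] || [ "$cs_aaaa" = NXDOMAIN ]; }; then
        echo "$2: INCONSISTENT A=$cs_a AAAA=$cs_aaaa"
        return 1
    fi
    echo "$2: ok A=$cs_a AAAA=$cs_aaaa"
    return 0
}

# check_zone NAME SERVER...: check every listed server; the return value is
# the number of servers that gave inconsistent answers.
check_zone() {
    cz_name=$1; shift
    cz_bad=0
    for cz_srv in "$@"; do
        check_server "$cz_name" "$cz_srv" || [ $? -ne 1 ] || cz_bad=$((cz_bad + 1))
    done
    return "$cz_bad"
}
```

Typical use is check_zone followed by the name and the addresses of its authoritative servers; a non-zero return means at least one server answers NXDOMAIN for only one of the two record types.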
