reverse-dns. telnet works, ftp does not

Post by Dave Marot » Sun, 06 Jan 2002 06:21:11



Hello,

I've been fighting with my machine for about a year now =)  If I telnet to it,
it gets right in.  If I ftp to the machine, it sits for a little while before
letting me in (reverse-dnsing, then sometimes timing out).

The box serves as a firewall, and a DNS.  Why would telnet work, but ftp fail
(the reverse-lookup part)?

Could it be something to do with my firewall? (iptables)  If so, what should I
be looking for.  I have 53 open for DNS queries, and the telnet and ftp ports
as well.

--
+-----------------------------+----------------------------------------------+
| Dave Marotti                | Looking for a Visio alternative for *nix?    |
| lndshark ! speakeasy net    | Kivio : http://thekompany.com/projects/kivio |
+-----------------------------+----------------------------------------------+
| I just don't trust anything | I suppose that in a few more hours I will    |
| that bleeds for 5 days and  | sober up. That's such a sad thought. I think |
| doesn't die. - Mr. Garrison | I'll have a few more drinks to prepare myself|
+-----------------------------+----------------------------------------------+


reverse-dns. telnet works, ftp does not

Post by $uRoo » Sun, 06 Jan 2002 10:05:26



Quote:> Hello,

> I've been fighting with my machine for about a year now =)  If I telnet to it,
> it gets right in.  If I ftp to the machine, it sits for a little while before
> letting me in (reverse-dnsing, then sometimes timing out).

> The box serves as a firewall, and a DNS.  Why would telnet work, but ftp fail
> (the reverse-lookup part)?

> Could it be something to do with my firewall? (iptables)  If so, what should I
> be looking for.  I have 53 open for DNS queries, and the telnet and ftp ports
> as well.

Make sure you have valid entries in /etc/hosts for the machines you're
trying to connect from.  That should do it.


reverse-dns. telnet works, ftp does not

Post by Dean Thompso » Tue, 08 Jan 2002 09:22:32


Hi!,

Quote:> I've been fighting with my machine for about a year now =)  If I telnet to
> it, it gets right in.  If I ftp to the machine, it sits for a little while
> before letting me in (reverse-dnsing, then sometimes timing out).

> The box serves as a firewall, and a DNS.  Why would telnet work, but ftp
> fail (the reverse-lookup part)?

The first question would be whether or not a reverse-DNS entry exists for your
machine.  By the sounds of it, it doesn't.  I would also suspect that you have
an entry in your /etc/hosts file which telnet uses and hence this is why you
can log into your system, but FTP doesn't use the /etc/hosts file to perform
its reverse lookup.  It instead goes to the DNS server and tries to find out
the information from there.

There are three options open to you:
  * Install a small DNS internally, which will resolve the reverse lookup
  * Recompile the FTP daemon with NODNS support.  It can be done by changing
     a line in the code
  * For xinetd users, it has been reported that sometimes you can get around
     the problem by removing the HOSTID and/or USERID entries out of the
     logging process.  Personally, I don't think this will change too much,
     because it is the FTP daemon which does the work, but you can always
     give it a shot and see what happens
  * Get another FTP server which doesn't perform reverse DNS or allows it to
     check the /etc/hosts file first

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


reverse-dns. telnet works, ftp does not

Post by Dave Marot » Wed, 09 Jan 2002 08:53:21


Hey Dean,

Well, I do run a DNS, and the reverse lookup on my machines that I manage works
properly.

HOWEVER, I do believe this is a firewall issue and I'm not quite sure how to
start resolving it.  I took down the firewall and set the default policy to
ACCEPT for all iptables chains.  Then I tried to ftp, and it was INSTANT.  If
I put it back up, it takes around 45-60 seconds.

Do you have any idea what ports I should start messing with?  I currently have
rules to allow port 53 (dns as far as I know) connections.

I'm not sure if this is helpful at all, but here are the relevant iptables
commands:

    EXTERNAL_INTERFACE is the interface which leads to the internet
    ANYWHERE is any/0
    IPADDR is the IP address of my server
    UNPRIVPORTS is 1024:65535

    # DNS Queries Between Servers
    # ---------------------------
    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
             -s $ANYWHERE --sport $UNPRIVPORTS \
             -d $IPADDR --dport 53 -j ACCEPT

    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR --sport 53 \
             -d $ANYWHERE --dport $UNPRIVPORTS -j ACCEPT

    # DNS Queries Between Servers with Long Replies
    # ---------------------------------------------
    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  \
             -s $ANYWHERE --sport $UNPRIVPORTS \
             -d $IPADDR --dport 53 -j ACCEPT

    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR --sport 53 \
             -d $ANYWHERE --dport $UNPRIVPORTS -j ACCEPT

    # DNS Client Queries
    # ------------------
    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
             -s $ANYWHERE --sport $UNPRIVPORTS \
             -d $IPADDR --dport 53 -j ACCEPT

    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR --sport 53 \
             -d $ANYWHERE --dport $UNPRIVPORTS -j ACCEPT

    # DNS Client Queries with long Replies
    # ------------------------------------
    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  \
             -s $ANYWHERE --sport $UNPRIVPORTS \
             -d $IPADDR --dport 53 -j ACCEPT

    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR --sport 53 \
             -d $ANYWHERE --dport $UNPRIVPORTS -j ACCEPT

    # DNS client (53)
    # ---------------
    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $ANYWHERE --dport 53 -j ACCEPT

    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
             -s $ANYWHERE --sport 53 \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

    $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR --sport $UNPRIVPORTS \
             -d $ANYWHERE --dport 53 -j ACCEPT

    $IPTABLES -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  ! --syn \
             -s $ANYWHERE --sport 53 \
             -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

Thanks a lot for your time.  I'm kind of dead in the water on this issue.

-dave


reverse-dns. telnet works, ftp does not

Post by Dean Thompso » Thu, 10 Jan 2002 22:55:48


Hi!,

Quote:> Well, I do run a DNS, and the reverse lookup on my machines that I manage
> works properly.

> HOWEVER, I do believe this is a firewall issue and I'm not quite sure how
> to start resolving it.  I took down the firewall and set the default policy
> to ACCEPT for all iptable's chains.  Then I tried to ftp, and it was
> INSTANT.  If I put it back up, it takes around 45-60 seconds.

> Do you have any idea what ports I should start messing with?  I currently
> have rules to allow port 53 (dns as far as I know) connections.

The best thing I can suggest is put a "LOG" on all the packets that you reject
and see what you can find out.  It would seem to me that there is a packet
somewhere which should probably be allowed out which isn't getting there and
hence is being rejected or denied.

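As an added example (not code from the thread), the log-sifting step Dean suggests: a small Python script that parses iptables LOG lines and groups the dropped packets by direction, protocol, peer and destination port, so a flow that keeps being retried while a daemon waits stands out. The LOG rule prefixes and the sample kernel-log lines are constructed for this example; the addresses and ports in them are illustrative and not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output (not from the thread). It assumes
# rules of the form  iptables -A INPUT -j LOG --log-prefix "IPT-IN-DROP: "
# and  iptables -A OUTPUT -j LOG --log-prefix "IPT-OUT-DROP: "  placed right
# before each chain's final DROP/REJECT, so every dropped packet is logged.
SAMPLE_LOG = """\
Jan 10 22:55:48 fw kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4021 DF PROTO=TCP SPT=1032 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 22:55:51 fw kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4022 DF PROTO=TCP SPT=1032 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 22:55:57 fw kernel: IPT-OUT-DROP: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4023 DF PROTO=TCP SPT=1032 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 22:56:02 fw kernel: IPT-IN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=9 DF PROTO=TCP SPT=3344 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 22:56:09 fw kernel: IPT-IN-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=7712 PROTO=UDP SPT=1026 DPT=137 LEN=58
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line plus its log
    prefix, or None for any other kernel message. Flag words such as DF and
    SYN carry no '=' and are deliberately skipped."""
    m = re.search(r"kernel: (?P<prefix>[^:]*): (?P<rest>IN=.*)$", line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["PREFIX"] = m.group("prefix")
    return fields


def summarize_drops(text):
    """Count dropped flows keyed by (direction, protocol, peer, dport).
    OUT= is set only for packets leaving the box, so it gives the direction;
    the peer is DST for outbound packets and SRC for inbound ones."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        direction = "out" if f.get("OUT") else "in"
        peer = f["DST"] if direction == "out" else f["SRC"]
        counts[(direction, f["PROTO"], peer, f.get("DPT", "-"))] += 1
    return counts


def top_drops(text, n=3):
    """Most-repeated dropped flows first: a SYN retried every few seconds to
    the same peer and port is what a blocked daemon waiting on a timeout
    looks like in the log."""
    return summarize_drops(text).most_common(n)


if __name__ == "__main__":
    for (direction, proto, peer, dport), n in top_drops(SAMPLE_LOG):
        print(f"{n:3d}x {direction:3s} {proto:4s} peer={peer:15s} dport={dport}")
```

Reproduce the delay (one ftp login), then run this over /var/log/messages or the kernel log for that minute; the flow at the top of the list is the one to look at in the firewall script.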

reverse-dns. telnet works, ftp does not

Post by Dave Marot » Fri, 11 Jan 2002 04:30:16


Hrmmm... I'll see if I can figure it out.  I need to redo my firewall script
anyway.  Thx for the advice.

-dave

Quote:>The best thing I can suggest is put a "LOG" on all the packets that you reject
>and see what you can find out.  It would seem to me that there is a packet
>somewhere which should probably be allowed out which isn't getting there and
>hence is being rejected or denied.


Delay on initial access server ftp, http and telnet, etc - NOT usual reverse dns problem

I'm going to be a bit wordy here, because this is truly weird.

My understanding is that if there is no reverse DNS lookup for
something, and reverse dns lookups are on for a server in general,
there's a big delay while things time out.

If that's the case (there's no DNS entry for the client, as might be
the case on a LAN) then you whack the client into the hosts file, and
make sure that the search order is "hosts, then dns" so that it's
found there and things proceed apace, thusly, without DNS ever being
consulted:

XXX.XXX.XXX.XXX    domain.sfx yadda

I've got a situation where I've got a host elsewhere on our ISP's DSL
network, not on our LAN (it was on our LAN, but it's been moved...
worked great on our LAN with nothing but the appropriate hosts
entries). In the server machine's /etc/hosts file, is our WAN IP, in
the form shown above. Likewise, on my machine, I've got that server's
IP and domain name in my local hosts file (win98). I can see the
lookup of the remote server happen instantly - explorer reports it is
attempting to connect to the right IP, there's no delay. The delay
appears to be at the other end.

The search order on the remote server machine is hosts, then dns.

Yet, when I try to get to it, there is a huge delay initially, such
that telnet and ftp will time out, but a couple of attempts with http
to the root domain will, eventually, get the web index page. Once
that's done, telnet and ftp run fine, as does http. fast connections,
no timeouts. If you leave them alone for a while, no activity on any
service, the delay returns, as if there's something being cached
somewhere on the server that lets the incoming machine (me) access
stuff, then being expired. As far as I know, there's no local DNS
running on the machine - it uses our ISP's dns. There is a hardware
firewall in a router between the remote server and the WAN, but it is
set to pass all the appropriate ports, and it knows about the ISP's
DNS as well.

Now, I should add that I'm hitting this machine from a win98 system,
but as I understand it, it all works the same (it certainly seemed to
work fine when we had the machine on our LAN!)

Also, the machine I'm on does have a "real" dns entry out on the WAN,
maintained by our ISP - I only put us in the hosts file on the remote
server because the delay was driving me up a wall, and I thought the
DNS lookup was just slow - that wasn't it, though, because it's STILL
piggy as heck.

Running Red Hat 6 for the server.

Anyone? Any ideas? I'm getting a headache... :(

Walt
Software Engineer
Black Belt Systems
http://www.blackbeltsystems.com/
