[NCLUG] IP Masqing on the New and Improved AT&T

Neil Doane caine at vasoftware.com
Tue Dec 11 12:58:03 MST 2001


* Eric Brunson (brunson at level3.net) on [12-11-01 11:35] did utter:
> 
> You've piqued my curiosity.  Do you think you can show us contrasting
> dig outputs for the same lookup from the firewall and a masq'ed
> machine.

Here's from the firewall:
-start-------------------------------------------------------------------
caine at caine:~$ dig slashdot.org

; <<>> DiG 8.3 <<>> slashdot.org 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;	slashdot.org, type = A, class = IN

;; ANSWER SECTION:
slashdot.org.		21h10m8s IN A	64.28.67.150

;; AUTHORITY SECTION:
slashdot.org.		21h10m8s IN NS	ns2.andover.net.
slashdot.org.		21h10m8s IN NS	ns3.andover.net.
slashdot.org.		21h10m8s IN NS	ns1.andover.net.

;; ADDITIONAL SECTION:
ns2.andover.net.	1d21h10m3s IN A  209.192.217.105
ns3.andover.net.	21h10m8s IN A	64.28.67.58
ns1.andover.net.	1d21h10m3s IN A  64.28.67.55

;; Total query time: 1 msec
;; FROM: caine to SERVER: default -- 127.0.0.1
;; WHEN: Tue Dec 11 12:59:01 2001
;; MSG SIZE  sent: 30  rcvd: 159
-end-------------------------------------------------------------------


Here's from a workstation:
-start-----------------------------------------------------------------
caine at zorkfoo:~$ dig slashdot.org

; <<>> DiG 9.1.3 <<>> slashdot.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62830
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;slashdot.org.			IN	A

;; ANSWER SECTION:
slashdot.org.		120	IN	A	216.148.227.211

;; AUTHORITY SECTION:
.			120	IN	NS	localhost.

;; ADDITIONAL SECTION:
localhost.		120	IN	A	127.0.0.1

;; Query time: 37 msec
;; SERVER: 24.5.66.15#53(24.5.66.15)
;; WHEN: Tue Dec 11 13:46:44 2001
;; MSG SIZE  rcvd: 84
-end-------------------------------------------------------------------


> A snoop/tcpdump of a query-response would be interesting,
> also. 

I really don't know specifically how to use these tools correctly to
get you this information.  If you'd care to elaborate, I'd be happy to
oblige...I'd love to figure out either a. what I'm doing wrong or b.
how they are doing this. :)




Neil



> Of course I'm on vacation and have time to burn, if you don't have the
> free time to hunt up this garbage, you seem to have a satisfactory work
> around.  This would be a purely academic exercise.  Plus, you don't
> know when att's bizarre setup is going to randomly start working.  I
> hate that.
> 
> Academical-ly yours,
> e.
> 
> * Neil Doane (caine at vasoftware.com) [011211 13:19]:
> > * Eric Brunson (brunson at level3.net) on [12-11-01 09:03] did utter:
> > > I'm sorry I don't have a solution for your problems and I certainly
> > > don't deny that you are seeing this behavior, but from my (possibly
> > > incorrect) understanding of how NATting works, I can't agree with your
> > > proposed explanation for it.
> > 
> > Understandable.  I don't much agree with it either, but I'm at a loss to
> > explain how their DNS servers can tell that the request is coming from a
> > masq-ed workstation behind my firewall and not from the box connected to the
> > modem.  My ipchains rules are pretty simple...
> > 
> > 	/sbin/ipchains -M -S 7200 10 160
> > 	/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> > 	/sbin/ipchains -P forward DENY
> > 	/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ
> > 
> > I just checked again and it's still doing it...hrm.
> > 
> > 
> > 
> > Neil
> > 
> > 
> 
> 
> -- 
>  Eric Brunson   brunson at level3.net   page-eric at level3.net  
> tcA thgirypoC muinelliM latigiD eht detaloiv tsuj evah uoY

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                  
       . /._ o /    
      /|//- / /                                           caine at vasoftware.com	
     / ''- / /__                                        caine at antediluvian.org
    '                                      
~~ http://angryflower.com/bobsqu.gif ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
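As an added example, not part of the original post or of anything Neil ran: a small Python script that parses the two dig transcripts quoted above (both the DiG 8 layout, with its ";; FROM: ... SERVER: default -- ip" line, and the DiG 9 layout with ";; SERVER: ip#53(ip)") and reports the differences a reader would check first: which server each host actually queried, which flags came back, and whether the authority section carries the markers of an answer the responding server produced itself (the aa flag, and "." NS "localhost."). The sample inputs are the two transcripts above, trimmed to the lines the parser reads; the names parse_dig, findings and compare are mine.

```python
"""Compare two dig transcripts (DiG 8 or DiG 9 layout) and report where
they diverge: which server answered, its flags, and whether the
authority section looks like a zone the responder made up locally."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two transcripts quoted in the post,
# trimmed to the lines the parser reads (whitespace is not significant).
FIREWALL_DIG = """\
; <<>> DiG 8.3 <<>> slashdot.org
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; ANSWER SECTION:
slashdot.org.           21h10m8s IN A   64.28.67.150
;; AUTHORITY SECTION:
slashdot.org.           21h10m8s IN NS  ns2.andover.net.
slashdot.org.           21h10m8s IN NS  ns3.andover.net.
slashdot.org.           21h10m8s IN NS  ns1.andover.net.
;; ADDITIONAL SECTION:
ns2.andover.net.        1d21h10m3s IN A  209.192.217.105
;; FROM: caine to SERVER: default -- 127.0.0.1
"""
WORKSTATION_DIG = """\
; <<>> DiG 9.1.3 <<>> slashdot.org
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;slashdot.org.                  IN      A
;; ANSWER SECTION:
slashdot.org.           120     IN      A       216.148.227.211
;; AUTHORITY SECTION:
.                       120     IN      NS      localhost.
;; ADDITIONAL SECTION:
localhost.              120     IN      A       127.0.0.1
;; SERVER: 24.5.66.15#53(24.5.66.15)
"""

# dig section header -> DigResult attribute; QUERY/QUESTION map to None
SECTIONS = {"ANSWER": "answer", "AUTHORITY": "authority", "ADDITIONAL": "additional"}


@dataclass
class DigResult:
    server: str = ""
    flags: set = field(default_factory=set)
    answer: list = field(default_factory=list)      # (name, type, rdata)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def parse_dig(text):
    """Pull the server, the flags and the three record sections out of dig output."""
    res, section = DigResult(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(";"):                    # comment / header line
            if m := re.match(r";; flags:\s*([^;]*);", line):
                res.flags = set(m.group(1).split())
            elif m := re.search(r"SERVER:\s+(?:default -- )?([\d.]+)", line):
                res.server = m.group(1)             # works for both dig layouts
            elif m := re.match(r";; (\w+) SECTION:", line):
                section = SECTIONS.get(m.group(1))
            continue
        fields = line.split()                       # name ttl class type rdata
        if section and len(fields) >= 5:
            getattr(res, section).append((fields[0], fields[3], " ".join(fields[4:])))
    return res


def findings(res):
    """Markers of an answer produced by the responder itself rather than
    obtained by recursing to the name's real servers."""
    out = []
    if "aa" in res.flags:
        out.append("aa set: responder claims to be authoritative for the name")
    for name, rtype, rdata in res.authority:
        if rtype == "NS" and name == "." and rdata.rstrip(".") == "localhost":
            out.append("authority section says the root zone is served by localhost")
    return out


def compare(text_a, text_b):
    """Parse both transcripts and return the differences that matter."""
    a, b = parse_dig(text_a), parse_dig(text_b)

    def addrs(r):
        return sorted(rd for _, t, rd in r.answer if t == "A")

    return {
        "servers": (a.server, b.server),
        "same_server": a.server == b.server,
        "addresses": (addrs(a), addrs(b)),
        "same_answer": addrs(a) == addrs(b),
        "findings": (findings(a), findings(b)),
    }


if __name__ == "__main__":
    for key, val in compare(FIREWALL_DIG, WORKSTATION_DIG).items():
        print(f"{key}: {val}")
```

Run as-is it prints the report for the two transcripts; to use it on fresh data, paste new dig output into the two strings. On the transcripts above the firewall's lookup went to 127.0.0.1 and the workstation's to 24.5.66.15, so the two hosts are not asking the same resolver, which is the first thing to rule out before looking for anything NAT-related. For Eric's second request, running tcpdump -n -i eth0 udp port 53 on the firewall while the workstation repeats the dig captures the query and its reply as they cross the outside interface.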
