DNS Query answer with ICMP Code 3 - Type
Hi Gurus,
I have a very strange issue with our DNS server (Windows AD). Most of the DNS requests work well, but from time to time I have the following (in Wireshark): "ICMP Destination unreachable - Port unreachable".
The request goes from a user workstation to a server through both a router and a firewall (which might be responsible for those issues).
Below is the trace I can see from my own workstation:
[1262] @30.722130: DNS query (type A) for ssl-google-analytics.l.google.com from 172.16.23.28 (Workstation Windows 10) to 172.16.37.30 (M$ AD 2016)
[1264] @30.723597: DNS response for ssl-google-analytics.l.google.com from 172.16.37.30 to 172.16.23.28
[1265] @30.723610: ICMP Destination unreachable (Port unreachable) from 172.16.23.28 to 172.16.37.30
The ICMP packet contains the following information:
Frame 1265: 149 bytes on wire (1192 bits), 149 bytes captured (1192 bits) on interface 0
Interface id: 0 (\Device\NPF_{8D19E716-28D7-489E-9AFF-F96C2D1FD70F})
Interface name: \Device\NPF_{8D19E716-28D7-489E-9AFF-F96C2D1FD70F}
Encapsulation type: Ethernet (1)
Arrival Time: Oct 10, 2019 14:58:33.236365000 W. Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1570712313.236365000 seconds
[Time delta from previous captured frame: 0.000013000 seconds]
[Time delta from previous displayed frame: 0.000013000 seconds]
[Time since reference or first frame: 30.723610000 seconds]
Frame Number: 1265
Frame Length: 149 bytes (1192 bits)
Capture Length: 149 bytes (1192 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:ip:udp:dns]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: Dell_44:df:33 (d8:9e:f3:44:df:33), Dst: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
Destination: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
Address: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Dell_44:df:33 (d8:9e:f3:44:df:33)
Address: Dell_44:df:33 (d8:9e:f3:44:df:33)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.23.28, Dst: 172.16.37.31
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 135
Identification: 0x0916 (2326)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: ICMP (1)
Header checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source: 172.16.23.28
Destination: 172.16.37.31
Internet Control Message Protocol
Type: 3 (Destination unreachable ...
172.16.23.28 - workstation
172.16.37.30 - DNS server
Destination: 172.16.37.31
What is 172.16.37.31?
What is the HSRP config?
Hi bubbasnmp,
172.16.37.31 is the secondary AD/DNS Server. HSRP configuration is:
interface Vlan123
 description USER
Thanks,
JC
@ all
Answers are for actual answers. Comments are for questions or observations.
Thanks Graham. Still learning.
The ICMP unreachable is sent from the client in response to the DNS response. Is it possible that the response came from a different router than the request was sent to? A capture containing the 3 packets in question would be really useful. You can post it to a public file share, e.g. Google Drive, DropBox etc. and post a link to it back here.
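To check where a rejected DNS response really came from, as the answer above asks, the datagram quoted inside the ICMP port-unreachable message can be compared with the server each query was sent to. The following is an added example, not part of the original thread; the function names, the labels and the client source port 50000 are assumptions, and the sample packets are constructed from the addresses in the question.

```python
import socket
import struct

def build_port_unreachable(orig_src, orig_dst, sport, dport):
    """Constructed sample: ICMP type 3 / code 3 quoting an IPv4+UDP header (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 128, 17, 0,
                     socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # type, code, checksum, unused

def parse_quoted_datagram(icmp):
    """Return (src_ip, src_port, dst_ip, dst_port) of the datagram the ICMP error rejects."""
    if len(icmp) < 8 or (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not an ICMP port-unreachable message")
    quoted = icmp[8:]                      # quoted IPv4 header + first 8 bytes of UDP
    if len(quoted) < 20:
        raise ValueError("quoted IPv4 header is truncated")
    ihl = (quoted[0] & 0x0F) * 4           # quoted header length, options included
    if quoted[9] != 17 or len(quoted) < ihl + 4:
        raise ValueError("quoted datagram is not UDP or is truncated")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return (socket.inet_ntoa(quoted[12:16]), sport,
            socket.inet_ntoa(quoted[16:20]), dport)

def classify(icmp, queries):
    """queries maps a client source port to the server IP that query was sent to."""
    src, sport, _dst, dport = parse_quoted_datagram(icmp)
    if sport != 53:
        return "not-dns"
    expected = queries.get(dport)
    if expected is None:
        return "no-matching-query"         # no query seen from that client port
    if expected != src:
        return "source-mismatch"           # response came from another address
    return "source-matches"                # right server, client port no longer open

if __name__ == "__main__":
    # Constructed scenario: query sent to .30, rejected response quoted as coming from .31.
    outstanding = {50000: "172.16.37.30"}
    pkt = build_port_unreachable("172.16.37.31", "172.16.23.28", 53, 50000)
    print(parse_quoted_datagram(pkt), classify(pkt, outstanding))
```

In a real capture the `icmp` bytes are the ICMP layer of the error frame, and the query table is built from the DNS queries seen earlier in the same trace.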