DNS Delay, ICMP message sent from query sender.
An image of the issue:
- 10.1.60.27 = client sending query for google.co.uk
- 10.1.10.1 = DNS Forwarder, forwards to 192.168.0.1
- 192.168.0.1 = DNS server
I am testing delay in my lab. My DNS forwarding server is timing out as expected. My question is about the ICMP messages. The ICMP response is from my forwarding server 10.1.10.1, towards a recursive DNS server at 192.168.0.1
Am I correct in thinking for example, packet 40 is a correct response but because my server has waited too long, it responds in packet 41 with port unreachable, this response is because the forwarder at 10.1 does not have services open on the dst port (45293 in this case) The server sees packet 40 as a request for port 45293 instead of a response to the query in packet 28, due to the response taking too long.
I would aggree to your conclusion. I guess 10.1.10.1 is closing his outgoing port as soon as he starts a new query to 192.168.0.1 for the same record (first query in 22, waits 1200ms for an answer, closes port, starts new query in 24 with new outgoing port, ...).
If you're going to look at issues with ports it helps to add columns for src port and dst port.
Check the RFC here for ICMP message formats.
Looking at frames 30 and 31, the lengths are 99 and 127. 127 - 99 = 28.
Frame 40 and 41, lengths 88 and 116. 116 - 88 = 28.
28 is 20 bytes for the IP header and 64 bits (8 bytes) of the packet that caused the issue.
In those 8 bytes are the port numbers. Compare to the src port on the original request.