Hi Gurus,
I have a very strange issue with our DNS server (Windows AD).
Most of the DNS requests work well, but from time to time I have the following (in Wireshark): "ICMP Destination unreachable - Port unreachable".
The request goes from a user workstation to a server through both a router and a firewall (which might be responsible for those issues).
Below is the trace I can see from my own workstation:
[1262] @30.722130: DNS query (type A) for ssl-google-analytics.l.google.com from 172.16.23.28 (Workstation Windows 10) to 172.16.37.30 (M$ AD 2016)
[1264] @30.723597: DNS response for ssl-google-analytics.l.google.com from 172.16.37.30 to 172.16.23.28
[1265] @30.723610: ICMP Destination unreachable (Port unreachable) from 172.16.23.28 to 172.16.37.30
The ICMP packet contains the following information:
Frame 1265: 149 bytes on wire (1192 bits), 149 bytes captured (1192 bits) on interface 0
Interface id: 0 (\Device\NPF_{8D19E716-28D7-489E-9AFF-F96C2D1FD70F})
Interface name: \Device\NPF_{8D19E716-28D7-489E-9AFF-F96C2D1FD70F}
Encapsulation type: Ethernet (1)
Arrival Time: Oct 10, 2019 14:58:33.236365000 W. Europe Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1570712313.236365000 seconds
[Time delta from previous captured frame: 0.000013000 seconds]
[Time delta from previous displayed frame: 0.000013000 seconds]
[Time since reference or first frame: 30.723610000 seconds]
Frame Number: 1265
Frame Length: 149 bytes (1192 bits)
Capture Length: 149 bytes (1192 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:ip:udp:dns]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: Dell_44:df:33 (d8:9e:f3:44:df:33), Dst: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
Destination: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
Address: All-HSRP-routers_7b (00:00:0c:07:ac:7b)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Dell_44:df:33 (d8:9e:f3:44:df:33)
Address: Dell_44:df:33 (d8:9e:f3:44:df:33)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.23.28, Dst: 172.16.37.31
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 135
Identification: 0x0916 (2326)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 128
Protocol: ICMP (1)
Header checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source: 172.16.23.28
Destination: 172.16.37.31
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0x91c1 [correct]
[Checksum Status: Good]
Unused: 00000000
Internet Protocol Version 4, Src: 172.16.37.31, Dst: 172.16.23.28
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 107
Identification: 0x3e30 (15920)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 125
Protocol: UDP (17)
Header checksum: 0x6af6 [validation disabled]
[Header checksum status: Unverified]
Source: 172.16.37.31
Destination: 172.16.23.28
User Datagram Protocol, Src Port: 53, Dst Port: 55469
Source Port: 53
Destination Port: 55469
Length: 87
Checksum: 0xb7b8 [unverified]
[Checksum Status: Unverified]
[Stream index: 37]
Domain Name System (response)
Transaction ID: 0x4747
[Expert Info (Warning/Protocol): DNS response retransmission. Original response in frame 1264]
[DNS response retransmission. Original response in frame 1264]
[Severity level: Warning]
[Group: Protocol]
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
ssl-google-analytics.l.google.com: type AAAA, class IN
Name: ssl-google-analytics.l.google.com
[Name Length: 33]
[Label Count: 4]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Answers
ssl-google-analytics.l.google.com: type AAAA, class IN, addr 2a00:1450:400a:800::2008
Name: ssl-google-analytics.l.google.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 300
Data length: 16
AAAA Address: 2a00:1450:400a:800::2008
[Retransmitted response. Original response in: 1264]
My understanding about ICMP Code 3 - Type 3 is that it happens when you have some "timeout session" in UDP traffic. But according to the below trace, the response to the query is pretty much immediate.
Can anyone explain why this is happening and where I should look to fix this "error"?
Thanks a lot for your explanation.
Cheers,
Jean-Christophe
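
An ICMP Destination unreachable message quotes the datagram that triggered it, which is why the dump above shows a second IPv4/UDP/DNS stack inside frame 1265. The following added example (not part of the original post) parses that quoted datagram in Python so the error can be matched to a specific DNS response; the function names are hypothetical, and the sample packet is constructed from the addresses, ports and transaction ID shown in the dump, with checksums left at zero.

```python
import socket
import struct

def parse_icmp_unreachable(ip_packet: bytes) -> dict:
    """Parse an IPv4 packet carrying ICMP type 3 and describe the quoted datagram."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP Destination unreachable message")
    quoted = icmp[8:]  # skip type, code, checksum and the 4 unused bytes
    if len(quoted) < 20:
        raise ValueError("quoted IPv4 header is truncated")
    q_ihl = (quoted[0] & 0x0F) * 4
    result = {
        "reporter": socket.inet_ntoa(ip_packet[12:16]),  # host that rejected the datagram
        "code": icmp[1],                                  # 3 = Port unreachable
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
    }
    l4 = quoted[q_ihl:]
    if quoted[9] == 17 and len(l4) >= 8:                  # quoted datagram is UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        result.update(sport=sport, dport=dport)
        if sport == 53 and len(l4) >= 12:                 # DNS header follows the UDP header
            txid, flags = struct.unpack("!HH", l4[8:12])
            result.update(dns_txid=txid, dns_is_response=bool(flags & 0x8000))
    return result

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header for the constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample() -> bytes:
    """Constructed packet mirroring frame 1265: ICMP 3/3 quoting a DNS response."""
    dns = struct.pack("!HHHHHH", 0x4747, 0x8180, 1, 1, 0, 0)   # DNS header only
    udp = struct.pack("!HHHH", 53, 55469, 8 + len(dns), 0) + dns
    quoted = ipv4_header("172.16.37.31", "172.16.23.28", 17, len(udp), 125) + udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header("172.16.23.28", "172.16.37.31", 1, len(icmp), 128) + icmp

if __name__ == "__main__":
    for key, value in parse_icmp_unreachable(build_sample()).items():
        print(f"{key}: {value}")
```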