Question

DO is responding to DNS queries on my IP?

Posted December 23, 2021
DNS

I’ve stumbled into a strange situation where, querying my droplets on their public IP, I am getting a response even when no DNS server is running and the firewall is configured to drop packets on port 53.

Further, when I am running DNS on a droplet, everything works as expected when querying against the VPN or local interface of the droplet, but when querying its public IP, the response is not as expected and appears to be coming from another server on my server's behalf.

What gives? How do I stop this?

1 answer

Hello,

Can you clarify what queries exactly you are running? DNS stands for Domain Name System and is responsible for resolving domain names, so if you try to query your IP address, this does not go over DNS as there is no name to be resolved.

If you want to not allow ping for a specific IP, you can block ICMP traffic via your firewall.

Regards,
Bobby

  • Hey, Bobby. Thanks for replying. To clarify, I am not trying to do a DNS lookup of my server’s IP. I have been working on setting up a DNS server on my DO droplet and have been having issues with the responses I get when querying it via its public-facing IP addresses vs. its internal or VPN interface.

    To simplify the problem further, if I run an nslookup from my laptop using my DO droplet as the DNS server (i.e.: nslookup google.com my-servers-ip), and the droplet is powered off, why am I getting a response from my server’s IP?

    Sample nslookup output, domain and IP addresses redacted:

    $ nslookup testdomain.tld my-server-public-ip
    Server: my-server-public-ip
    Address: my-server-public-ip#53

    Non-authoritative answer:
    testdomain.tld canonical name = testdomain.tld.
    Name: testdomain.tld
    Address: real-ip-1
    Name: testdomain.tld
    Address: real-ip-2

    I can confirm this is happening by dumping traffic with Wireshark. I see the query go out and the response come back, even when no DNS service is running on the machine being queried.
    I tested this initially with just bind9 stopped. Then tested it with bind stopped and the iptables blocking port 53 (policy on INPUT chain is default drop, so simply removed the rule allowing port 53 access), and then lastly with the server powered off.

    • Hey there, ah I see, thank you for the clarification.

      Indeed this is quite strange, I tried replicating this behavior on my end by testing this with a brand new Droplet with bind9 installed, and as soon as I stopped the service the DNS lookups started failing:

      nslookup example.com server_ip_here
      
      ;; connection timed out; no servers could be reached
      

      I have a couple of suspicions:

      • Do you have a floating IP configured so that when the main Droplet is down the floating IP gets assigned on another Droplet that handles those DNS lookups?

      • As you are actually shutting down the server, have you tried running the nslookup command with a random IP as the nameserver to verify that this behavior is only occurring with the shutdown Droplet?

      Let me know how it goes!
      Best,
      Bobby
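The check suggested in the thread (query the droplet's public IP, then a control IP that should have nothing listening, and compare what comes back) can be scripted so that the transaction ID, the responding source address and the answer records are all checked rather than eyeballed in nslookup output. The following is an added example, not code from the thread or from DigitalOcean: it builds a raw DNS query, parses the reply with the standard library only, and reports whether anything answered and from where. The names `probe`, `build_query` and `parse_response`, the sample hostname and the 203.0.113.0/24 addresses are all assumptions chosen for illustration.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (class IN, RD bit set). Returns (txid, bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # header: id, flags=0x0100 (recursion desired), qdcount=1, an/ns/ar=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # guard against pointer loops in hostile replies
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(data, expected_txid):
    """Parse a DNS reply into txid match, QR bit, RCODE and a list of answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata_start, off = off, off + rdlen
        if rtype == 1 and rdlen == 4:          # A record
            value = socket.inet_ntoa(data[rdata_start:off])
        elif rtype == 5:                        # CNAME, may be compressed
            value, _ = _read_name(data, rdata_start)
        else:
            value = data[rdata_start:off].hex()
        answers.append((name, rtype, ttl, value))
    return {"txid_ok": txid == expected_txid,
            "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF,
            "answers": answers}


def probe(server_ip, name, timeout=2.0):
    """Send one query to server_ip:53/udp and report who (if anyone) answered."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        try:
            data, (src_ip, _src_port) = sock.recvfrom(4096)
        except socket.timeout:
            return {"server": server_ip, "answered": False}
    result = parse_response(data, txid)
    result.update({"server": server_ip, "answered": True, "from": src_ip,
                   "source_mismatch": src_ip != server_ip})
    return result


if __name__ == "__main__":
    # Assumed addresses: the droplet under test and a control IP with no listener.
    for ip in ("203.0.113.10", "203.0.113.250"):
        print(ip, probe(ip, "testdomain.tld"))
```

Run it once with the droplet's DNS service stopped (or the droplet powered off) and once against the control address. A reply with `answered=True`, a matching transaction ID and populated `answers` from a host that has nothing listening on port 53 is the behaviour described in the thread; `source_mismatch=True` additionally shows the reply came from a different address than the one queried. The control address should time out, which is what the brand-new Droplet test in the last comment observed.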