dns over tcp - invalid packets tcp_in port 853

2 posts Page 1 of 1
n8v8r
Junior Member
Posts: 9
Joined: 21 Apr 2018, 21:52


Debian 9.4 server
kernel 4.9.0-6-amd64
iptables ipv4 v1.6.0
unbound 1.6.0
csf 12.02 (DNS strict off / Packet Filter on)

unbound, being the local resolver, is issuing DNS over TLS requests to the upstream resolver over TCP with destination port 853. The response from the upstream resolver is getting blocked as invalid packets.
Firewall: *INVALID* IN=eth0 OUT= MAC=00:16:3e:22:4e:9d:00:23:dc:01:18:96:08:00 SRC=149.112.112.112 DST=179.43.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=30088 DF PROTO=TCP SPT=853 DPT=16150 WINDOW=0 RES=0x00 RST URGP=0
Firewall: *INVALID* IN=eth0 OUT= MAC=00:16:3e:22:4e:9d:00:23:dc:01:18:96:08:00 SRC=9.9.9.9 DST=179.43.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=29257 DF PROTO=TCP SPT=853 DPT=35322 WINDOW=0 RES=0x00 RST URGP=0
It is even having this issue with outbound connections :confused:
Firewall: *INVALID* IN= OUT=eth0 SRC=179.43.x.x DST=185.49.141.37 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=56300 DF PROTO=TCP SPT=3192 DPT=853 WINDOW=0 RES=0x00 RST URGP=0
n8v8r
Junior Member
Posts: 9
Joined: 21 Apr 2018, 21:52


It appears that CSF is flagging erroneously almost any traffic (in/out) over port 853 as invalid with having
Drop out of order packets and packets in an INVALID state in iptables connection tracking
enabled and set
PS_PORTS  = 0:65535,ICMP,INVALID,OPEN,BRD
Not clear whether the root cause is iptables v1.6.1 or CSF v12.04, though likely the latter, since on another box with a different firewall but also set to drop invalid packets there is no such issue apparent.
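One thing worth checking before deciding between iptables and CSF as the culprit: all three log lines quoted in the first post are bare TCP resets (RST flag, LEN=40, WINDOW=0) on port 853, inbound and outbound. Connection tracking typically marks a reset as INVALID when it arrives for a connection that is no longer in the conntrack table or carries an out-of-window sequence number, so a short-lived DNS-over-TLS session that is torn down with RST can produce exactly these entries without any real packet being lost. The script below is an added example, not code from the thread or from CSF; it parses csf/iptables log lines in the quoted format, groups the INVALID drops by port and direction, and reports whether every drop on that port is a bare reset. The first three sample lines are the ones from the thread (with the masked DST kept as-is); the fourth is a constructed non-853 line added for contrast.

```python
import re

# Sample input: three lines quoted in the thread plus one constructed line
# (port 22, ACK, non-zero window) so the report has something to contrast.
SAMPLE_LOG = """\
Firewall: *INVALID* IN=eth0 OUT= MAC=00:16:3e:22:4e:9d:00:23:dc:01:18:96:08:00 SRC=149.112.112.112 DST=179.43.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=30088 DF PROTO=TCP SPT=853 DPT=16150 WINDOW=0 RES=0x00 RST URGP=0
Firewall: *INVALID* IN=eth0 OUT= MAC=00:16:3e:22:4e:9d:00:23:dc:01:18:96:08:00 SRC=9.9.9.9 DST=179.43.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=29257 DF PROTO=TCP SPT=853 DPT=35322 WINDOW=0 RES=0x00 RST URGP=0
Firewall: *INVALID* IN= OUT=eth0 SRC=179.43.x.x DST=185.49.141.37 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=56300 DF PROTO=TCP SPT=3192 DPT=853 WINDOW=0 RES=0x00 RST URGP=0
Firewall: *INVALID* IN=eth0 OUT= SRC=203.0.113.5 DST=179.43.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
_KV = re.compile(r"(\w+)=(\S*)")      # KEY=value tokens (value may be empty, e.g. "OUT=")
_TAG = re.compile(r"\*(\w+)\*")        # the csf chain tag, e.g. *INVALID*


def parse_firewall_line(line):
    """Turn one csf/iptables log line into a dict of the fields we care about."""
    fields = dict(_KV.findall(line))
    tag = _TAG.search(line)
    rec = {
        "tag": tag.group(1) if tag else None,
        # bare tokens such as RST/ACK are the TCP flags netfilter logged
        "flags": {tok for tok in line.split() if tok in TCP_FLAGS},
    }
    for key in ("IN", "OUT", "SRC", "DST", "PROTO"):
        rec[key] = fields.get(key, "")
    for key in ("SPT", "DPT", "WINDOW", "LEN"):
        rec[key] = int(fields[key]) if key in fields else None
    return rec


def direction(rec):
    """'inbound' if the packet was logged entering an interface, else 'outbound'."""
    return "inbound" if rec["IN"] else "outbound"


def invalid_on_port(records, port):
    """INVALID drops where either side of the TCP conversation is `port`."""
    return [
        r for r in records
        if r["tag"] == "INVALID" and r["PROTO"] == "TCP" and port in (r["SPT"], r["DPT"])
    ]


def is_bare_reset(rec):
    """A 40-byte TCP segment with RST set and a zero window: no payload, just a teardown."""
    return "RST" in rec["flags"] and rec["LEN"] == 40 and rec["WINDOW"] == 0


def all_bare_resets(records):
    return bool(records) and all(is_bare_reset(r) for r in records)


def report(records, port=853):
    """Summarise INVALID drops touching `port`: how many, which direction, all resets or not."""
    hits = invalid_on_port(records, port)
    return {
        "total": len(records),
        "on_port": len(hits),
        "inbound": sum(1 for r in hits if direction(r) == "inbound"),
        "outbound": sum(1 for r in hits if direction(r) == "outbound"),
        "all_rst": all_bare_resets(hits),
    }


if __name__ == "__main__":
    recs = [parse_firewall_line(l) for l in SAMPLE_LOG.splitlines()]
    print(report(recs, 853))
```

If `all_rst` comes back True for port 853 on a real log, the drops are connection teardowns rather than DNS answers, and the resolver's queries are not actually being lost; that is the distinction to confirm (for example by checking that unbound still gets answers) before changing the drop-INVALID setting.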