I had a working gShield configuration running on my server until I upgraded the kernel to 2.6.20-gentoo-r6 yesterday. Now all DNS queries are timing out, and gShield is logging all attempts:

Apr 21 15:59:34 wonk gShield (default drop) IN=eth0 OUT= MAC=00:04:23:a7:66:92:00:14:f2:b7:8d:53:08:00 SRC=192.36.148.17 DST=69.65.110.186 LEN=234 TOS=0x00 PREC=0x00 TTL=251 ID=2253 DF PROTO=UDP SPT=53 DPT=52039 LEN=214

My /etc/resolv.conf file is:

domain vushta.com
search vushta.com
nameserver 127.0.0.1

The relevant part of my gShield.conf file is:

# DNS servers
# List the DNS servers you use here
# If set to AUTO, gShield will read
# this variable from /etc/resolv.conf
DNS="AUTO"

I've tried AUTO and 127.0.0.1; neither makes a difference.

From /usr/src/linux/.config:

CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_ASK_IP_FIB_HASH is not set
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_PNP=y
# CONFIG_IP_PNP_DHCP is not set
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
CONFIG_NET_IPIP=y
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set

If I run /etc/init.d/gshield stop, then DNS/named runs perfectly and quickly, but as soon as I activate gshield, all DNS packets are dropped.

In desperation, I changed /etc/resolv.conf to look like:

domain vushta.com
nameserver 4.2.2.2

That doesn't work either. gshield is dropping all DNS packets, where it did not before. All I changed was updating the kernel from 2.6.19-gentoo-r5 to 2.6.20-gentoo-r6.
Reproducible: Always

Steps to Reproduce:
1. Start gshield (/etc/init.d/gshield start)
2. Look up anything (host www.google.com)

Actual Results:
;; connection timed out; no servers could be reached

Expected Results:
Should get an IP
Obvious question, when you go back to 2.6.19, are the issues solved?
tdknox@wonk ~ $ uname -a
Linux wonk 2.6.19-gentoo-r5 #6 SMP Sat Mar 3 17:14:12 EST 2007 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz GenuineIntel GNU/Linux
tdknox@wonk ~ $ date
Sun Apr 22 11:55:45 EDT 2007
tdknox@wonk ~ $ host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 64.233.161.99
www.l.google.com has address 64.233.161.104
www.l.google.com has address 64.233.161.147

tdknox@wonk ~ $ uname -a
Linux wonk 2.6.20-gentoo-r6 #1 SMP Fri Apr 20 17:01:16 EDT 2007 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz GenuineIntel GNU/Linux
tdknox@wonk ~ $ date
Sun Apr 22 12:00:00 EDT 2007
tdknox@wonk ~ $ host www.google.com
;; connection timed out; no servers could be reached
Today I got a report that this also happens on some other box, even without gshield. So it seems more like a kernel bug...
The bug reported here is clearly related to gshield. If you're having DNS troubles on another system without gshield, you should file a new bug, as the chances of it being related to this one are extremely low.