Out of interest, what "ip inspect" settings exist in the Cisco 2911 config?
Do any of these reference "dns"? If so, this may be your problem...

Best wishes,
Matthew

------
>From: John Wiles <[email protected]>
>To: Tony Finch <[email protected]>
>Cc: "[email protected]" <[email protected]>
>Date: Tue, 21 Apr 2020 14:08:24 -0400
>Subject: RE: NAT and Question Section Mismatch
>
>> -----Original Message-----
>> From: John Wiles
>> Sent: Sunday, April 19, 2020 11:18 PM
>> To: 'Tony Finch' <[email protected]>
>> Cc: [email protected]
>> Subject: RE: NAT and Question Section Mismatch
>>
>> > >
>> > > I am running into a problem that I think is caused by either a
>> > > misconfiguration in Bind9, our Cisco NAT, or perhaps both.
>> > >
>> > > When I am on our internal network, I am able to query both servers
>> > > and get the appropriate external ip address. However, when I try to
>> > > do the same thing externally I get "Question section mismatch: got
>> > > 6.1.1.10.in-addr.arpa/PTR/IN."
>> >
>> > I bet this is a PIX/ASA fixup fuxup.
>> >
>> > Tony.
>>
>> Tony thanks for the response.
>>
>> I'm assuming that applies to either DNS inspection and/or the fixup
>> command. I'm asking the person that handles the cisco config to review.
>>
>> I also just realized I forgot to mention that it is a 2911 ISR.
>>
>> John
>>
>
>After going through the router config my cisco person is pretty sure that
>there is nothing in the configuration that is causing this.
>
>But I'm not so certain since it appears to only affect the hosts that are in
>the NAT. For example, my nslookup results from home:
>
>> server 72.162.32.4
>Default server: 72.162.32.4
>Address: 72.162.32.4#53
>> 72.162.32.2
>2.32.162.72.in-addr.arpa name = gw.iotis.org.
>> 72.162.32.3
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 17.1.1.10.in-addr.arpa/PTR/IN
>;; connection timed out; no servers could be reached
>
>> 72.162.32.4
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; ;; Question section mismatch: got 25.1.1.10.in-addr.arpa/PTR/IN
>;; connection timed out; no servers could be reached
>
>> 72.162.32.19
>19.32.162.72.in-addr.arpa name = badmx2.iotis.org.
>> 72.162.32.18
>18.32.162.72.in-addr.arpa name = badmx.iotis.org.
>
>_______________________________________________
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>from this list
>
>bind-users mailing list
>[email protected]
>https://lists.isc.org/mailman/listinfo/bind-users
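The symptom in this thread, as an added example that is not part of any poster's message: a Python check that compares the question section of a reply with the query that was sent and flags the case seen in the nslookup output, where a PTR name for a public address comes back as a PTR name in private address space. The function names, the message ID and the sample packets are constructed for illustration; treating that pattern as a sign of on-path rewriting is an assumption.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(msg_id, qname, qtype=12, response=False):
    """Header plus one question (QTYPE 12 = PTR, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question in a message."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

def ptr_to_ip(qname):
    """Map d.c.b.a.in-addr.arpa to IPv4Address a.b.c.d, else None."""
    parts = qname.split(".")
    if len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(parts[:4])))
    except ValueError:
        return None

def check_reply(query, reply):
    """Classify a reply as 'ok', 'mismatch' or 'mismatch-private-rewrite'."""
    sent, got = parse_question(query), parse_question(reply)
    if sent == got:
        return "ok"
    asked, seen = ptr_to_ip(sent[0]), ptr_to_ip(got[0])
    # Assumption: public name in, RFC 1918 name out suggests on-path rewriting.
    if asked is not None and seen is not None and not asked.is_private and seen.is_private:
        return "mismatch-private-rewrite"
    return "mismatch"

# Constructed sample packets; the two names are taken from the nslookup output.
QUERY = build_message(0x1A2B, "3.32.162.72.in-addr.arpa")
REWRITTEN = build_message(0x1A2B, "17.1.1.10.in-addr.arpa", response=True)
```

Feeding `check_reply` a query and reply captured on each side of the NAT device shows on which side the question name changes.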

