[Pdns-users] Master/Slaves in docker containers

frank+pdns at tembo.be
Fri May 31 08:07:06 UTC 2019


Hi Christian,

Did you take your tcpdump inside the container or outside?

> On 29 May 2019, at 18:42, Christian Tardif <christian.tardif at servinfo.ca> wrote:
> 
> TCPDUMP for a dig:   (request was dig @192.168.213.12 SOA int.servinfo.stba)
> 
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype 802.1Q (0x8100), length 106: vlan 213, p 0, ethertype IPv4, 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype 802.1Q (0x8100), length 106: vlan 213, p 0, ethertype IPv4, 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype IPv4 (0x0800), length 102: 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)

I assume this is “outside” the container: the IP traffic arrives on the host.

> 16:33:52.289371 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289376 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.291796   P 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 172.17.0.3.53 > 172.17.0.1.1038: 64585 Refused- 0/0/1 (46)
> 16:33:52.291796  In 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 172.17.0.3.53 > 192.168.213.11.33053: 64585 Refused- 0/0/1 (46)

But then this is strange: the source IP gets translated, which shouldn’t happen. There’s nothing else running on the host that could mess with the traffic? Custom iptables rules, network agents that intercept the traffic? Special network plugins? How are you starting the container? Could you send us the output of iptables-save?

The source IP address translation is not (default) Docker behaviour. As the IP address is translated, pdns receives the notify from the translated IP instead of the one it should contact.

Frank
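
The source rewrite discussed in the message above can be picked out of such a capture mechanically. The following is an added example, not part of the original post and not PowerDNS or Docker code: it groups tcpdump DNS query lines by transaction ID and question, and reports any query that appears with more than one source address. The function name and regular expression are assumptions; the sample lines are copied from the quoted capture.

```python
import re

# "src.port > dst.port: id[flags] [opts] QTYPE? qname" as printed by tcpdump.
# Replies ("64585 Refused- 0/0/1") carry no "QTYPE?" and do not match.
QUERY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+): "
    r"(\d+)\S* (?:\[[^\]]*\] )?(\S+\? \S+)"
)

def find_source_rewrites(lines):
    """Return {(dns_id, question): [source IPs in order seen]} for queries
    to port 53 whose source address differs between capture points."""
    seen = {}
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        src, _sport, _dst, dport, dns_id, question = m.groups()
        if dport != "53":
            continue
        # ID plus question keeps unrelated clients with the same ID apart.
        sources = seen.setdefault((int(dns_id), question), [])
        if src not in sources:
            sources.append(src)
    return {key: srcs for key, srcs in seen.items() if len(srcs) > 1}

# Sample lines copied from the capture quoted in the message above.
CAPTURE = [
    "16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype IPv4 (0x0800), length 102: "
    "192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)",
    "16:33:52.289371 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: "
    "172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)",
    "16:33:52.291796   P 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: "
    "172.17.0.3.53 > 172.17.0.1.1038: 64585 Refused- 0/0/1 (46)",
    "16:33:52.291796  In 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: "
    "172.17.0.3.53 > 192.168.213.11.33053: 64585 Refused- 0/0/1 (46)",
]

if __name__ == "__main__":
    for (dns_id, question), srcs in find_source_rewrites(CAPTURE).items():
        print(f"query {dns_id} ({question}): source seen as {' -> '.join(srcs)}")
```

A destination change on the same query is expected for a published container port; only the differing source addresses are reported.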