dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License

resolv: valid domain but no data of requested type #305

Closed mrahmadt closed 6 years ago

mrahmadt commented 6 years ago

Hi

I'm having an issue with many sites not loading, and I'm getting this error for them: resolv: valid domain but no data of requested type

user daemon
pidfile /var/run/sniproxy.pid

error_log {
    priority debug
    filename /var/log/sniproxy-error.log
}

access_log {
    filename /var/log/sniproxy-access.log
}

listen 80 {
    proto http
    bad_requests log
}

listen 443 {
    proto tls
    bad_requests log
}

table {
    .* *
}

resolver {
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    mode ipv4_first
}

# tail /var/log/sniproxy-error.log
2018-08-22 10:43:53 resolv: valid domain but no data of requested type

2018-08-22 10:45:36 recv(server): Connection timed out, closing connection
2018-08-22 10:46:03 recv(server): Connection timed out, closing connection
2018-08-22 10:46:21 resolv: valid domain but no data of requested type

2018-08-22 10:46:22 recv(server): Connection reset by peer, closing connection
2018-08-22 10:46:49 resolv: valid domain but no data of requested type

2018-08-22 10:46:49 recv(server): Connection reset by peer, closing connection

# netstat -ltnp |grep sni
tcp6       0      0 :::80                   :::*                    LISTEN      2179/sniproxy       
tcp6       0      0 :::443                  :::*                    LISTEN      2179/sniproxy       

How can I fix this issue? And why is sniproxy only listening on IPv6? How can I make it listen on IPv4 and IPv6?

PS: Using ubuntu 18.04

Thanks

dlundquist commented 6 years ago

The "valid domain but no data of requested type" message is generated by udns. It indicates that the DNS server responded indicating the domain exists (not NXDOMAIN), but didn't include any RR answering your query. I would suggest querying the configured DNS resolver from the box running sniproxy with host or dig:

[dustin@improbability udns-0.4]$ dig -t a example.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> -t a example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22531
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.           IN  A

;; ANSWER SECTION:
example.com.        2782    IN  A   93.184.216.34

;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 22 07:41:15 PDT 2018
;; MSG SIZE  rcvd: 56

[dustin@improbability udns-0.4]$ dig -t aaaa example.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> -t aaaa example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15370
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.           IN  AAAA

;; ANSWER SECTION:
example.com.        2089    IN  AAAA    2606:2800:220:1:248:1893:25c8:1946

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 22 07:41:21 PDT 2018
;; MSG SIZE  rcvd: 68

Since you have the resolver set to ipv4_first, it will make two separate queries as above. That error could be normal in the case of using ipv4_first and there is only an AAAA record; if so, please let me know so I can squelch it.

-Dustin
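
The distinction drawn above between NXDOMAIN and "no data of requested type", as an added example that is not part of the original comment or of sniproxy's code: it parses dig text output and treats a NOERROR reply as NODATA whenever no record of the queried type is present, including a CNAME-only answer. The sample replies, the `example.test` names and the function names are constructed for illustration, and `resolve_ipv4_first` only models the two-query behaviour described here.

```python
import re

# Constructed dig-style replies (documentation names and addresses).
A_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; QUESTION SECTION:
;www.example.test.      IN  A

;; ANSWER SECTION:
www.example.test.   300 IN  A   192.0.2.10
"""
AAAA_EMPTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; QUESTION SECTION:
;www.example.test.      IN  AAAA

;; AUTHORITY SECTION:
example.test.   600 IN  SOA ns.example.test. admin.example.test. 1 10800 2700 3600000 900
"""
AAAA_CNAME_ONLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; QUESTION SECTION:
;www.example.test.      IN  AAAA

;; ANSWER SECTION:
www.example.test.   300 IN  CNAME   edge.example.test.
"""
NXDOMAIN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1004
;; QUESTION SECTION:
;missing.example.test.  IN  A
"""

STATUS_RE = re.compile(r"status: (\w+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Extract status, queried type and ANSWER-section records from dig output."""
    result = {"status": None, "qtype": None, "answers": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current section
            section = None
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            result["status"] = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION":
            m = QUESTION_RE.match(line)
            if m:
                result["qtype"] = m.group(2).upper()
        elif section == "ANSWER":
            m = RR_RE.match(line)
            if m:
                result["answers"].append((m.group(2).upper(), m.group(3).strip()))
    return result


def classify(text):
    """Return (kind, rdata_list); kind is ANSWER, NODATA, NXDOMAIN or ERROR."""
    reply = parse_dig(text)
    if reply["status"] == "NXDOMAIN":
        return ("NXDOMAIN", [])
    if reply["status"] != "NOERROR":
        return ("ERROR", [])
    # Counting ANSWER records is not enough: a CNAME chain that ends without
    # a record of the queried type is still "no data of requested type".
    data = [rdata for rtype, rdata in reply["answers"] if rtype == reply["qtype"]]
    return ("ANSWER", data) if data else ("NODATA", [])


def resolve_ipv4_first(a_text, aaaa_text):
    """Model of an A-then-AAAA lookup: collect addresses and per-family notes."""
    addresses, notes = [], []
    for family, text in (("A", a_text), ("AAAA", aaaa_text)):
        kind, data = classify(text)
        addresses.extend(data)
        if kind != "ANSWER":
            notes.append(f"{family}: {kind}")
    return addresses, notes


if __name__ == "__main__":
    print(resolve_ipv4_first(A_ANSWER, AAAA_EMPTY))
```

A NODATA note for one family is harmless when the other family returned addresses; the name is unusable only when the address list comes back empty.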


mrahmadt commented 6 years ago

Hi. Surprisingly, I can access all domains with http, but some domains will hang when accessed with https; this is not the case with all https domains (not sure why).

PS: I'm using firefox

$ dig -t a aljazeera.net @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> -t a aljazeera.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5596
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aljazeera.net.         IN  A

;; ANSWER SECTION:
aljazeera.net.      300 IN  A   8.254.93.126

;; AUTHORITY SECTION:
net.            963 IN  NS  g.gtld-servers.net.
net.            963 IN  NS  m.gtld-servers.net.
net.            963 IN  NS  l.gtld-servers.net.
net.            963 IN  NS  b.gtld-servers.net.
net.            963 IN  NS  j.gtld-servers.net.
net.            963 IN  NS  k.gtld-servers.net.
net.            963 IN  NS  a.gtld-servers.net.
net.            963 IN  NS  d.gtld-servers.net.
net.            963 IN  NS  e.gtld-servers.net.
net.            963 IN  NS  f.gtld-servers.net.
net.            963 IN  NS  h.gtld-servers.net.
net.            963 IN  NS  c.gtld-servers.net.
net.            963 IN  NS  i.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 2480    IN  A   192.5.6.30
b.gtld-servers.net. 2480    IN  A   192.33.14.30
c.gtld-servers.net. 2480    IN  A   192.26.92.30
d.gtld-servers.net. 2480    IN  A   192.31.80.30
e.gtld-servers.net. 2480    IN  A   192.12.94.30
f.gtld-servers.net. 2480    IN  A   192.35.51.30
g.gtld-servers.net. 2480    IN  A   192.42.93.30
h.gtld-servers.net. 2480    IN  A   192.54.112.30
i.gtld-servers.net. 2480    IN  A   192.43.172.30
j.gtld-servers.net. 2480    IN  A   192.48.79.30
k.gtld-servers.net. 2480    IN  A   192.52.178.30
l.gtld-servers.net. 2480    IN  A   192.41.162.30
m.gtld-servers.net. 2480    IN  A   192.55.83.30

;; Query time: 1621 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 22 14:49:56 UTC 2018
;; MSG SIZE  rcvd: 487

$ dig -t aaaa aljazeera.net @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> -t aaaa aljazeera.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54785
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aljazeera.net.         IN  AAAA

;; AUTHORITY SECTION:
aljazeera.net.      600 IN  SOA admin.itmdb.net. dns.level3.net. 1534689329 10800 2700 3600000 900

;; Query time: 298 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 22 14:50:34 UTC 2018
;; MSG SIZE  rcvd: 101

dlundquist commented 6 years ago

There is no answer to the AAAA query, so that may be the cause of the resolver message. As for the hang, I'm not sure of the cause. A tcpdump of traffic in and out of the proxy host might reveal where the delay is. You should be able to examine the delay between the incoming HTTPS request, outgoing DNS queries, DNS responses and the initial SYN to the backend server. You could also try my profile-nonblocking-connect branch (https://github.com/dlundquist/sniproxy/tree/profile-nonblocking-connect), but you would need to add additional events for DNS resolution.

Libudns is limited to a single UDP socket for DNS resolution; this means that the source UDP port is fixed for the life of the SNIproxy process. This makes it more susceptible to DNS response spoofing. I recommend running a local caching resolver such as unbound, dnsmasq or even bind9 on the same host as sniproxy to cache DNS lookups and provide more random source port selection for outgoing queries.

-Dustin
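
One way to check the fixed-source-port behaviour described above from a capture on the proxy host, as an added example that is not part of the original comment or of sniproxy: it reads `tcpdump -nn -vv` text, keeps only outgoing DNS queries (destination port 53) and reports how many distinct source ports each querying address used. The capture lines, addresses, names, the `min_queries` threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in `tcpdump -nn -vv` style (documentation addresses).
# 192.0.2.10 reuses one source port; 192.0.2.20 picks a new port per query.
SAMPLE_CAPTURE = """\
15:52:43.471310 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 74)
    192.0.2.10.55432 > 198.51.100.53.53: [udp sum ok] 24239+ [1au] AAAA? www.example.test. ar: . OPT UDPsize=4096 (46)
15:52:43.471329 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 74)
    192.0.2.10.55432 > 198.51.100.53.53: [udp sum ok] 50059+ [1au] A? www.example.test. ar: . OPT UDPsize=4096 (46)
15:52:43.948485 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 90)
    198.51.100.53.53 > 192.0.2.10.55432: [udp sum ok] 50059 q: A? www.example.test. 1/0/1 www.example.test. [5m] A 203.0.113.7 ar: . OPT UDPsize=4096 (62)
15:52:43.991167 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.50120 > 203.0.113.7.443: Flags [S], cksum 0xb33f (correct), seq 1286165166, win 29200, length 0
15:53:10.100000 IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto UDP (17), length 72)
    192.0.2.10.55432 > 198.51.100.53.53: [udp sum ok] 8198+ A? api.example.test. (34)
15:53:29.425322 IP (tos 0x0, ttl 64, id 6, offset 0, flags [DF], proto UDP (17), length 72)
    192.0.2.20.30924 > 198.51.100.53.53: [udp sum ok] 62506+ A? www.example.test. (34)
15:53:30.000100 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto UDP (17), length 72)
    192.0.2.20.41877 > 198.51.100.53.53: [bad udp cksum 0xfe7b -> 0xd54d!] 1177+ A? api.example.test. (34)
15:53:31.000200 IP (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto UDP (17), length 72)
    192.0.2.20.52011 > 198.51.100.53.53: [udp sum ok] 40412+ AAAA? api.example.test. (34)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# src.port > dst.53: [checksum note] txid+ [1au] TYPE? name.
QUERY_RE = re.compile(
    rf"^\s*({IPV4})\.(\d+) > ({IPV4})\.53: "
    r"(?:\[[^\]]*\] )?(\d+)\S* (?:\[\S+\] )?(\w+)\? (\S+)"
)


def dns_queries(capture):
    """Yield (src_ip, src_port, txid, qtype, qname) for each outgoing DNS query."""
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            src, sport, _dst, txid, qtype, qname = m.groups()
            yield src, int(sport), int(txid), qtype, qname


def audit_source_ports(capture, min_queries=3):
    """Summarise source-port use per querying address.

    fixed_port is True when an address sent at least min_queries queries and
    all of them left from the same UDP port. In that case the 16-bit
    transaction ID is the main value a spoofed reply would still have to match.
    """
    seen = defaultdict(lambda: {"ports": set(), "queries": 0})
    for src, sport, _txid, _qtype, _qname in dns_queries(capture):
        seen[src]["ports"].add(sport)
        seen[src]["queries"] += 1
    report = {}
    for src, stats in seen.items():
        distinct = len(stats["ports"])
        report[src] = {
            "queries": stats["queries"],
            "distinct_ports": distinct,
            "fixed_port": stats["queries"] >= min_queries and distinct == 1,
        }
    return report


if __name__ == "__main__":
    for src, row in audit_source_ports(SAMPLE_CAPTURE).items():
        print(src, row)
```

With a local caching resolver in front of sniproxy, the address to audit is the one the resolver uses for its upstream queries, since sniproxy's own queries then stay on the host.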


mrahmadt commented 6 years ago

Can this help to indicate the issue?

# tcpdump -i any -l -vv port not 22
15:37:01.254740 IP (tos 0x0, ttl 255, id 30595, offset 0, flags [none], proto UDP (17), length 63)
    172.20.10.2.56570 > 172.20.10.8.domain: [udp sum ok] 37585+ A? www.aljazeera.net. (35)
15:37:01.255143 IP (tos 0x0, ttl 64, id 60057, offset 0, flags [DF], proto UDP (17), length 79)
    172.20.10.8.domain > 172.20.10.2.56570: [bad udp cksum 0x6c7f -> 0xd96d!] 37585* q: A? www.aljazeera.net. 1/0/0 www.aljazeera.net. A 172.20.10.8 (51)
15:37:01.256294 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [S], cksum 0x66e8 (correct), seq 2602052647, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 800433983 ecr 0,sackOK,eol], length 0
15:37:01.256325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.20.10.8.https > 172.20.10.2.50162: Flags [S.], cksum 0x6c61 (incorrect -> 0xd1fb), seq 2688229026, ack 2602052648, win 28960, options [mss 1460,sackOK,TS val 2045836271 ecr 800433983,nop,wscale 7], length 0
15:37:01.256936 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [.], cksum 0x61d2 (correct), seq 1, ack 1, win 4117, options [nop,nop,TS val 800433984 ecr 2045836271], length 0
15:37:01.259899 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [P.], cksum 0x2498 (correct), seq 1:518, ack 1, win 4117, options [nop,nop,TS val 800433986 ecr 2045836271], length 517
15:37:01.260951 IP (tos 0x0, ttl 64, id 36458, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.https > 172.20.10.2.50162: Flags [.], cksum 0x6c59 (incorrect -> 0x6ef1), seq 1, ack 518, win 235, options [nop,nop,TS val 2045836275 ecr 800433986], length 0
15:37:01.265502 IP (tos 0x0, ttl 64, id 29967, offset 0, flags [DF], proto UDP (17), length 74)
    10.8.8.135.55432 > google-public-dns-a.google.com.domain: [udp sum ok] 27899+ [1au] AAAA? www.aljazeera.net. ar: . OPT UDPsize=4096 (46)
15:37:01.265927 IP (tos 0x0, ttl 64, id 29968, offset 0, flags [DF], proto UDP (17), length 74)
    10.8.8.135.55432 > google-public-dns-a.google.com.domain: [udp sum ok] 57524+ [1au] A? www.aljazeera.net. ar: . OPT UDPsize=4096 (46)
15:37:01.266115 IP (tos 0x0, ttl 64, id 31465, offset 0, flags [DF], proto UDP (17), length 127)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd35d -> 0xe40d!] UDP, length 99
15:37:01.266321 IP (tos 0x0, ttl 64, id 31466, offset 0, flags [DF], proto UDP (17), length 127)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd35d -> 0x9684!] UDP, length 99
15:37:01.904522 IP (tos 0x0, ttl 51, id 55545, offset 0, flags [none], proto UDP (17), length 261)
    81.92.203.104.openvpn > 172.20.10.8.58702: [udp sum ok] UDP, length 233
15:37:01.904550 IP (tos 0x0, ttl 51, id 55550, offset 0, flags [none], proto UDP (17), length 685)
    81.92.203.104.openvpn > 172.20.10.8.58702: [udp sum ok] UDP, length 657
15:37:01.904744 IP (tos 0x0, ttl 64, id 35762, offset 0, flags [none], proto UDP (17), length 208)
    google-public-dns-a.google.com.domain > 10.8.8.135.55432: [udp sum ok] 27899 q: AAAA? www.aljazeera.net. 2/1/1 www.aljazeera.net. CNAME 2-01-3b91-0005.cdx.cedexis.net., 2-01-3b91-0005.cdx.cedexis.net. CNAME www.aljazeera.net.c.itmdb.net. ns: itmdb.net. SOA admin.itmdb.net. dns.level3.net. 1533831467 10800 2700 3600000 900 ar: . OPT UDPsize=4096 (180)
15:37:01.904788 IP (tos 0x0, ttl 64, id 35768, offset 0, flags [none], proto UDP (17), length 632)
    google-public-dns-a.google.com.domain > 10.8.8.135.55432: [udp sum ok] 57524 q: A? www.aljazeera.net. 5/13/14 www.aljazeera.net. CNAME 2-01-3b91-0005.cdx.cedexis.net., 2-01-3b91-0005.cdx.cedexis.net. CNAME www.aljazeera.net.c.itmdb.net., www.aljazeera.net.c.itmdb.net. A 8.254.196.126, www.aljazeera.net.c.itmdb.net. A 8.27.5.254, www.aljazeera.net.c.itmdb.net. A 4.26.226.126 ns: net. NS e.gtld-servers.net., net. NS b.gtld-servers.net., net. NS d.gtld-servers.net., net. NS j.gtld-servers.net., net. NS a.gtld-servers.net., net. NS l.gtld-servers.net., net. NS f.gtld-servers.net., net. NS h.gtld-servers.net., net. NS i.gtld-servers.net., net. NS k.gtld-servers.net., net. NS m.gtld-servers.net., net. NS g.gtld-servers.net., net. NS c.gtld-servers.net. ar: a.gtld-servers.net. A 192.5.6.30, b.gtld-servers.net. A 192.33.14.30, c.gtld-servers.net. A 192.26.92.30, d.gtld-servers.net. A 192.31.80.30, e.gtld-servers.net. A 192.12.94.30, f.gtld-servers.net. A 192.35.51.30, g.gtld-servers.net. A 192.42.93.30, h.gtld-servers.net. A 192.54.112.30, i.gtld-servers.net. A 192.43.172.30, j.gtld-servers.net. A 192.48.79.30, k.gtld-servers.net. A 192.52.178.30, l.gtld-servers.net. A 192.41.162.30, m.gtld-servers.net. A 192.55.83.30, . OPT UDPsize=4096 (604)
15:37:01.905063 IP (tos 0x0, ttl 64, id 29054, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0xeaef (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3032978734 ecr 0,nop,wscale 7], length 0
15:37:01.905242 IP (tos 0x0, ttl 64, id 31613, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0x4a00!] UDP, length 85
15:37:01.905700 IP (tos 0x0, ttl 64, id 58764, offset 0, flags [DF], proto UDP (17), length 72)
    localhost.localdomain.35542 > localhost.localdomain.domain: [bad udp cksum 0xfe47 -> 0x7def!] 14543+ PTR? 126.196.254.8.in-addr.arpa. (44)
15:37:01.906031 IP (tos 0x0, ttl 64, id 23462, offset 0, flags [DF], proto UDP (17), length 72)
    10.8.8.135.50387 > google-public-dns-b.google.com.domain: [udp sum ok] 8198+ PTR? 126.196.254.8.in-addr.arpa. (44)
15:37:01.906126 IP (tos 0x0, ttl 64, id 31614, offset 0, flags [DF], proto UDP (17), length 125)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd35b -> 0x3e6d!] UDP, length 97
15:37:01.906362 IP (tos 0x0, ttl 64, id 30067, offset 0, flags [DF], proto UDP (17), length 72)
    10.8.8.135.50387 > google-public-dns-a.google.com.domain: [udp sum ok] 8198+ PTR? 126.196.254.8.in-addr.arpa. (44)
15:37:02.915854 IP (tos 0x0, ttl 64, id 29055, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0xe6fc (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3032979745 ecr 0,nop,wscale 7], length 0
15:37:02.916331 IP (tos 0x0, ttl 64, id 31714, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0xfa7f!] UDP, length 85
15:37:04.931935 IP (tos 0x0, ttl 64, id 29056, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0xdf1c (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3032981761 ecr 0,nop,wscale 7], length 0
15:37:04.932738 IP (tos 0x0, ttl 64, id 31909, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0xfdfe!] UDP, length 85
15:37:06.340483 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.10.1 tell 172.20.10.8, length 28
15:37:06.343847 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.10.1 is-at 6e:4d:73:4d:e8:64 (oui Unknown), length 46
15:37:09.155970 IP (tos 0x0, ttl 64, id 29057, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0xce9c (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3032985985 ecr 0,nop,wscale 7], length 0
15:37:09.156162 IP (tos 0x0, ttl 64, id 31960, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0xf3ae!] UDP, length 85
15:37:11.292084 IP (tos 0x0, ttl 64, id 51652, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [.], cksum 0xe5bb (correct), seq 517, ack 1, win 4117, length 0
15:37:11.292210 IP (tos 0x0, ttl 64, id 36459, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.https > 172.20.10.2.50162: Flags [.], cksum 0x6c59 (incorrect -> 0x47c0), seq 1, ack 518, win 235, options [nop,nop,TS val 2045846308 ecr 800433986], length 0
15:37:17.348301 IP (tos 0x0, ttl 64, id 29058, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0xae9b (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3032994178 ecr 0,nop,wscale 7], length 0
15:37:17.348565 IP (tos 0x0, ttl 64, id 32201, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0x6711!] UDP, length 85
15:37:21.308568 IP (tos 0x0, ttl 64, id 10273, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [.], cksum 0xe5bb (correct), seq 517, ack 1, win 4117, length 0
15:37:21.308669 IP (tos 0x0, ttl 64, id 36460, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.https > 172.20.10.2.50162: Flags [.], cksum 0x6c59 (incorrect -> 0x209f), seq 1, ack 518, win 235, options [nop,nop,TS val 2045856325 ecr 800433986], length 0
15:37:31.319944 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [F.], cksum 0x9c42 (correct), seq 518, ack 1, win 4117, options [nop,nop,TS val 800463987 ecr 2045856325], length 0
15:37:31.320280 IP (tos 0x0, ttl 64, id 36461, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.https > 172.20.10.2.50162: Flags [F.], cksum 0x6c59 (incorrect -> 0x844e), seq 1, ack 519, win 235, options [nop,nop,TS val 2045866338 ecr 800463987], length 0
15:37:31.320609 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50162 > 172.20.10.8.https: Flags [.], cksum 0x7524 (correct), seq 519, ack 2, win 4117, options [nop,nop,TS val 800463987 ecr 2045866338], length 0
15:37:33.476568 IP (tos 0x0, ttl 64, id 29059, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.135.43382 > 8.254.196.126.https: Flags [S], cksum 0x6f99 (correct), seq 901242901, win 29200, options [mss 1460,sackOK,TS val 3033010308 ecr 0,nop,wscale 7], length 0
15:37:33.476727 IP (tos 0x0, ttl 64, id 34710, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.58702 > 81.92.203.104.openvpn: [bad udp cksum 0xd34f -> 0x2d41!] UDP, length 85

mrahmadt commented 6 years ago

After disabling TCO (tcp offloading) for TX/RX

# tcpdump -i any -l -vvv -nn  port not 22

15:52:43.465418 IP (tos 0x0, ttl 255, id 46734, offset 0, flags [none], proto UDP (17), length 63)
    172.20.10.2.62117 > 172.20.10.8.53: [udp sum ok] 56988+ A? www.aljazeera.net. (35)
15:52:43.466518 IP (tos 0x0, ttl 64, id 17921, offset 0, flags [DF], proto UDP (17), length 79)
    172.20.10.8.53 > 172.20.10.2.62117: [udp sum ok] 56988* q: A? www.aljazeera.net. 1/0/0 www.aljazeera.net. [0s] A 172.20.10.8 (51)
15:52:43.467695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [S], cksum 0xa5d4 (correct), seq 3618006208, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 801370760 ecr 0,sackOK,eol], length 0
15:52:43.467735 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [S.], cksum 0x5a3c (correct), seq 3961137329, ack 3618006209, win 28960, options [mss 1460,sackOK,TS val 2046778526 ecr 801370760,nop,wscale 7], length 0
15:52:43.468028 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0xea12 (correct), seq 1, ack 1, win 4117, options [nop,nop,TS val 801370761 ecr 2046778526], length 0
15:52:43.469625 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [P.], cksum 0x456c (correct), seq 1:518, ack 1, win 4117, options [nop,nop,TS val 801370762 ecr 2046778526], length 517
15:52:43.469686 IP (tos 0x0, ttl 64, id 88, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [.], cksum 0xf734 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 2046778528 ecr 801370762], length 0
15:52:43.471310 IP (tos 0x0, ttl 64, id 63843, offset 0, flags [DF], proto UDP (17), length 74)
    10.8.8.160.55432 > 8.8.8.8.53: [udp sum ok] 24239+ [1au] AAAA? www.aljazeera.net. ar: . OPT UDPsize=4096 (46)
15:52:43.471329 IP (tos 0x0, ttl 64, id 63844, offset 0, flags [DF], proto UDP (17), length 74)
    10.8.8.160.55432 > 8.8.8.8.53: [udp sum ok] 50059+ [1au] A? www.aljazeera.net. ar: . OPT UDPsize=4096 (46)
15:52:43.471569 IP (tos 0x0, ttl 64, id 31008, offset 0, flags [DF], proto UDP (17), length 127)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 99
15:52:43.471790 IP (tos 0x0, ttl 64, id 31009, offset 0, flags [DF], proto UDP (17), length 127)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 99
15:52:43.948374 IP (tos 0x0, ttl 52, id 3114, offset 0, flags [none], proto UDP (17), length 685)
    81.92.203.124.1194 > 172.20.10.8.47449: [udp sum ok] UDP, length 657
15:52:43.948485 IP (tos 0x0, ttl 64, id 27499, offset 0, flags [none], proto UDP (17), length 632)
    8.8.8.8.53 > 10.8.8.160.55432: [udp sum ok] 50059 q: A? www.aljazeera.net. 5/13/14 www.aljazeera.net. [5m] CNAME 2-01-3b91-0005.cdx.cedexis.net., 2-01-3b91-0005.cdx.cedexis.net. [20s] CNAME www.aljazeera.net.c.itmdb.net., www.aljazeera.net.c.itmdb.net. [3m50s] A 8.254.196.126, www.aljazeera.net.c.itmdb.net. [3m50s] A 208.178.167.254, www.aljazeera.net.c.itmdb.net. [3m50s] A 4.26.230.254 ns: net. [22m1s] NS g.gtld-servers.net., net. [22m1s] NS k.gtld-servers.net., net. [22m1s] NS m.gtld-servers.net., net. [22m1s] NS j.gtld-servers.net., net. [22m1s] NS i.gtld-servers.net., net. [22m1s] NS a.gtld-servers.net., net. [22m1s] NS e.gtld-servers.net., net. [22m1s] NS f.gtld-servers.net., net. [22m1s] NS d.gtld-servers.net., net. [22m1s] NS b.gtld-servers.net., net. [22m1s] NS l.gtld-servers.net., net. [22m1s] NS c.gtld-servers.net., net. [22m1s] NS h.gtld-servers.net. ar: a.gtld-servers.net. [51m16s] A 192.5.6.30, b.gtld-servers.net. [51m16s] A 192.33.14.30, c.gtld-servers.net. [51m16s] A 192.26.92.30, d.gtld-servers.net. [51m16s] A 192.31.80.30, e.gtld-servers.net. [51m16s] A 192.12.94.30, f.gtld-servers.net. [51m16s] A 192.35.51.30, g.gtld-servers.net. [51m16s] A 192.42.93.30, h.gtld-servers.net. [51m16s] A 192.54.112.30, i.gtld-servers.net. [51m16s] A 192.43.172.30, j.gtld-servers.net. [51m16s] A 192.48.79.30, k.gtld-servers.net. [51m16s] A 192.52.178.30, l.gtld-servers.net. [51m16s] A 192.41.162.30, m.gtld-servers.net. [51m16s] A 192.55.83.30, . OPT UDPsize=4096 (604)
15:52:43.990579 IP (tos 0x0, ttl 52, id 3118, offset 0, flags [none], proto UDP (17), length 261)
    81.92.203.124.1194 > 172.20.10.8.47449: [udp sum ok] UDP, length 233
15:52:43.990752 IP (tos 0x0, ttl 64, id 27507, offset 0, flags [none], proto UDP (17), length 208)
    8.8.8.8.53 > 10.8.8.160.55432: [udp sum ok] 24239 q: AAAA? www.aljazeera.net. 2/1/1 www.aljazeera.net. [4m59s] CNAME 2-01-3b91-0005.cdx.cedexis.net., 2-01-3b91-0005.cdx.cedexis.net. [19s] CNAME www.aljazeera.net.c.itmdb.net. ns: itmdb.net. [10m] SOA admin.itmdb.net. dns.level3.net. 1533831467 10800 2700 3600000 900 ar: . OPT UDPsize=4096 (180)
15:52:43.991167 IP (tos 0x0, ttl 64, id 31682, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0xb33f (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059166452 ecr 0,nop,wscale 7], length 0
15:52:43.991643 IP (tos 0x0, ttl 64, id 31092, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:52:45.003469 IP (tos 0x0, ttl 64, id 31683, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0xaf4c (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059167463 ecr 0,nop,wscale 7], length 0
15:52:45.004163 IP (tos 0x0, ttl 64, id 31124, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:52:47.015120 IP (tos 0x0, ttl 64, id 31684, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0xa772 (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059169473 ecr 0,nop,wscale 7], length 0
15:52:47.015758 IP (tos 0x0, ttl 64, id 31433, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:52:51.236910 IP (tos 0x0, ttl 64, id 31685, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0x96f8 (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059173691 ecr 0,nop,wscale 7], length 0
15:52:51.237020 IP (tos 0x0, ttl 64, id 32136, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:52:53.635196 IP (tos 0x0, ttl 64, id 36844, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0x1a11 (correct), seq 517, ack 1, win 4117, length 0
15:52:53.635238 IP (tos 0x0, ttl 64, id 89, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [.], cksum 0xcf88 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 2046788684 ecr 801370762], length 0
15:52:59.428374 IP (tos 0x0, ttl 64, id 31686, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0x7701 (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059181874 ecr 0,nop,wscale 7], length 0
15:52:59.428563 IP (tos 0x0, ttl 64, id 33203, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:53:03.743895 IP (tos 0x0, ttl 64, id 37339, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0x1a11 (correct), seq 517, ack 1, win 4117, length 0
15:53:03.743928 IP (tos 0x0, ttl 64, id 90, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [.], cksum 0xa815 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 2046798783 ecr 801370762], length 0
15:53:13.963286 IP (tos 0x0, ttl 64, id 38446, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0x1a11 (correct), seq 517, ack 1, win 4117, length 0
15:53:13.963332 IP (tos 0x0, ttl 64, id 91, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [.], cksum 0x8032 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 2046808994 ecr 801370762], length 0
15:53:15.556361 IP (tos 0x0, ttl 64, id 31687, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.8.160.50120 > 8.254.196.126.443: Flags [S], cksum 0x380f (correct), seq 1286165166, win 29200, options [mss 1460,sackOK,TS val 2059197988 ecr 0,nop,wscale 7], length 0
15:53:15.557306 IP (tos 0x0, ttl 64, id 35198, offset 0, flags [DF], proto UDP (17), length 113)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 85
15:53:20.676057 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.10.1 tell 172.20.10.8, length 28
15:53:20.680461 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.10.1 is-at 6e:4d:73:4d:e8:64, length 46
15:53:24.081028 IP (tos 0x0, ttl 64, id 12722, offset 0, flags [none], proto TCP (6), length 40)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0x1a11 (correct), seq 517, ack 1, win 4117, length 0
15:53:24.081058 IP (tos 0x0, ttl 64, id 92, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [.], cksum 0x58b5 (correct), seq 1, ack 518, win 235, options [nop,nop,TS val 2046819103 ecr 801370762], length 0
15:53:29.425015 IP (tos 0x0, ttl 255, id 34486, offset 0, flags [none], proto UDP (17), length 72)
    172.20.10.2.56853 > 172.20.10.8.53: [udp sum ok] 64884+ A? pubsub-edge.chat.twitch.tv. (44)
15:53:29.425322 IP (tos 0x0, ttl 64, id 54920, offset 0, flags [DF], proto UDP (17), length 72)
    10.8.8.160.30924 > 8.8.4.4.53: [udp sum ok] 62506+ A? pubsub-edge.chat.twitch.tv. (44)
15:53:29.425350 IP (tos 0x0, ttl 64, id 2347, offset 0, flags [DF], proto UDP (17), length 72)
    10.8.8.160.30924 > 8.8.8.8.53: [udp sum ok] 62506+ A? pubsub-edge.chat.twitch.tv. (44)
15:53:29.425370 IP (tos 0x0, ttl 64, id 7941, offset 0, flags [DF], proto UDP (17), length 72)
    127.0.0.1.30924 > 127.0.0.53.53: [bad udp cksum 0xfe7b -> 0xd54d!] 62506+ A? pubsub-edge.chat.twitch.tv. (44)
15:53:29.425381 IP (tos 0xc0, ttl 64, id 36320, offset 0, flags [none], proto ICMP (1), length 100)
    127.0.0.53 > 127.0.0.1: ICMP 127.0.0.53 udp port 53 unreachable, length 80
    IP (tos 0x0, ttl 64, id 7941, offset 0, flags [DF], proto UDP (17), length 72)
    127.0.0.1.30924 > 127.0.0.53.53: [bad udp cksum 0xfe7b -> 0xd54d!] 62506+ A? pubsub-edge.chat.twitch.tv. (44)
15:53:29.425516 IP (tos 0x0, ttl 64, id 35585, offset 0, flags [DF], proto UDP (17), length 125)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 97
15:53:29.629688 IP (tos 0x0, ttl 52, id 10573, offset 0, flags [none], proto UDP (17), length 464)
    81.92.203.124.1194 > 172.20.10.8.47449: [udp sum ok] UDP, length 436
15:53:29.629755 IP (tos 0x0, ttl 52, id 10574, offset 0, flags [none], proto UDP (17), length 464)
    81.92.203.124.1194 > 172.20.10.8.47449: [udp sum ok] UDP, length 436
15:53:29.629933 IP (tos 0x0, ttl 64, id 34983, offset 0, flags [none], proto UDP (17), length 411)
    8.8.8.8.53 > 10.8.8.160.30924: [udp sum ok] 62506 q: A? pubsub-edge.chat.twitch.tv. 8/13/0 pubsub-edge.chat.twitch.tv. [1m] A 52.11.6.102, pubsub-edge.chat.twitch.tv. [1m] A 52.24.140.239, pubsub-edge.chat.twitch.tv. [1m] A 54.69.52.53, pubsub-edge.chat.twitch.tv. [1m] A 35.164.251.222, pubsub-edge.chat.twitch.tv. [1m] A 54.191.89.45, pubsub-edge.chat.twitch.tv. [1m] A 34.211.117.51, pubsub-edge.chat.twitch.tv. [1m] A 54.148.63.30, pubsub-edge.chat.twitch.tv. [1m] A 34.217.238.243 ns: . [9m40s] NS f.root-servers.net., . [9m40s] NS b.root-servers.net., . [9m40s] NS k.root-servers.net., . [9m40s] NS c.root-servers.net., . [9m40s] NS g.root-servers.net., . [9m40s] NS m.root-servers.net., . [9m40s] NS l.root-servers.net., . [9m40s] NS e.root-servers.net., . [9m40s] NS i.root-servers.net., . [9m40s] NS h.root-servers.net., . [9m40s] NS a.root-servers.net., . [9m40s] NS d.root-servers.net., . [9m40s] NS j.root-servers.net. (383)
15:53:29.630144 IP (tos 0x0, ttl 64, id 21952, offset 0, flags [DF], proto UDP (17), length 411)
    172.20.10.8.53 > 172.20.10.2.56853: [udp sum ok] 64884 q: A? pubsub-edge.chat.twitch.tv. 8/13/0 pubsub-edge.chat.twitch.tv. [1m] A 52.11.6.102, pubsub-edge.chat.twitch.tv. [1m] A 52.24.140.239, pubsub-edge.chat.twitch.tv. [1m] A 54.69.52.53, pubsub-edge.chat.twitch.tv. [1m] A 35.164.251.222, pubsub-edge.chat.twitch.tv. [1m] A 54.191.89.45, pubsub-edge.chat.twitch.tv. [1m] A 34.211.117.51, pubsub-edge.chat.twitch.tv. [1m] A 54.148.63.30, pubsub-edge.chat.twitch.tv. [1m] A 34.217.238.243 ns: . [9m40s] NS f.root-servers.net., . [9m40s] NS b.root-servers.net., . [9m40s] NS k.root-servers.net., . [9m40s] NS c.root-servers.net., . [9m40s] NS g.root-servers.net., . [9m40s] NS m.root-servers.net., . [9m40s] NS l.root-servers.net., . [9m40s] NS e.root-servers.net., . [9m40s] NS i.root-servers.net., . [9m40s] NS h.root-servers.net., . [9m40s] NS a.root-servers.net., . [9m40s] NS d.root-servers.net., . [9m40s] NS j.root-servers.net. (383)
15:53:29.630517 IP (tos 0x0, ttl 64, id 51541, offset 0, flags [none], proto ICMP (1), length 56)
    172.20.10.2 > 172.20.10.8: ICMP 172.20.10.2 udp port 56853 unreachable, length 36
    IP (tos 0x0, ttl 64, id 21952, offset 0, flags [DF], proto UDP (17), length 411)
    172.20.10.8.53 > 172.20.10.2.56853: [no cksum] [|domain]
15:53:29.630764 IP (tos 0x0, ttl 64, id 34984, offset 0, flags [none], proto UDP (17), length 411)
    8.8.4.4.53 > 10.8.8.160.30924: [udp sum ok] 62506 q: A? pubsub-edge.chat.twitch.tv. 8/13/0 pubsub-edge.chat.twitch.tv. [1m] A 52.24.140.239, pubsub-edge.chat.twitch.tv. [1m] A 34.217.238.243, pubsub-edge.chat.twitch.tv. [1m] A 35.164.251.222, pubsub-edge.chat.twitch.tv. [1m] A 54.69.52.53, pubsub-edge.chat.twitch.tv. [1m] A 54.191.89.45, pubsub-edge.chat.twitch.tv. [1m] A 52.11.6.102, pubsub-edge.chat.twitch.tv. [1m] A 54.148.63.30, pubsub-edge.chat.twitch.tv. [1m] A 34.211.117.51 ns: . [9m40s] NS c.root-servers.net., . [9m40s] NS l.root-servers.net., . [9m40s] NS b.root-servers.net., . [9m40s] NS i.root-servers.net., . [9m40s] NS k.root-servers.net., . [9m40s] NS f.root-servers.net., . [9m40s] NS g.root-servers.net., . [9m40s] NS d.root-servers.net., . [9m40s] NS e.root-servers.net., . [9m40s] NS j.root-servers.net., . [9m40s] NS a.root-servers.net., . [9m40s] NS m.root-servers.net., . [9m40s] NS h.root-servers.net. (383)
15:53:29.630777 IP (tos 0xc0, ttl 64, id 30431, offset 0, flags [none], proto ICMP (1), length 439)
    10.8.8.160 > 8.8.4.4: ICMP 10.8.8.160 udp port 30924 unreachable, length 419
    IP (tos 0x0, ttl 64, id 34984, offset 0, flags [none], proto UDP (17), length 411)
    8.8.4.4.53 > 10.8.8.160.30924: [udp sum ok] 62506 q: A? pubsub-edge.chat.twitch.tv. 8/13/0 pubsub-edge.chat.twitch.tv. [1m] A 52.24.140.239, pubsub-edge.chat.twitch.tv. [1m] A 34.217.238.243, pubsub-edge.chat.twitch.tv. [1m] A 35.164.251.222, pubsub-edge.chat.twitch.tv. [1m] A 54.69.52.53, pubsub-edge.chat.twitch.tv. [1m] A 54.191.89.45, pubsub-edge.chat.twitch.tv. [1m] A 52.11.6.102, pubsub-edge.chat.twitch.tv. [1m] A 54.148.63.30, pubsub-edge.chat.twitch.tv. [1m] A 34.211.117.51 ns: . [9m40s] NS c.root-servers.net., . [9m40s] NS l.root-servers.net., . [9m40s] NS b.root-servers.net., . [9m40s] NS i.root-servers.net., . [9m40s] NS k.root-servers.net., . [9m40s] NS f.root-servers.net., . [9m40s] NS g.root-servers.net., . [9m40s] NS d.root-servers.net., . [9m40s] NS e.root-servers.net., . [9m40s] NS j.root-servers.net., . [9m40s] NS a.root-servers.net., . [9m40s] NS m.root-servers.net., . [9m40s] NS h.root-servers.net. (383)
15:53:29.630789 IP (tos 0x0, ttl 64, id 35601, offset 0, flags [DF], proto UDP (17), length 492)
    172.20.10.8.47449 > 81.92.203.124.1194: [udp sum ok] UDP, length 464
15:53:30.424622 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [F.], cksum 0x944d (correct), seq 518, ack 1, win 4117, options [nop,nop,TS val 801417158 ecr 2046819103], length 0
15:53:30.425122 IP (tos 0x0, ttl 64, id 93, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.8.443 > 172.20.10.2.50311: Flags [F.], cksum 0x8ab2 (correct), seq 1, ack 519, win 235, options [nop,nop,TS val 2046825443 ecr 801417158], length 0
15:53:30.425935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.20.10.2.50311 > 172.20.10.8.443: Flags [.], cksum 0x7b87 (correct), seq 519, ack 2, win 4117, options [nop,nop,TS val 801417159 ecr 2046825443], length 0

oldium commented 6 years ago

I guess that the second attempt succeeded - the difference is the order of the responses. The first attempt got the AAAA response (no IPv6 address) and then the A response (with IPv4 address), while the second one got the A response first (with IPv4 address) and then the AAAA response (no IPv6 address).

From the timeouts it looks like the second response could be ignored, but the current code looks good to me.
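
The ordering question raised in this comment, as an added example that is not part of the thread and is not sniproxy or udns code: when A and AAAA queries are outstanding in parallel, an empty AAAA response has to stay inconclusive until the A response is known, otherwise the result depends on arrival order. All names (`naive_step`, `dual_step`, `replay`) are hypothetical, and the response sequences are constructed from the two orderings described above.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not sniproxy or udns code. */
enum rr { RR_A = 0, RR_AAAA = 1 };
enum outcome { PENDING, USE_IPV4, USE_IPV6, FAIL_NODATA };
struct response { enum rr type; int naddr; };   /* naddr == 0: NODATA */
struct lookup { bool seen[2]; int naddr[2]; enum outcome result; };
typedef enum outcome (*step_fn)(struct lookup *, struct response);

/* For contrast only: decides on whichever response arrives first. */
static enum outcome naive_step(struct lookup *l, struct response r)
{
    if (l->result == PENDING)
        l->result = r.naddr == 0 ? FAIL_NODATA
                  : r.type == RR_A ? USE_IPV4 : USE_IPV6;
    return l->result;
}

/* Order-independent, IPv4 preferred: an empty AAAA alone decides nothing. */
static enum outcome dual_step(struct lookup *l, struct response r)
{
    if (l->result != PENDING)
        return l->result;               /* late response after a decision */
    l->seen[r.type] = true;
    l->naddr[r.type] = r.naddr;
    if (l->seen[RR_A] && l->naddr[RR_A] > 0)
        l->result = USE_IPV4;
    else if (l->seen[RR_A] && l->seen[RR_AAAA])
        l->result = l->naddr[RR_AAAA] > 0 ? USE_IPV6 : FAIL_NODATA;
    return l->result;
}

/* Replay a response sequence through one handler; return the final state. */
enum outcome replay(step_fn step, const struct response *seq, size_t n)
{
    struct lookup l = { {false, false}, {0, 0}, PENDING };
    for (size_t i = 0; i < n; i++)
        step(&l, seq[i]);
    return l.result;
}

/* Constructed input: the two arrival orders described in the thread. */
const struct response aaaa_first[] = { { RR_AAAA, 0 }, { RR_A, 8 } };
const struct response a_first[]    = { { RR_A, 8 }, { RR_AAAA, 0 } };
int main(void)
{
    printf("AAAA first: naive=%d dual=%d\n", (int)replay(naive_step, aaaa_first, 2), (int)replay(dual_step, aaaa_first, 2));
    return 0;
}
```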