NAT networking corrupts EDNS0 packets

[Zbynek Michl]

Hello,

I have VirtualBox running on Linux, host is Debian, guest Ubuntu and NAT network adapter. When I try to ask my DNS resolver with EDNS0, reply packet from resolver is corrupted in some cases (when packet is larger than cca 1500 bytes). Bridge networking works correctly.

dig answer using NAT:

$ dig +edns=0 nic.cz ANY @217.31.204.130
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.7.0-P1 <<>> +edns=0 nic.cz ANY @217.31.204.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8960
;; flags: qr rd ra; QUERY: 1, ANSWER: 23, AUTHORITY: 0, ADDITIONAL: 8
;; WARNING: Messages has 10 extra bytes at end

;; QUESTION SECTION:
;nic.cz.				IN	ANY

;; ANSWER SECTION:
nic.cz.			108	IN	SOA	a.ns.nic.cz. hostmaster.nic.cz. 1288922585 10800 3600 1209600 7200
nic.cz.			108	IN	RRSIG	SOA 5 2 1800 20101119010305 20101105010305 60479 nic.cz. TrF9zVN9n5SXMNOt1uPivtG4NVpnQZWRQxoT94GEGhP61Z8fdt3cDTw3 RRg1aXBVFEk2E/N6aa5iR93B9FMdPvQq0UVrZhEW/uHEac/d731ayD7G XxiTsA4caTAIN0t6MbL8SnodK73Sm+5eGTi0Hv79pxHLc/gCt1oZMxKQ u+A=
nic.cz.			1667	IN	NS	a.ns.nic.cz.
nic.cz.			1667	IN	NS	b.ns.nic.cz.
nic.cz.			1667	IN	NS	d.ns.nic.cz.
nic.cz.			1667	IN	RRSIG	NS 5 2 1800 20101119010305 20101105010305 60479 nic.cz. kAE79XWQUML3NB6WW/1+H2pA68matuhhfITNlpIwBh96Z78pCQZxC0x/ CM4a9aQUm+RG+V+vfQqd41GXXRxE7RfYqj8cEEnJI3SmFmQuLmVCrRZH m2/oWD5KvGCoWgo5QYnZgJWpkESRgDyD75jRbryW3AMAHQupg3FiEivV fn4=
nic.cz.			749	IN	A	217.31.205.50
nic.cz.			749	IN	RRSIG	A 5 2 1800 20101119010305 20101105010305 60479 nic.cz. d1KmnlwB+j9F63h1w7YceU3cCXCq+7/0ePTVqXLOgcREBPaT9jUz7ypd zx9rTxkbuWXZ+R177+IhXOxWoyLz4be/8UAesOiiRp0Sh8JF0qlAEE1n zj70RjW/B8AvtCyU4m7hh0/gULpsV767ikHhLM6GT4LIKfZAuvO1qJk4 2uA=
nic.cz.			749	IN	MX	10 mail.nic.cz.
nic.cz.			749	IN	MX	15 mail4.nic.cz.
nic.cz.			749	IN	MX	20 mx.cznic.org.
nic.cz.			749	IN	MX	30 bh.nic.cz.
nic.cz.			749	IN	RRSIG	MX 5 2 1800 20101119010305 20101105010305 60479 nic.cz. E4P3OpDV0YVK1oAQqVwvBhQQGIkD5BIvdBF/ehMJeOkB790OfOlFf9KP F8tlQuzdhMbFVk4y1FqnB0+LLtKnkpEVZGf62ykElZ0itLvBEiuTmQ9l TyRw6aOqNNfzEKirYVPxdq4dPbp6Wg8uAqLVEQgXebT0AQZuH6ond21F cuE=
nic.cz.			749	IN	AAAA	2001:1488:0:3::2
nic.cz.			749	IN	RRSIG	AAAA 5 2 1800 20101119010305 20101105010305 60479 nic.cz. R4JRLPzyf9Rv2iZojLBn3AWRCgtIZO1HpA1lWQMs9kMDf6qyGEax+09V 432eh2/ltacVRy+a4aAdlLS8ppxhuIogAlh4uNZQIgimX0c5OqK1UpMk Ii/dZu609Ba9Ydh8ARhdN63gQGmiLbl0bTd0GsfCWJdGTYwlmS7bbU9Q eEw=
nic.cz.			7173	IN	NSEC	6to4.nic.cz. A NS SOA MX AAAA RRSIG NSEC DNSKEY
nic.cz.			7173	IN	RRSIG	NSEC 5 2 7200 20101119010305 20101105010305 60479 nic.cz. CYGrCVtYRj6XJVgmg2TpuTnxZAJ2kqianoudzKSJEBl+ZmMKyyKwuzdI UHjqIX5tLgrDIhzrgk/y6cqWeslJtTpJZCdqN53CN2yXTqMFG1ygQKFK /S3tN4anUp1BZPI98NpJe0gJOK+H+PUu+AULKMV26QyqHMoYB9rZPVPC wyg=
nic.cz.			2549	IN	DNSKEY	256 3 5 BQEAAAABngr4fPoI01A+Rlcz0o9pNj0rHnK1b5A6ODrmYIX2hKkCkw8c vCNC5QAkhw3v8CN61TJBdbKeO++sxDPr59J86TIWIvXNNX9Sp4OJ756T Wo4nD344rf+pQjOFWrlasrPZwz/tdgVlJLI3bc+izxGmGD3gJX1rVhOF VnqfYMp4jos=

;; Query time: 2 msec
;; SERVER: 217.31.204.130#53(217.31.204.130)
;; WHEN: Wed Nov 10 12:46:19 2010
;; MSG SIZE  rcvd: 1458

dig answer using bridge networking (packet is OK):

$ dig +edns=0 nic.cz ANY @217.31.204.130

; <<>> DiG 9.7.0-P1 <<>> +edns=0 nic.cz ANY @217.31.204.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46077
;; flags: qr rd ra; QUERY: 1, ANSWER: 23, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nic.cz.				IN	ANY

;; ANSWER SECTION:
nic.cz.			1800	IN	SOA	a.ns.nic.cz. hostmaster.nic.cz. 1288922585 10800 3600 1209600 7200
nic.cz.			1800	IN	RRSIG	SOA 5 2 1800 20101119010305 20101105010305 60479 nic.cz. TrF9zVN9n5SXMNOt1uPivtG4NVpnQZWRQxoT94GEGhP61Z8fdt3cDTw3 RRg1aXBVFEk2E/N6aa5iR93B9FMdPvQq0UVrZhEW/uHEac/d731ayD7G XxiTsA4caTAIN0t6MbL8SnodK73Sm+5eGTi0Hv79pxHLc/gCt1oZMxKQ u+A=
nic.cz.			1800	IN	NS	b.ns.nic.cz.
nic.cz.			1800	IN	NS	a.ns.nic.cz.
nic.cz.			1800	IN	NS	d.ns.nic.cz.
nic.cz.			1800	IN	RRSIG	NS 5 2 1800 20101119010305 20101105010305 60479 nic.cz. kAE79XWQUML3NB6WW/1+H2pA68matuhhfITNlpIwBh96Z78pCQZxC0x/ CM4a9aQUm+RG+V+vfQqd41GXXRxE7RfYqj8cEEnJI3SmFmQuLmVCrRZH m2/oWD5KvGCoWgo5QYnZgJWpkESRgDyD75jRbryW3AMAHQupg3FiEivV fn4=
nic.cz.			1800	IN	A	217.31.205.50
nic.cz.			1800	IN	RRSIG	A 5 2 1800 20101119010305 20101105010305 60479 nic.cz. d1KmnlwB+j9F63h1w7YceU3cCXCq+7/0ePTVqXLOgcREBPaT9jUz7ypd zx9rTxkbuWXZ+R177+IhXOxWoyLz4be/8UAesOiiRp0Sh8JF0qlAEE1n zj70RjW/B8AvtCyU4m7hh0/gULpsV767ikHhLM6GT4LIKfZAuvO1qJk4 2uA=
nic.cz.			1800	IN	MX	10 mail.nic.cz.
nic.cz.			1800	IN	MX	15 mail4.nic.cz.
nic.cz.			1800	IN	MX	20 mx.cznic.org.
nic.cz.			1800	IN	MX	30 bh.nic.cz.
nic.cz.			1800	IN	RRSIG	MX 5 2 1800 20101119010305 20101105010305 60479 nic.cz. E4P3OpDV0YVK1oAQqVwvBhQQGIkD5BIvdBF/ehMJeOkB790OfOlFf9KP F8tlQuzdhMbFVk4y1FqnB0+LLtKnkpEVZGf62ykElZ0itLvBEiuTmQ9l TyRw6aOqNNfzEKirYVPxdq4dPbp6Wg8uAqLVEQgXebT0AQZuH6ond21F cuE=
nic.cz.			1800	IN	AAAA	2001:1488:0:3::2
nic.cz.			1800	IN	RRSIG	AAAA 5 2 1800 20101119010305 20101105010305 60479 nic.cz. R4JRLPzyf9Rv2iZojLBn3AWRCgtIZO1HpA1lWQMs9kMDf6qyGEax+09V 432eh2/ltacVRy+a4aAdlLS8ppxhuIogAlh4uNZQIgimX0c5OqK1UpMk Ii/dZu609Ba9Ydh8ARhdN63gQGmiLbl0bTd0GsfCWJdGTYwlmS7bbU9Q eEw=
nic.cz.			7200	IN	NSEC	6to4.nic.cz. A NS SOA MX AAAA RRSIG NSEC DNSKEY
nic.cz.			7200	IN	RRSIG	NSEC 5 2 7200 20101119010305 20101105010305 60479 nic.cz. CYGrCVtYRj6XJVgmg2TpuTnxZAJ2kqianoudzKSJEBl+ZmMKyyKwuzdI UHjqIX5tLgrDIhzrgk/y6cqWeslJtTpJZCdqN53CN2yXTqMFG1ygQKFK /S3tN4anUp1BZPI98NpJe0gJOK+H+PUu+AULKMV26QyqHMoYB9rZPVPC wyg=
nic.cz.			3600	IN	DNSKEY	257 3 5 BQEAAAABt3LenoCVTV0okqKYPDnnVJqvwCD9MKJNXg8fcOCdLQYncyoe hpwM5RK2UkZDcDxWkMo7yMa35ej+Mhpaji9si4xXD+Syl4Q06LFiFkdN /5GlVlrIdE3GW7zC7Z4sS14Vz8FbYfcRmhsh19Ob718jGZneGfw2UPbv kyxUR8wD7mguZn02fQ6tjj/Ktp4uSW9tpz3bjGMo2rX+iZk4xgbPaesA OlR/AaHdatGZsWC9CPon8mnLZeu6czm8CBDgBmnf3PE8c5+uyWj1Pw4p p0VQmnX5UrnuGpErg7qXhJm7wY2CRVRMcLX3zmjVWXW1uT9JFh2G+/pZ zxnASfKKltZpuw==
nic.cz.			3600	IN	DNSKEY	256 3 5 BQEAAAABngr4fPoI01A+Rlcz0o9pNj0rHnK1b5A6ODrmYIX2hKkCkw8c vCNC5QAkhw3v8CN61TJBdbKeO++sxDPr59J86TIWIvXNNX9Sp4OJ756T Wo4nD344rf+pQjOFWrlasrPZwz/tdgVlJLI3bc+izxGmGD3gJX1rVhOF VnqfYMp4jos=
nic.cz.			3600	IN	DNSKEY	257 3 5 AwEAAcNkfvS/b/+0Du0eVViVBnxb5Rt2jDAiv+NLqX53ka03NbYiq2Rv c7IZ+zhfo40PwDCIuJ7/CMXvOkkX7GAnC5CQWZ4jGoA//xtxJ/HIAFkf ThmK5oQqAsdtgjFliRo1QFsXLMbqQlyc0H5xT5Vqlh72U0JlRJUnYtVe F4AThcvwpUI0Rqwt4l80iDwFxes04c1AcBJZKigFX9hlcQi/LyEFOSb+ QP6+K/d/A+p2JydozxV+dRqHIl0oH/hU0FJy9U3VW50yUsPHWeeAdbCJ c+GWSpiGtFIsikTZYzZOWzHt5yiGRlOw1TU9gsl0mjcEM+GZxomPijbV jN2+d9r4Hgc=
nic.cz.			3600	IN	RRSIG	DNSKEY 5 2 3600 20101119010305 20101105010305 27979 nic.cz. Q3QgfuTgPzcY1FdtkZ7nL1nDPbTd+LWJ+PPjqQlZNCF+BVHf8W3rfzN5 hhf8JEx+ewlmZNoDtIE0OZ2Ua838RKb79EqJgZGjVoLFEA7JoI54dX+y exRvrt1l/XMXOwCOK4ItdGdfAQ7+U2qrXHQ7azY1FcrNUqMK62bNUQgn 3HKYP57fYTeX8kg2RNZxJmJwCnEvxxL4l5yT1LaTaYfhPWPqXS0hiG1z eIEpXbfKZTWVFEmQWi7AEKch/Uux1YL5fVdov/L8KHlQHVF6/YRqOp6e eYLln3GttDbqzQ2b1p5Drs2xrDWltmqWXT9bv4zEuLbIAhpbxRM9c6iq sBRXCw==
nic.cz.			3600	IN	RRSIG	DNSKEY 5 2 3600 20101119010305 20101105010305 59916 nic.cz. QSRvNDGapwSC5y8m8liJjK0IFASV21kC8VqVYjanzerlEqrQ2hLvHqpF X37VjZ36Rvti22EnwCSVneuxy9qstenI11S2Og98E86x35lwXcxk+ze6 JmMvr24khI0XYFNlgYi5OZ47ugPibADD8rdxD9JG8LA3C5wifc+UO2lq wyOTv8MUwFHqazsLHN2/hMDznkCnldPWbyLXHtYsUFMVWX14nuDCevAU heqJDW7nKjeV8AfCpBrY7TZcPR1lIktlq+VIOO4OSSU0SqqI4mXZiG5O 9CE8u/XOfFk93z7iupkP6ktL0LyDOM9cGiY36y6n9r9KwSdxe8iP5g4T 7sy/Lw==
nic.cz.			3600	IN	RRSIG	DNSKEY 5 2 3600 20101119010305 20101105010305 60479 nic.cz. UAwYv6Uz8UW+jpJ2Rq3pkAp2Tmh+uKte25EtxIGlMI6UKY78LwOYQsL4 ODUmb0xHa9Ut2yCCCykdZKswsIFCc8j6gzlBIrPSBzXu34w49fzNUdnh KaPmlbhnhTbQa505hjXv6fEjf8rhNnHyDFcc2h+XJ2/q8NiU5BnEDTXi +ec=

;; ADDITIONAL SECTION:
a.ns.nic.cz.		1800	IN	A	194.0.12.1
a.ns.nic.cz.		1800	IN	AAAA	2001:678:f::1
b.ns.nic.cz.		1800	IN	A	194.0.13.1
b.ns.nic.cz.		1800	IN	AAAA	2001:678:10::1
d.ns.nic.cz.		1800	IN	A	193.29.206.1
d.ns.nic.cz.		1800	IN	AAAA	2001:678:1::1

;; Query time: 13 msec
;; SERVER: 217.31.204.130#53(217.31.204.130)
;; WHEN: Wed Nov 10 12:49:03 2010
;; MSG SIZE  rcvd: 2887

I am attaching files with captured network traffic (both NAT and bridge).

Regards,
Zbynek