Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2357530.1
Update Date:2018-02-07
Keywords:

Solution Type  Technical Instruction Sure

Solution  2357530.1 :   Diameter Signaling Router (DSR) : How To Determine if Domain Name System (DNS) Port 53 is Open Between DSR Servers  


Related Items
  • Oracle Communications Diameter Signaling Router (DSR)
Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Global Signaling Solutions>SN-SND: Tekelec DSR






Created from <SR 3-16802873141>

Applies to:

Oracle Communications Diameter Signaling Router (DSR) - Version DSR 7.1.0 to DSR 8.1.1 [Release DSR 7.0 to DSR 8.0]
Tekelec

Goal

When preparing for a software upgrade, or preparing to execute the 'Accept Upgrade' step at the conclusion of software upgrade activities, on the Oracle Communications Diameter Signaling Router (DSR) [and/or Subscriber Data Server (SDS) for Full Address Based Resolution (FABR)], it is important to ensure that Domain Name System (DNS) traffic can traverse between and among all servers in a DSR system.

DNS traffic is used to resolve hostname-to-IP Addressing, and traverses IP networks using port 53 on both TCP and UDP.  For DSR release 7.1 and above, hostname resolution is achieved exclusively using DNS.  Therefore, software upgrades that come from a release prior to DSR 7.1 and upgrade to release 7.1 or later will encounter problems if hostname resolution via DNS is not successful.

Solution

Network equipment such as firewall appliances, routing & switching gear enforcing access lists, or even kernel based iptables can filter DNS traffic.  Although such screens are most likely to be found between equipment pairs that are geographically separated (i.e. NOAM and SOAM), it is recommended to check between co-located servers within and among the DSR network.

 

Preparing for Software Upgrade to or beyond DSR 7.1:

Example terms:
   localServer = any server
   remoteServer = target server, typically SOAM or NOAM
   remoteServer_IP = target server's IP address, example 10.x.x.x

Command syntax: 

nmap -p 53 remoteServer_IP

At this stage, DNS is not operating on the endpoint servers, since they have not yet been upgraded to or beyond release 7.1, so nmap will issue a warning regarding reverse DNS. This warning can be ignored. The STATE column is the most important part of the output.

Example command along with example output:

[admusr@localServer ~]$ nmap -p 53 10.x.x.x

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-05 16:40 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for remoteServer (10.x.x.x)
Host is up (0.000091s latency).
PORT  STATE  SERVICE
53/tcp closed domain

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
[admusr@localServer ~]$

STATE above indicates 'closed' which means the specified port (in our case, 53) on the remote server has no application listening on it.
This is normal and typical for DSR if not yet upgraded to 7.1 or later release that uses DNS. The query was otherwise successful.
If STATE in the nmap output includes the word 'filtered' (alone or paired with 'open' or 'closed') then a firewall is in place somewhere along the path between servers and must be located and corrected to allow DNS traversal.

 

Preparing for 'Accept Upgrade' step at conclusion of DSR upgrade to 7.1 or later software:

Upon 'Accept Upgrade' activity, the hostname-to-IP resolution will be conducted exclusively by DNS. Server communication over DNS should be checked/verified prior to 'Accept Upgrade.'

Command syntax (same as before):

nmap -p 53 remoteServer_IP

Example command along with example output:

[admusr@localServer ~]$ nmap -p 53 10.x.x.x

Starting Nmap 5.51 ( http://nmap.org ) at 2018-02-05 16:59 EST
Nmap scan report for remoteServer.platform.cgbu.us.oracle.com (10.75.56.43)
Host is up (0.000035s latency).
PORT STATE SERVICE
53/tcp open domain

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

[admusr@localServer ~]$

STATE above indicates 'open', which means the application on that target server is listening for packets on that port (53) and that DNS over TCP is not blocked within the network.
If STATE in the nmap output includes the word 'filtered' (alone or paired with 'open' or 'closed') then a firewall is in place somewhere along the path between servers and must be located and corrected to allow DNS traversal.

Oracle recommends checking DNS communications both prior to beginning a DSR software upgrade and again just prior to accepting the upgrade to verify that DNS communication is available.

 

Notes:
1. The "nmap" utility is helpful but does not provide full certainty that DNS will be unimpeded. The utility is dependent on several factors and is focused on TCP. Successful DNS traversal requires both TCP and UDP port 53 to be open and available between servers. It is the operator's responsibility to ensure that all pathways between and among DSR servers are able to carry DNS traffic successfully.
2. The most important paths are C-level servers (MP, IPFE, etc.) to the local SOAM servers (including remote SOAM spares, if applicable) and between & among local SOAM servers to all NOAM servers (active, standby, and any 'disaster recovery' NOAM servers). All pathways normally utilized between and among servers will need to use DNS, although verifying a subset of each pathway type may be sufficient.
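
The check from Note 1 extended to cover UDP as well as TCP, as an added example that is not part of the original Oracle document. The function names, the sample outputs and the use of sudo for the UDP scan are assumptions made for illustration; the STATE rules are the ones given above.

```shell
#!/bin/sh
# Added example: classify nmap port-53 results by the article's STATE rules.

# classify_port53: nmap normal output on stdin -> "<proto> <state> <verdict>"
classify_port53() {
    awk '$1 ~ /^53\/(tcp|udp)$/ {
        split($1, p, "/")
        if ($2 ~ /filtered/)     v = "filtered"     # firewall/ACL on the path
        else if ($2 == "open")   v = "ok"           # DNS listener reachable
        else if ($2 == "closed") v = "no-listener"  # path clear, nothing bound
        else                     v = "unknown"
        print p[2], $2, v
    }'
}

# dns_path_clear: succeeds only if BOTH 53/tcp and 53/udp were reported and
# neither state contains "filtered" (Note 1: TCP alone is not sufficient).
dns_path_clear() {
    classify_port53 | awk '
        $3 == "filtered" { bad = 1 }
        { seen[$1] = 1 }
        END { exit !(seen["tcp"] && seen["udp"] && !bad) }'
}

# scan_port53: TCP connect scan plus UDP scan of port 53; -n skips reverse DNS.
# -sU needs root; sudo availability for the operator account is an assumption.
scan_port53() { sudo nmap -n -sT -sU -p 53 "$1"; }

# Constructed sample outputs (not captured from a real DSR system).
# nmap reports a UDP port as open|filtered when it receives no reply at all.
SAMPLE_OK='PORT   STATE SERVICE
53/tcp open  domain
53/udp open  domain'
SAMPLE_FILTERED='PORT   STATE         SERVICE
53/tcp open          domain
53/udp open|filtered domain'

# Usage: sh check_dns53.sh <remoteServer_IP> [...]; does nothing without arguments.
for ip in "$@"; do
    out=$(scan_port53 "$ip")
    printf '%s\n' "$out" | classify_port53 | sed "s/^/$ip /"
    printf '%s\n' "$out" | dns_path_clear ||
        echo "$ip: port 53 not clear on TCP and UDP, check firewalls/ACLs/iptables"
done
```

Before the upgrade a 'closed' state on both protocols passes this check, matching the article's statement that a closed port is normal when no DNS service is running yet.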

Applies to:

Oracle Communications Diameter Signaling Router (DSR) - Version DSR 7.1.0 and later


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.