Date: Tue, 28 Jan 2003 16:11:51 +0100
From: Mark <admin@asarian-host.net>
To: "Matthew Seaman" <m.seaman@infracaninophile.co.uk>, <freebsd-questions@freebsd.org>
Subject: Re: How to stop BIND from using high ports?
Message-ID: <200301281512.H0SFC1991673@asarian-host.net>
References: <200301281029.H0SATM937146@asarian-host.net> <20030128125210.GB20406@happy-idiot-talk.infracaninophi>
----- Original Message -----
From: "Matthew Seaman" <m.seaman@infracaninophile.co.uk>
To: <freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, January 28, 2003 1:52 PM
Subject: Re: How to stop BIND from using high ports?

> On Tue, Jan 28, 2003 at 11:29:28AM +0100, Mark wrote:
>
> > I am having a bit of a problem. One might say, a serious problem. :(
> > When other servers query my name servers, they send queries with a
> > source port of 53; but apparently my BIND (8.3.4) is responding from
> > a high port (seemingly random). And this is causing some trouble. :(
> > How can I prevent that??
> >
> > In my "options" section I have
> >
> >     query-source address * port 53;

Hi Matthew,

Yours was a very useful reply. :) I truly appreciate your time and effort
here. And your dynamic rules were equally useful.

> Looks right to me. You might also want to investigate:
>
>     transfer-source 81.2.69.218 port 53;
>     notify-source 81.2.69.218 port 53;
>
> if you have off-site secondaries. Check that the syntax is correct
> for Bind8 --- I just copied that out of my Bind9 config.

I don't think you can specify a port for "transfer-source" in BIND 8.x, but
as I only allow XFRs from trusted parties, this should not be an issue,
I think.

> > But my log is filled with entries like these:
> >
> >     Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0
> >     Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
> >     Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
> >
> > Which seems to suggest that for outgoing UDP a random high port is
> > being used. :( And I do not understand why. :(
>
> I assume that 10.0.0.2 is the IP number of your DNS machine.

Yes.

> Then it would appear to be doing exactly what it's been told to. All the
> replies it sends have the source IP address of the machine and the
> *source* port 53.

You know what? You are absolutely right. :) I guess I read it wrong, in my
panic (the kernel is not the only one prone to panic attacks).
Problem is, an ISP in Australia cannot resolve me; and, as I wrote the admin,
he responded:

    "Our name servers are configured to send queries with a source port of
    53 .. but when we do so, you respond from a high port? ... I suspect that
    bind is throwing away your replies because they don't match the expected
    response ip/port combination."

I tried to resolve my domain name via their name server ("ns1.optusnet.com.au"
= 203.2.75.2), and, indeed, that fails. He gave me the following log entries,
though:

--[ with src port = 53 ]--------
15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain: [udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain: 6636*- q: A?

Here it seems my BIND is indeed replying with a source port of 34336. Very
peculiar. I have no idea how this is possible. :(

Again, thank you for your time and energy. If you have any more bright ideas
(not meant sarcastically), be sure to tell me. :)

- Mark
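The thread turns on reading two log formats correctly: the ipfw lines list source before destination, so "10.0.0.2:53 15.251.160.31:32852 out" is a reply *from* port 53 to a remote high port, while the tcpdump line "194.109.160.70.34336 > 210.49.20.142.domain" really is a packet leaving the server from port 34336. The script below is an added example, not code from the thread or from BIND: it parses both formats (tcpdump prints port 53 as "domain"), classifies each UDP datagram relative to the name server's own addresses, and reports outbound packets whose source port is not 53, which is exactly what a remote resolver that expects the reply from port 53 would discard. The server address set and the "203.2.75.2" sample line are assumptions and constructed input; the other sample lines are the ones quoted in the thread. One caveat a practitioner should keep in mind: pinning the query source port to 53 also removes the source-port randomization that modern resolvers rely on against cache poisoning; that is a separate concern from the reply-port mismatch discussed here.

```python
"""Flag DNS datagrams a name server sends from a source port other than 53.

Added example (not from the original thread). Handles two log formats seen
in the thread:
  ipfw:     "Accept UDP SRC:PORT DST:PORT out via rl0"   (source listed first)
  tcpdump:  "HH:MM:SS.ffffff SRC.PORT > DST.PORT: ..."   (port 53 shown as "domain")
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the name server's own addresses (LAN address and public address).
SERVER_IPS = {"10.0.0.2", "194.109.160.70"}
DNS_PORT = 53

IPFW_RE = re.compile(
    r"Accept UDP (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)
TCPDUMP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+):"
)


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    origin: str  # "ipfw" or "tcpdump"


def _port(token: str) -> int:
    # tcpdump substitutes the service name for well-known ports.
    return DNS_PORT if token == "domain" else int(token)


def parse_line(line: str) -> Optional[UdpPacket]:
    """Return a UdpPacket for a recognised ipfw or tcpdump line, else None."""
    m = IPFW_RE.search(line)
    if m:
        return UdpPacket(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), "ipfw")
    m = TCPDUMP_RE.match(line.strip())
    if m:
        return UdpPacket(m["src"], _port(m["sport"]), m["dst"], _port(m["dport"]), "tcpdump")
    return None


def classify(pkt: UdpPacket, server_ips=SERVER_IPS) -> str:
    """inbound_to_53: a query to us; outbound_from_53: what query-source
    port 53 should produce for both replies and our own queries;
    outbound_highport: the case the remote admin complained about."""
    if pkt.dst in server_ips and pkt.dport == DNS_PORT:
        return "inbound_to_53"
    if pkt.src in server_ips:
        return "outbound_from_53" if pkt.sport == DNS_PORT else "outbound_highport"
    return "other"


def find_bad_source_ports(lines: Iterable[str], server_ips=SERVER_IPS) -> List[UdpPacket]:
    """Outbound datagrams from the server that do not use source port 53."""
    bad = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and classify(pkt, server_ips) == "outbound_highport":
            bad.append(pkt)
    return bad


# Constructed sample input: the thread's own log lines plus one made-up inbound
# query from the Australian resolver (203.2.75.2) to the LAN address.
SAMPLE_LOG = [
    "Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0",
    "Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0",
    "Accept UDP 203.2.75.2:53 10.0.0.2:53 in via rl0",  # constructed
    "15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain: "
    "[udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)",
    "15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain: 6636*- q: A?",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_line(line)
        print(f"{classify(pkt):18} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    for pkt in find_bad_source_ports(SAMPLE_LOG):
        print(f"MISMATCH: reply left {pkt.src} from port {pkt.sport}, not {DNS_PORT}")
```

Run it against a real ipfw log or a `tcpdump -n udp port 53` capture taken on the server's external interface, with SERVER_IPS set to that host's addresses; only the "outbound_highport" rows need explaining, and if the same mismatch appears on the server itself and not just at the remote end, the port is being chosen locally rather than rewritten by something in between.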