query source oddity
Jim Reid
jim at rfc1035.com
Fri Dec 17 21:02:21 UTC 1999
>>>>> "Daniel" == Daniel Baird <daniel at optus.net.au> writes:
Daniel> 192.65.x.x is my home server running 8.2.2-P5 WITHOUT the
Daniel> query source directive 202.139.x.x is a name server
Daniel> running 8.2.2-P5 WITH the query source directive
Daniel> [query from 192.65.x.x to 202.139.x.x]
Daniel> 192.65.x.x.1083 > 202.139.x.x.domain: 22516+ (45)
Daniel> 202.139.x.x.domain > 192.65.x.x.1083: 22516* 1/3/3 (259) (DF)
Daniel> 192.65.x.x.1083 >202.139.x.x.domain: 63672+ (44)
Daniel> 202.139.x.x.domain > 192.65.x.x.1083: 63672* 1/4/4 (249) (DF)
Daniel> 192.65.x.x.1083 > 202.139.x.x.domain: 45154+ (44)
Daniel> 202.139.x.x.domain >192.65.x.x.1083: 45154* 1/2/2 (180) (DF)
Daniel> [query from 202.139.x.x to 192.65.x.x]
Daniel> 202.139.x.x.domain > 192.65.x.x.domain: 40059 SOA? tristre.com. (29) (DF)
Daniel> 192.65.x.x.domain > 202.139.x.x.domain: 40059* 1/2/2 (167)

The above tcpdump output is consistent with what you've outlined. We
first see queries from some random non-privileged port (1083 in this
case) on 192.65.x.x to 202.139.x.x. [Why hide the addresses?] These
have to go to port 53 on that server obviously. Since 192.65.x.x isn't
using the query-source option, its queries will be sent from a random
non-privileged port number. Each query is followed by a reply from
202.139.x.x to 192.65.x.x. For each reply, the destination and source
addresses and port numbers get swapped. This is how it should be.

The second case shows a query from 202.139.x.x - this time using port
53 - to the name server on 192.65.x.x. This time the outgoing query
uses port 53 because that's what you've configured the name server on
202.139.x.x to do through the query-source clause.

What do you think is wrong? Could you be thinking that the replies
from the other name server are queries?

The second tcpdump output is a little more helpful. "SOA? tristre.com"
indicates that 202.139.x.x asked for the SOA record for that domain.
That query had a query ID of 40059. The "1/2/2" shows that the reply
contained 1 RR in the answer section, 2 in the authority section and 2
in the additional information section. Presumably these are the
zone's SOA record, its 2 NS records and the IP addresses of those name
servers respectively. The (DF) indicates that the Don't Fragment bit
was sent in the packets - it always is in DNS queries. IIRC the number
in parentheses is the query or reply length.
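
Added example, not part of the original post: Python that parses tcpdump DNS lines of the shape quoted in this thread, tells queries from replies, pairs them by query ID and swapped endpoints, and flags queries sent from port 53 as a query-source setting would produce. The regular expression, the function names and the field names are assumptions made for this example and cover only the line shapes shown in the post.

```python
import re

# Lines copied from the tcpdump output quoted in the post (addresses masked there).
SAMPLE = """\
192.65.x.x.1083 > 202.139.x.x.domain: 22516+ (45)
202.139.x.x.domain > 192.65.x.x.1083: 22516* 1/3/3 (259) (DF)
202.139.x.x.domain > 192.65.x.x.domain: 40059 SOA? tristre.com. (29) (DF)
192.65.x.x.domain > 202.139.x.x.domain: 40059* 1/2/2 (167)
"""

# src.port > dst.port: id[flags] [question | an/ns/ar counts] (length) [(DF)]
LINE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^.\s:]+)\s*>\s*(?P<dst>\S+)\.(?P<dport>[^.\s:]+):\s+"
    r"(?P<id>\d+)(?P<flags>[^\s\d]*)\s+(?P<rest>.*?)\s*\((?P<len>\d+)\)"
    r"(?P<df>\s+\(DF\))?\s*$")
COUNTS = re.compile(r"\b(\d+)/(\d+)/(\d+)\b")

def parse(line):
    """Parse one tcpdump DNS line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    counts = COUNTS.search(rec["rest"])
    # Replies carry answer/authority/additional counts; queries do not.
    rec["kind"] = "response" if counts else "query"
    rec["counts"] = tuple(int(n) for n in counts.groups()) if counts else None
    rec["id"], rec["len"], rec["df"] = int(rec["id"]), int(rec["len"]), bool(rec["df"])
    return rec

def pair(text):
    """Match each query to the reply with the same ID and swapped endpoints."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    out = []
    for q in (r for r in recs if r["kind"] == "query"):
        want = (q["dst"], q["dport"], q["src"], q["sport"], q["id"])
        reply = next((r for r in recs if r["kind"] == "response" and
                      (r["src"], r["sport"], r["dst"], r["dport"], r["id"]) == want), None)
        out.append({"id": q["id"], "sport": q["sport"],
                    # A query leaving from port 53 is what query-source port 53 produces.
                    "fixed_port_53": q["sport"] in ("domain", "53"),
                    "reply_counts": reply["counts"] if reply else None})
    return out

if __name__ == "__main__":
    for row in pair(SAMPLE):
        print(row)
```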