Problem with query-source
Mark.Andrews at nominum.com
Wed Jan 3 23:49:34 UTC 2001
I would suggest looking at the logs on this machine and verifying
that named loaded cleanly without reporting any errors.
I would also be looking at the firewall configuration as it is
dumb to allow out a packet that you don't allow the answer to
back in.
Mark
>
> I am using RedHat Linux 7.0, bind 8.2.2 P7. My main (external) DNS is on
> my firewall.
>
> I have the following in my /etc/named.conf:
>
> options {
> directory "/var/named";
> pid-file "/var/named/named.pid";
> allow-query { 10.0.0.0/8 };
> allow-transfer { 10.0.0.0/8 };
> allow-recursion { 10.0.0.0/8 };
> query-source address 216.220.99.3 port 53;
> };
>
> As far as I can tell, this should result in my DNS server ONLY sending
> requests from port 53. However I keep getting entries in my firewall
> (ipchains) log similar to the following:
>
> Jan 3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17
> 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
> Jan 3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17
> 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
>
> What this basically says is that my DNS server is sending from a high
> port, in this case 61000, through udp. These high ports vary, they are
> rarely the same. I have also noticed that this seems to happen mostly
> with root servers.
>
> I have also tried using "query-source address * port 53;". No
> difference.
>
> Am I misunderstanding the intended use of query-source, or is there
> something else I need to be doing here? It is not easy for me to allow
> random high ports and still keep good security.
>
> Any clues appreciated, and if more information is needed then I can
> supply it. BTW, I also have an internal DNS server inside the firewall,
> which uses the firewall as a forwarder. I don't think that should matter
> here though, since the packets in question are coming from the firewall
> itself.
>
> TIA,
>
> -Neil Gunton
> NilSpace Inc
> New York
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
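As an added example (not part of the thread, and not BIND or ipchains code), here is a small Python checker that reads ipchains "Packet log" lines in the format quoted above and reports two things a defender would want to confirm: outbound UDP queries to port 53 whose source port is not the configured query-source port (which means named is not honouring the directive), and the inbound port-53 replies the firewall denied. The sample log is constructed: it reuses the two lines from the post, rejoined into single syslog lines, plus made-up lines using the 192.0.2.0/24 documentation range; the server address 216.220.99.3 is taken from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex for the ipchains "Packet log:" syslog format as quoted in the post.
# Field order: chain verdict interface PROTO=<num> src:sport dst:dport L=len ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

UDP = 17  # IP protocol number, matches PROTO=17 in the log


@dataclass
class Packet:
    chain: str     # "input" or "output"
    verdict: str   # "ACCEPT" or "DENY"
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one ipchains log line; return None for lines that are not packet logs."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Packet(m["chain"], m["verdict"], int(m["proto"]),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def unexpected_query_ports(lines: List[str], server_ip: str,
                           expected_port: int = 53) -> List[Packet]:
    """Outbound UDP queries to port 53 from server_ip whose source port is not
    expected_port. Any hit means the query-source port setting is not in effect."""
    hits = []
    for line in lines:
        p = parse_line(line)
        if p is None or p.chain != "output" or p.proto != UDP:
            continue
        if p.src == server_ip and p.dport == 53 and p.sport != expected_port:
            hits.append(p)
    return hits


def blocked_replies(lines: List[str], server_ip: str) -> List[Packet]:
    """Inbound UDP packets from port 53 to server_ip that the firewall denied:
    these are the answers the resolver never received."""
    return [p for p in map(parse_line, lines)
            if p is not None and p.chain == "input" and p.verdict == "DENY"
            and p.proto == UDP and p.sport == 53 and p.dst == server_ip]


# Constructed sample log. The first two lines are the ones quoted in the post,
# rejoined; the rest are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "Jan 3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 "
    "216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)",
    "Jan 3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)",
    # A query that does use source port 53, and its accepted reply.
    "Jan 3 12:33:01 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 "
    "216.220.99.3:53 192.0.2.1:53 L=60 S=0x00 I=27969 F=0x0000 T=63 (#1)",
    "Jan 3 12:33:01 firewall kernel: Packet log: input ACCEPT eth0 PROTO=17 "
    "192.0.2.1:53 216.220.99.3:53 L=120 S=0x00 I=35 F=0x0000 T=250 (#5)",
    # Unrelated TCP traffic that the checks must ignore.
    "Jan 3 12:33:05 firewall kernel: Packet log: output ACCEPT eth0 PROTO=6 "
    "216.220.99.3:40001 192.0.2.2:80 L=60 S=0x00 I=27970 F=0x4000 T=63 (#2)",
]

if __name__ == "__main__":
    server = "216.220.99.3"
    for p in unexpected_query_ports(SAMPLE_LOG, server):
        print(f"query to {p.dst} sent from port {p.sport}, not 53: "
              f"query-source is not in effect")
    for p in blocked_replies(SAMPLE_LOG, server):
        print(f"reply from {p.src} to port {p.dport} was denied by the firewall")
```

Running it against a real ipchains log is the quickest way to tell whether the problem is the named configuration (queries leaving from random high ports) or the firewall (replies to the correct port being dropped); if the first check reports hits after a restart, the server's logs should show why the query-source directive was not applied.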