error sending response log messages

Mark Andrews Mark_Andrews at isc.org
Tue Jan 27 21:42:53 UTC 2009


In message <497F2CFE.8070707 at yahoo.com>, Andre LeClaire writes:
> Mark Andrews wrote:
> > In message <497CAEF2.80806 at yahoo.com>, Andre LeClaire writes:
> >> Hello everyone,
> >> I've been seeing these syslog messages for about a week on a FreeBSD 
> >> server running BIND 9.4.3-P1:
> >>
> >> Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error 
> >> sending response: permission denied
> >> Jan 25 05:15:40 asimov named[145]: client 66.230.160.1#139: error 
> >> sending response: permission denied
> >> Jan 25 07:45:11 asimov named[145]: client 206.71.158.30#139: error 
> >> sending response: permission denied
> >> Jan 25 07:56:26 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 08:10:29 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 08:54:34 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 09:16:41 asimov named[145]: client 206.71.158.30#138: error 
> >> sending response: permission denied
> >> Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error 
> >> sending response: permission denied
> >>
> >> Ports 135-139 and 445 are denied by the firewall on the outside 
> >> interface.
> > 
> > 	Why do you care about what port you are sending to?  Just
> > 	allow named to send its replies.
> > 
> 
> Ports 135-139 and 445 are blocked on the outside interface to protect 
> the Windows networks on the inside, which use those ports, from the 
> savage Internet.

	To do that you block traffic to these ports inbound.

	You are blocking reply traffic outbound that you have allowed
	the inbound query for.

> Are you saying that it's normal for named to send replies on those ports?
> Also, the server has been up for over 3 years with no problems, and 
> these errors just started happening last week.

	I would expect that there is a nameserver which is picking
	a random source port between 0 and 65535 rather than between
	1024 and 65535 to send its queries from.

	If you are really worried use tcpdump (or similar) to look
	at these incoming queries to see if they are well formed
	DNS queries first.

	Mark

> Andre
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
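The two checks Mark suggests (look at which source ports the rejected replies were going to, and confirm the incoming packets are actually well-formed DNS queries) can be scripted. The block below is an added example for this archive page, not code from ISC or from the original poster; the log lines and the packet bytes it feeds itself are constructed for the example, modelled on the syslog format quoted in the thread and on the DNS wire format, and the helper names are this example's own.

```python
"""Triage named "error sending response" syslog lines and sanity-check
captured queries.  Added example, not part of the bind-users thread.

Check 1: pull the client source port out of each log line and note whether
         it falls in the Windows/SMB range the firewall blocks (135-139, 445)
         or below 1024 at all, which a resolver picking its source port from
         the full 0-65535 range can hit.
Check 2: parse raw DNS bytes (what tcpdump -X would show) and report whether
         they form a plausible query: header present, QR bit clear, at least
         one question, and a name that stays inside the message.
"""
import re
import struct

WINDOWS_PORTS = set(range(135, 140)) | {445}

# Matches the "client A.B.C.D#port: error sending response: ..." part of a
# named syslog line; anything before "named[" (timestamp, host) is ignored.
LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"error sending response: (?P<err>.+)$"
)


def classify_log_line(line):
    """Return a dict describing the rejected reply, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    return {
        "ip": m.group("ip"),
        "port": port,
        "error": m.group("err"),
        "windows_port": port in WINDOWS_PORTS,  # hits the outbound block
        "privileged": port < 1024,              # source port below 1024
    }


def summarize(lines):
    """Count rejected replies per (client, port) over a batch of log lines."""
    counts = {}
    for line in lines:
        c = classify_log_line(line)
        if c:
            key = (c["ip"], c["port"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def parse_dns_query(data):
    """Return (ok, reason, qname) for raw DNS message bytes."""
    if len(data) < 12:
        return False, "short header", None
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if flags & 0x8000:
        return False, "QR bit set: this is a response, not a query", None
    if qdcount < 1:
        return False, "QDCOUNT is 0", None
    pos, labels = 12, []
    while True:                              # walk the question name
        if pos >= len(data):
            return False, "name runs past end of message", None
        ln = data[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:
            return False, "compression pointer in question name", None
        if ln > 63:
            return False, "label longer than 63 bytes", None
        pos += 1
        if pos + ln > len(data):
            return False, "label runs past end of message", None
        labels.append(data[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(data):
        return False, "question missing QTYPE/QCLASS", None
    _qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    if qclass not in (1, 255):               # IN or ANY
        return False, "unexpected QCLASS %d" % qclass, None
    return True, "ok", ".".join(labels)


def build_query(name, qtype=1, ident=0x1234):
    """Build a minimal wire-format query; used only to construct samples."""
    out = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample lines in the format quoted in the thread.
SAMPLE_LOG = [
    "Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error sending response: permission denied",
    "Jan 25 04:49:59 asimov named[145]: client 206.71.158.30#139: error sending response: permission denied",
    "Jan 25 10:03:51 asimov named[145]: client 206.71.158.30#445: error sending response: permission denied",
    "Jan 25 10:04:00 asimov named[145]: client 192.0.2.7#53: error sending response: permission denied",
]

if __name__ == "__main__":
    for (ip, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, port, n, "windows-port" if port in WINDOWS_PORTS else "")
    print(parse_dns_query(build_query("example.com")))
    print(parse_dns_query(build_query("example.com")[:20]))
```

Feed `parse_dns_query` the payload bytes of a capture of the offending source address (tcpdump `-X` output, or a pcap read with a library of your choice); a query that parses cleanly but arrives from port 138 is the "full 0-65535 source port range" case, which the firewall rule, not named, is getting wrong.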
