dig doesn't respect "query-source address * port 53;"

Barry Margolin barmar at bbnplanet.com
Mon Nov 1 15:44:26 UTC 1999


In article <19991101134634.WSN5192.mail.rdc1.il.home.com at mercury.snydernet.lan>,
Steve Snyder <swsnyder at home.com> wrote:
>Using BIND v8.2.1 on my Linux v2.2.x system, I've configured my
>nameserver to only use port 53 (for the sake of firewall security)
>with:
>
>        query-source address * port 53;
>
>Everything has been running great with this configuration until today,
>when I attempted to update the root nameserver list with the dig
>(domain information groper) utility:
>
>        dig @a.root-servers.net . ns > db.cache
>
>Perusing the system log shows that an outbound packet was rejected by
>my (ipchains) firewall.  It seems that dig sent that packet from a
>high port number, not from port 53.

named.conf only affects named.

>The dig documentation shows that a port number may be specified as the
>*destination* port, but I see no indication that the source port can 
>be set.
>
>Is there any way to have dig respect my desire to use only port 53 for
>DNS traffic?

No.  In fact, if named is listening on port 53, dig would find that the
port is already in use, so it wouldn't be able to use it even if there were
such a parameter.

Why don't you just FTP the root server list?  You don't even need to do
this very often, as the first thing that named does when it starts up is
the above query, and it uses that information internally.  The db.cache
file is just used to prime the information needed for this query.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
