Root server DNS traffic across Linux/ipchains firewall?

Steve Snyder swsnyder at home.com
Thu Oct 21 04:12:11 UTC 1999


I'm setting up a firewall on my Linux box.  This machine is running 
Linux kernel v2.2.13 and BIND v8.2.1.  For some reason I'm getting 
output from my box to root nameservers on a high port number.  Can 
anyone explain this?  

My intent is to ensure that all traffic goes through specific ports, so 
I configured named and set the ipchains rules appropriately.  Here's a 
fragment of my /etc/named.conf (note the use of port 53): 

options {
        directory "/var/named/snydernet";
        transfer-format many-answers;
        query-source address * port 53;
        allow-query { 127.0.0.1; 192.168.0/24;};
        listen-on { 127.0.0.1; 192.168.0.12; };
        forward first;
        forwarders { 24.4.162.33; 24.4.162.34; };
};

and the rules for accepting DNS traffic (again, note use of port 53):

  for NAMESERVER in 24.4.162.33 24.4.162.34 ; do
    ipchains -A input  -i $EXTRN_IFACE -p udp \
             -s $NAMESERVER 53 -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTRN_IFACE -p udp \
             -s $IPADDR 53 -d $NAMESERVER 53 -j ACCEPT

    ipchains -A input  -i $EXTRN_IFACE -p tcp ! -y \
             -s $NAMESERVER 53 -d $IPADDR 53 -j ACCEPT

    ipchains -A output -i $EXTRN_IFACE -p tcp \
             -s $IPADDR 53 -d $NAMESERVER 53 -j ACCEPT
  done

Below is the outbound traffic I'm seeing.  My IP address is 
111.222.333.444 and the other addresses are all root name servers.  I 
get 1 log entry each 4 seconds.  

Oct 20 18:29:29 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 198.41.0.10:53 L=45 S=0x00 I=8103 F=0x0000 T=63 (#57)
Oct 20 18:29:33 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 193.0.14.129:53 L=45 S=0x00 I=8104 F=0x0000 T=63 (#57)
Oct 20 18:29:37 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.5.5.241:53 L=45 S=0x00 I=8105 F=0x0000 T=63 (#57)
Oct 20 18:29:41 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.36.148.17:53 L=45 S=0x00 I=8106 F=0x0000 T=63 (#57)
Oct 20 18:29:45 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 198.41.0.4:53 L=45 S=0x00 I=8107 F=0x0000 T=63 (#57)
Oct 20 18:29:49 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 198.32.64.12:53 L=45 S=0x00 I=8108 F=0x0000 T=63 (#57)
Oct 20 18:29:53 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 202.12.27.33:53 L=45 S=0x00 I=8110 F=0x0000 T=63 (#57)
Oct 20 18:30:09 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 128.8.10.90:53 L=45 S=0x00 I=8111 F=0x0000 T=63 (#57)
Oct 20 18:30:17 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.112.36.4:53 L=45 S=0x00 I=8112 F=0x0000 T=63 (#57)
Oct 20 18:30:25 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 128.9.0.107:53 L=45 S=0x00 I=8113 F=0x0000 T=63 (#57)
Oct 20 18:30:33 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.203.230.10:53 L=45 S=0x00 I=8114 F=0x0000 T=63 (#57)
Oct 20 18:30:37 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 202.12.27.33:53 L=45 S=0x00 I=8115 F=0x0000 T=63 (#57)
Oct 20 18:30:41 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 128.8.10.90:53 L=45 S=0x00 I=8116 F=0x0000 T=63 (#57)
Oct 20 18:30:45 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.112.36.4:53 L=45 S=0x00 I=8117 F=0x0000 T=63 (#57)
Oct 20 18:30:49 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 128.9.0.107:53 L=45 S=0x00 I=8118 F=0x0000 T=63 (#57)
Oct 20 18:30:53 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 128.63.2.53:53 L=45 S=0x00 I=8119 F=0x0000 T=63 (#57)

One more question: if I have to live with traffic on a high port, can I 
expect that it will always be port 61000?  

Help!  Thank you.

***** Steve Snyder *****
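As an added example (not from the original post, and not BIND or ipchains code), the following Python parses the kernel 2.2 ipchains "Packet log:" records shown above, re-joins the records the mail client wrapped over two lines, and groups rejected DNS packets by the local source port that differs from the port configured in query-source. The record layout is inferred from the log lines in the post; the sample holds the first three records from the post plus one constructed non-DNS record that the audit must ignore.

```python
import re
from collections import defaultdict
# One ipchains "Packet log:" record (kernel 2.2); the mail wrapped each over two lines.
RECORD = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) .*?\(#(?P<rule>\d+)\)")
INT_FIELDS = {"proto", "sport", "dport", "len", "rule"}

def parse(text):
    """Re-join wrapped records, return one dict per record (numeric fields as int)."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if "Packet log:" in line:
            records.append(line)
        elif line and records:              # continuation of the previous record
            records[-1] += " " + line
    return [{k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}
            for m in map(RECORD.search, records) if m]

def dns_source_port_audit(text, expected_port=53):
    """Group rejected DNS packets (UDP=17/TCP=6 to port 53) whose local source port
    is not expected_port (the named query-source port) by (chain, source port)."""
    found = defaultdict(lambda: {"count": 0, "rule": None, "dst": set()})
    for r in parse(text):
        if r["dport"] != 53 or r["proto"] not in (6, 17) or r["sport"] == expected_port:
            continue
        f = found[(r["chain"], r["sport"])]
        f["count"] += 1
        f["rule"] = r["rule"]                # ipchains rule number that matched
        f["dst"].add(r["dst"])
    return {k: dict(v, dst=sorted(v["dst"])) for k, v in found.items()}

# First three records from the post above, plus one constructed non-DNS reject
# (TCP to port 80) that the audit must ignore.
SAMPLE = """\
Oct 20 18:29:29 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 198.41.0.10:53 L=45 S=0x00 I=8103 F=0x0000 T=63 (#57)
Oct 20 18:29:33 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 193.0.14.129:53 L=45 S=0x00 I=8104 F=0x0000 T=63 (#57)
Oct 20 18:29:37 corona kernel: Packet log: output REJECT eth1 PROTO=17
111.222.333.444:61000 192.5.5.241:53 L=45 S=0x00 I=8105 F=0x0000 T=63 (#57)
Oct 20 18:31:00 corona kernel: Packet log: output REJECT eth1 PROTO=6
111.222.333.444:1025 10.1.2.3:80 L=60 S=0x00 I=8120 F=0x4000 T=63 (#60)
"""

if __name__ == "__main__":
    for (chain, sport), f in dns_source_port_audit(SAMPLE).items():
        print(f"{chain}: {f['count']} DNS packets from port {sport} rejected by "
              f"rule #{f['rule']} to {', '.join(f['dst'])}")
```

Running it against a full /var/log/messages extract shows at a glance which source ports the named query-source setting is not covering and which rule is rejecting them.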




More information about the bind-users mailing list