Bind on strange UDP ports?

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Thu Jul 6 06:04:41 UTC 2000


> 
> 
> But.. Would it keep that port open permanently?

	Yes.  Named is continually making queries.  It does not
	make sense to create and destroy this socket for each query.

> Is there any way to tell exactly if that is what the port is really doing?

	Yes, read the code.  BIND 8 has had query-source since day
	one.  The code rejects anything but the answers it is
	expecting.

> With the new rumors daily of bind issues, and seeing dns servers running
> 0 services except bind getting rooted, it scares me to see this and not find
> any documentation on what it is.

	But the query-source has been documented from day one.
	The example named.conf even contains a commented out example
	on how to move this back to port 53.

	As for root compromises, what more can we do?  We have
	warnings on our home page (www.isc.org) about the problem.
	We have issued advisories.  We keep warning people that
	report problems with old versions that there are problems.

	At this point in time there are no known cases of BIND
	8.2.2-P5 being compromised.  We had many false reports all
	of which have turned out not to be the case when we have
	investigated.

	As always, using the chroot & chuid flags to named is
	recommended so that even if there is a compromise there is
	minimal damage done.

	Mark

> 
> On Wed, 5 Jul 2000, Cricket Liu wrote:
> 
> > 
> > > Ok I've never really noticed this behavior before.. But I am seeing it on
> > > a few servers..
> > >
> > > Bind is binding to the ports specified in the named.conf, port 53.. UDP
> > > and TCP.
> > >
> > > It is also binding on a high port.. like 4431 UDP. Then if you ndc reload
> > > it steps up one port to 4432.. Sometimes it skips a few.. Up to like
> > > 4437.. then another ndc reload it ups to 4438. And so on. Well this causes
> > > a problem.. It binds to EVERY interface, even if you have the named.conf
> > > telling it to only bind on one interface.
> > >
> > > What is this UDP port.. How do you get rid of it.. and why is it
> > > there.. and not in any documentation? (Or is it?)
> > 
> > It's probably the query port.  BIND 8 name servers send queries
> > from a high-numbered port.  They bind() to it at startup and, I guess,
> > after reloads.
> > 
> > cricket
> > 
> > 
> > 
> 
> 
> 
> Erik Parker
> eparker at mindsec.com
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
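The query-source option the thread refers to, shown as an added example rather than configuration taken from the original messages or from ISC's shipped named.conf. The address 192.0.2.53 and the directory are placeholders; the `listen-on` line restricts the inbound sockets only, which is why the outbound query socket still appears on every interface until `query-source address` pins it.

```conf
// Added example, not from the original thread: a BIND 8 options block
// that pins the outbound query socket discussed above.
// 192.0.2.53 and /var/named are placeholder values.
options {
    directory "/var/named";

    // Inbound: accept queries only on this interface (UDP and TCP 53).
    listen-on { 192.0.2.53; };

    // Outbound: BIND 8's default behaves like
    //   query-source address * port *;
    // i.e. a kernel-chosen unprivileged port, bound on all interfaces.
    // That is the UDP 443x socket reported in the thread, and it is
    // kept open because named sends queries continually.
    // Pin it to one address and, if you want, to port 53:
    query-source address 192.0.2.53 port 53;
};
```

Pair this with the flags Mark mentions: BIND 8's named takes `-u <user>` to drop root after binding and `-t <directory>` to chroot before reading the configuration. One trade-off is worth knowing: with the source port fixed, a forged answer only has to match the 16-bit query ID to be accepted, so leaving `port *` and firewalling on the pinned address instead keeps an extra unpredictable value in the way of spoofed replies.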


