query-source port <1024 and !53

Mathias Körber mathias at koerber.org
Fri Nov 10 01:35:24 UTC 2000


I found the below in my firewall's log, and wonder why any nameserver
would send consecutive DNS queries (17=UDP) from 2 different ports,
which both are neither 53, nor unprivileged (above 1023):

  (note: IP source address replaced with 1.2.3.4 to protect the ...)
Nov  8 21:09:29 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:876 ns1:53 L=62 S=0x00 I=60959 F=0x0000 T=114 (#1) 
Nov  8 21:09:30 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:880 ns1:53 L=62 S=0x00 I=46183 F=0x0000 T=113 (#1) 
Nov  8 21:09:33 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:876 ns1:53 L=62 S=0x00 I=64031 F=0x0000 T=114 (#1) 
Nov  8 21:09:34 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:880 ns1:53 L=62 S=0x00 I=46951 F=0x0000 T=113 (#1) 
Nov  8 21:09:41 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:876 ns1:53 L=62 S=0x00 I=16928 F=0x0000 T=114 (#1) 
Nov  8 21:09:42 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17
1.2.3.4:880 ns1:53 L=62 S=0x00 I=49511 F=0x0000 T=113 (#1)

My logs show numerous occurrences of this from different sources.
In almost all cases, the system in question uses two privileged
ports to send these queries. In almost all cases there are only 4 to 8
queries in quick succession, and then no more.

Questions:
	a) What version of any nameserver would use privileged ports 
	     (<1024) but not 53 as query-source?
	b) if this is not default, why would someone choose a 
	    privileged port other than 53 as query source?
	c) Why would a machine be using 2 query-source addresses 
	    (unless it's running 2 instances of named).
	d) is there any other software known that could produce this 
	    behaviour?

Just curious

Fup: comp.protocols.tcp-ip.domains

-- 
Mathias Körber					mathias at koerber.org
Jealousy is a passion that eagerly seeks what creates suffering.
(Eifersucht ist eine Leidenschaft, die mit Eifer sucht, was Leiden schafft)
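An added example, not part of the original post: a small log parser that picks the UDP packets to port 53 out of firewall lines in the format quoted above and reports sources whose query-source port is privileged (<1024) but not 53, grouped by the distinct ports each source used. It assumes each log record sits on one line (the post's lines are wrapped by the mail archive); the sample lines and the 5.6.7.x addresses are constructed.

```python
import re
from collections import defaultdict

# Field layout assumed from the post's log lines: "... PROTO=<n> <src>:<sport> <dst>:<dport> ..."
LOG_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample modelled on the post; 1.2.3.4 is the post's own placeholder address,
# 5.6.7.8 / 5.6.7.9 are constructed "normal" resolvers (port 53 and an unprivileged port).
SAMPLE_LOG = """\
Nov  8 21:09:29 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17 1.2.3.4:876 ns1:53 L=62 S=0x00 I=60959 F=0x0000 T=114 (#1)
Nov  8 21:09:30 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17 1.2.3.4:880 ns1:53 L=62 S=0x00 I=46183 F=0x0000 T=113 (#1)
Nov  8 21:09:33 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17 1.2.3.4:876 ns1:53 L=62 S=0x00 I=64031 F=0x0000 T=114 (#1)
Nov  8 21:09:41 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17 5.6.7.8:53 ns1:53 L=62 S=0x00 I=11111 F=0x0000 T=60 (#1)
Nov  8 21:09:42 ns1 kernel: Packet log: REJ_I - ppp0 PROTO=17 5.6.7.9:40123 ns1:53 L=62 S=0x00 I=22222 F=0x0000 T=60 (#1)
"""


def parse_dns_queries(log_text):
    """Yield (src_ip, src_port) for every UDP (PROTO=17) packet addressed to port 53."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a packet-log line in the expected layout
        if m.group("proto") != "17" or m.group("dport") != "53":
            continue  # not a DNS-over-UDP query
        yield m.group("src"), int(m.group("sport"))


def odd_query_source_ports(log_text):
    """Return {src_ip: sorted list of ports} for sources whose query-source port is
    privileged (<1024) but not 53, i.e. the pattern the post asks about.
    Sources that use port 53 or an unprivileged port are left out."""
    ports_by_src = defaultdict(set)
    for src, sport in parse_dns_queries(log_text):
        if sport < 1024 and sport != 53:
            ports_by_src[src].add(sport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()}


if __name__ == "__main__":
    for src, ports in odd_query_source_ports(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} privileged non-53 query-source port(s): {ports}")
```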