Problem with query-source

Neil Gunton neil at nilspace.com
Wed Jan 3 17:53:35 UTC 2001


I am using RedHat Linux 7.0, BIND 8.2.2-P7. My main (external) DNS is on
my firewall.

I have the following in my /etc/named.conf:

options {
	directory "/var/named";
	pid-file "/var/named/named.pid";
	allow-query { 10.0.0.0/8 };
	allow-transfer { 10.0.0.0/8 };
	allow-recursion { 10.0.0.0/8 };
	query-source address 216.220.99.3 port 53;
};

As far as I can tell, this should result in my DNS server ONLY sending
requests from port 53. However I keep getting entries in my firewall
(ipchains) log similar to the following:

Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17
216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17
198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)

What this basically says is that my DNS server is sending from a high
port, in this case 61000, over UDP. These high ports vary; they are
rarely the same. I have also noticed that this seems to happen mostly
with root servers.

I have also tried using "query-source address * port 53;". No
difference.

Am I misunderstanding the intended use of query-source, or is there
something else I need to be doing here? It is not easy for me to allow
random high ports and still keep good security.

Any clues appreciated, and if more information is needed then I can
supply it. BTW, I also have an internal DNS server inside the firewall,
which uses the firewall as a forwarder. I don't think that should matter
here though, since the packets in question are coming from the firewall
itself.

TIA,

-Neil Gunton
NilSpace Inc
New York