Problem with query-source

Mark.Andrews at nominum.com
Wed Jan 3 23:49:34 UTC 2001


	I would suggest looking at the logs on this machine and verifying
	that named loaded cleanly without reporting any errors.

	I would also be looking at the firewall configuration as it is
	dumb to allow out a packet that you don't allow the answer to
	back in.

	Mark

> 
> I am using RedHat Linux 7.0, BIND 8.2.2-P7. My main (external) DNS is on
> my firewall.
> 
> I have the following in my /etc/named.conf:
> 
> options {
> 	directory "/var/named";
> 	pid-file "/var/named/named.pid";
> 	allow-query { 10.0.0.0/8 };
> 	allow-transfer { 10.0.0.0/8 };
> 	allow-recursion { 10.0.0.0/8 };
> 	query-source address 216.220.99.3 port 53;
> };
> 
> As far as I can tell, this should result in my DNS server ONLY sending
> requests from port 53. However I keep getting entries in my firewall
> (ipchains) log similar to the following:
> 
> Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17
> 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
> Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17
> 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
> 
> What this basically says is that my DNS server is sending from a high
> port, in this case 61000, over UDP. These high ports vary; they are
> rarely the same. I have also noticed that this seems to happen mostly
> with root servers.
> 
> I have also tried using "query-source address * port 53;". No
> difference.
> 
> Am I misunderstanding the intended use of query-source, or is there
> something else I need to be doing here? It is not easy for me to allow
> random high ports and still keep good security.
> 
> Any clues appreciated, and if more information is needed then I can
> supply it. BTW, I also have an internal DNS server inside the firewall,
> which uses the firewall as a forwarder. I don't think that should matter
> here though, since the packets in question are coming from the firewall
> itself.
> 
> TIA,
> 
> -Neil Gunton
> NilSpace Inc
> New York
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
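The two ipchains log lines quoted above are the evidence for the whole complaint: a UDP query left 216.220.99.3 from port 61000 instead of the port 53 that query-source is supposed to pin, and the firewall then dropped the root server's reply because nothing allows traffic back to a high port. The script below is an added example, not something posted in this thread or shipped with BIND or ipchains. It scans a "Packet log" file in the ipchains format shown in the post and reports (a) which source ports other than the expected query-source port named actually used for outbound DNS queries, and (b) how many inbound replies the firewall denied. The sample log is constructed: the first two lines are the ones from the post joined back onto single lines, and the other two are invented "good" traffic to a made-up upstream server at 192.0.2.53 so the filter has something to ignore. The host address 216.220.99.3 and port 53 are taken from the poster's named.conf.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an ipchains "Packet log"
# for DNS queries that left the named host from a source port other than the
# one configured with "query-source ... port 53", and for the replies the
# firewall dropped as a consequence. Field positions follow the log format
# quoted in the post:
#   $8 = chain (input/output)  $9 = verdict  $11 = PROTO=nn
#   $12 = src:port             $13 = dst:port

# Constructed sample log. Lines 1-2 are the two entries quoted in the post,
# each written back onto a single line as the kernel emits them; lines 3-4
# are made-up examples of a query that did use port 53 and got its answer.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
Jan  3 12:33:10 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 216.220.99.3:53 192.0.2.53:53 L=68 S=0x00 I=27970 F=0x0000 T=63 (#1)
Jan  3 12:33:10 firewall kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.53:53 216.220.99.3:53 L=401 S=0x00 I=40 F=0x4000 T=246 (#12)
EOF

# stray_query_ports LOGFILE HOST WANTED_PORT
# Print, one per line and de-duplicated, every source port from which HOST
# sent an outbound UDP packet to some destination port 53 while NOT using
# WANTED_PORT. With query-source working, this prints nothing.
stray_query_ports() {
    awk -v host="$2" -v want="$3" '
        $8 == "output" && $11 == "PROTO=17" {
            split($12, src, ":"); split($13, dst, ":")
            if (src[1] == host && dst[2] == "53" && src[2] != want) print src[2]
        }' "$1" | sort -u
}

# denied_reply_count LOGFILE HOST
# Count inbound UDP packets addressed to HOST that the firewall DENIED; these
# are the answers to the stray queries above, lost because no rule admits
# traffic to a high port on the DNS server.
denied_reply_count() {
    awk -v host="$2" '
        $8 == "input" && $9 == "DENY" && $11 == "PROTO=17" {
            split($13, dst, ":")
            if (dst[1] == host) n++
        }
        END { print n + 0 }' "$1"
}

# Usage against the constructed log (replace SAMPLE_LOG with /var/log/messages
# or wherever klogd writes the ipchains output on a real firewall).
echo "Query source ports other than 53 used by 216.220.99.3:"
stray_query_ports "$SAMPLE_LOG" 216.220.99.3 53
echo "Replies to 216.220.99.3 dropped by the firewall: $(denied_reply_count "$SAMPLE_LOG" 216.220.99.3)"
```

Run on a real firewall, a non-empty list from stray_query_ports means named is not honouring the configured query-source (which is why Mark asks to check that named started cleanly, since a config that fails to parse can leave the default behaviour of an ephemeral port in place), and a non-zero denied count is the matching half: queries the firewall let out whose answers it then refused to let back in.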