Problem with query-source

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Thu Jan 4 01:03:25 UTC 2001


> Hi Mark, thanks for your reply. I checked the message log and actually
> it was complaining about syntax errors on the allow-query lines, but it
> turned out to just be missing semi-colons before the }. So I tried the
> setup again and I am still getting the same behavior. I guess I hadn't
> checked that before because by and large my setup has been working ok. I
> suppose the syntax errors were not showstoppers as far as bind was
> concerned. Anyway, all fixed now.

	It's blocking remote queries now:-)

> 
> As for your second point, this is harder to address - or rather, is the
> whole point of my question. I have obviously configured my firewall to
> try and catch this traffic and log it, in order to demonstrate this
> particular "bug". Usually I just let all outgoing traffic pass, since I
> am the only user on my machines, and I have other security measures in
> place which would alert me if anyone broke the outer defences and
> planted a trojan. So it's generally easier to just let all outgoing
> traffic pass.
> 
> At any rate, the point is that there should never even be any packets
> which are leaving via udp from the DNS server, with a source port other
> than 53. That's the whole idea behind the query-source line, as far as I
> understand it. So my question stands: Have I misunderstood the
> intent/usage of this command? Why is my server still sending out
> requests (occasionally) on high ports when I have explicitly told it not
> to?

	Are you sure it is the nameserver and not some other application
	running on the box?  If you run lsof on named you will see that
	it is only listening on port 53.  If you don't have query-source
	set it will be listening on some other port in addition to port
	53.

> 
> Your point about not allowing out packets which I don't intend to allow
> answers to is well taken, but that's kind of like telling someone who's
> just been run over that they shouldn't be lying in the middle of the
> road - it's kinda dangerous...

	No. It's being a good netizen. Servers end up being pounded upon
	because people have firewalls that allow packets out that they
	don't allow answers back for; this includes ICMP responses.
> 
> :)
> 
> Thanks again, and any further clues most welcome...
> 
> -Neil
> 
> Mark.Andrews at nominum.com wrote:
> > 
> >         I would suggest looking at the logs on this machine and verifying
> >         that named loaded cleanly without reporting any errors.
> > 
> >         I would also be looking at the firewall configuration as it is
> >         dumb to allow out a packet that you don't allow the answer to
> >         back in.
> > 
> >         Mark
> > 
> > >
> > > I am using RedHat Linux 7.0, bind 8.2.2 P7. My main (external) DNS is on
> > > my firewall.
> > >
> > > I have the following in my /etc/named.conf:
> > >
> > > options {
> > >       directory "/var/named";
> > >       pid-file "/var/named/named.pid";
> > >       allow-query { 10.0.0.0/8 };
> > >       allow-transfer { 10.0.0.0/8 };
> > >       allow-recursion { 10.0.0.0/8 };
> > >       query-source address 216.220.99.3 port 53;
> > > };
> > >
> > > As far as I can tell, this should result in my DNS server ONLY sending
> > > requests from port 53. However I keep getting entries in my firewall
> > > (ipchains) log similar to the following:
> > >
> > > Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17
> > > 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
> > > Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17
> > > 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
> > >
> > > What this basically says is that my DNS server is sending from a high
> > > port, in this case 61000, through udp. These high ports vary, they are
> > > rarely the same. I have also noticed that this seems to happen mostly
> > > with root servers.
> > >
> > > I have also tried using "query-source address * port 53;". No
> > > difference.
> > >
> > > Am I misunderstanding the intended use of query-source, or is there
> > > something else I need to be doing here? It is not easy for me to allow
> > > random high ports and still keep good security.
> > >
> > > Any clues appreciated, and if more information is needed then I can
> > > supply it. BTW, I also have an internal DNS server inside the firewall,
> > > which uses the firewall as a forwarder. I don't think that should matter
> > > here though, since the packets in question are coming from the firewall
> > > itself.
> > >
> > > TIA,
> > >
> > > -Neil Gunton
> > > NilSpace Inc
> > > New York
> > >
> > >
> > --
> > Mark Andrews, Nominum Inc.
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
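One way to check a firewall log for exactly the behaviour discussed in this thread (outbound UDP from the DNS server on a port other than 53, and the answers the firewall then drops), as an added example that is not part of the thread: the first two sample lines are the ipchains lines quoted above re-joined onto one line each, the third is constructed, and the server address is taken from the quoted named.conf.

```python
import re

# Added example (not from the thread): scan ipchains "Packet log:" lines for
# outbound UDP packets the DNS server sends from a port other than 53, which
# query-source is expected to prevent, and for replies the firewall then drops.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# The two log lines quoted in the thread, re-joined onto one line each.
SAMPLE_LOG = [
    "Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 "
    "216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)",
    "Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17 "
    "198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)",
    # Constructed line: a query that honours query-source (port 53); not flagged.
    "Jan  3 12:33:01 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 "
    "216.220.99.3:53 198.41.0.10:53 L=71 S=0x00 I=27969 F=0x0000 T=63 (#1)",
]

def parse_line(line):
    """Return the packet fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def unexpected_source_ports(lines, server_ip, expected_port=53):
    """Outbound UDP packets from server_ip whose source port is not expected_port.
    Returns (sport, dst, dport) tuples; an empty list means query-source is honoured."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec["chain"] == "output" and rec["proto"] == 17
                and rec["src"] == server_ip and rec["sport"] != expected_port):
            hits.append((rec["sport"], rec["dst"], rec["dport"]))
    return hits

def dropped_replies(lines, server_ip):
    """Inbound UDP packets to server_ip that the firewall denied: answers the
    server asked for but can never receive (the 'good netizen' point above)."""
    return [(rec["src"], rec["dport"])
            for rec in filter(None, map(parse_line, lines))
            if rec["chain"] == "input" and rec["action"] == "DENY"
            and rec["proto"] == 17 and rec["dst"] == server_ip]
```

A non-empty result from unexpected_source_ports on the real log, together with lsof showing named bound only to port 53, points at another process on the box rather than named.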
