icmp problem

Tom Nichols tomn at team.citx.net
Wed Mar 14 13:47:30 UTC 2001


Kevin Darcy wrote:

> Hmmm... I don't think that will make a difference. I don't believe named uses the
> services database to determine what port to listen on by default. If it did, then
> I'd say that those ICMP packets were probably "port unreachable"s. But since named
> is probably listening to port 53 regardless of what you do with your services
> database, there would be no "port unreachable"s, so this doesn't explain the
> ICMP packets.
>
> BTW, according to the RFCs, the recommended transport for ordinary DNS queries
> and responses is UDP. So what is it that you are trying to accomplish, that would
> be worth violating the RFC recommendation?
>
>

We turn off almost all UDP services to prevent our systems from responding to UDP
floods. Works great.



> - Kevin
>
> Tom Nichols wrote:
>
> > FWIW, we comment out the named UDP call in the services for all our DNS
> > servers...TCP only (BSDI)
> >
> > Kevin Darcy wrote:
> >
> > > I'm sure named isn't sending ICMP packets deliberately. I consider it far
> > > more likely that named's UDP packets are somehow triggering the networking
> > > code in HP-UX to generate the ICMP packets, although offhand I can't imagine
> > > how or why. Can you look at the ICMP packets to see what kind they are (echo
> > > request/reply, source quench, redirect, timestamp or whatever)? Maybe there's
> > > some configuration setting in HP-UX that would turn them off.
> > >
> > > - Kevin
> > >
> > > Hasan Övüç wrote:
> > >
> > > > Hi everyone,
> > > >
> > > >         I use bind-8.2.3 on HP-UX 11.00. The DNS server is behind the firewall
> > > > and the DNS server drops all ICMP packets for security. An interesting thing: I
> > > > see from the firewall logs that the DNS server sends ICMP packets for all queries,
> > > > although all queries are done successfully. This is fairly meaningless.
> > > >         A short time ago, I searched the mailing list archive of bind and I
> > > > didn't find a sufficient answer. I request your help.
> >


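The question raised in the quoted thread (what kind of ICMP packets the firewall is logging) can be answered from a raw capture. The following is an added example, not part of the original message: a small Python decoder that names the ICMP type and, for "destination unreachable", reads the quoted original header to show which UDP datagram triggered it. The addresses, ports, helper names and the sample packet are constructed for illustration.

```python
import socket
import struct

# ICMP type names from RFC 792 (the kinds named in the thread)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded",
              13: "timestamp request", 14: "timestamp reply"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed"}

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def describe_icmp(pkt):
    proto, src, dst, icmp = parse_ipv4(pkt)
    if proto != 1 or len(icmp) < 8:
        raise ValueError("not an ICMP packet")
    itype, code = icmp[0], icmp[1]
    info = {"from": src, "to": dst, "type": ICMP_TYPES.get(itype, f"type {itype}")}
    if itype == 3:
        info["code"] = UNREACH_CODES.get(code, f"code {code}")
        # Error messages quote the offending IP header + first 8 payload bytes
        try:
            oproto, osrc, odst, l4 = parse_ipv4(icmp[8:])
        except ValueError:
            return info
        if oproto == 17 and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            info["trigger"] = f"udp {osrc}:{sport} -> {odst}:{dport}"
    return info

def build_ip(proto, src, dst, payload):
    # Constructed test packet; checksums left at zero (not verified here)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: a UDP datagram to a closed port, and the ICMP error it draws
ORIG = build_ip(17, "198.51.100.7", "192.0.2.53", struct.pack("!HHHH", 53, 32768, 8, 0))
SAMPLE = build_ip(1, "192.0.2.53", "198.51.100.7", struct.pack("!BBHI", 3, 3, 0, 0) + ORIG)

if __name__ == "__main__":
    print(describe_icmp(SAMPLE))
```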



