BIND, Ethereal, msproxy, etc.

Ed Sawicki ed at alcpress.com
Fri Jun 7 21:57:54 UTC 2002


Answering my own post for the benefit of others:

BIND 8.2.4 does not behave according to the documentation.
By default, with no query-source statement in the named.conf file,
it always uses the same port for queries - in my case port 1745.
If I add this statement:

query-source address * port *;

to named.conf, BIND then uses ephemeral ports determined by the
system - Linux in my case. I find this more desirable than an
arbitrary fixed port.

Ed



On Fri, 2002-06-07 at 12:51, Ed Sawicki wrote:
> I just installed the latest version of Ethereal and immediately noticed
> that some packets on my network were being decoded as "msproxy". I
> quickly realized that these were DNS queries sent by my DNS server
> (BIND 8.2.4 on Linux) to remote DNS servers - seemingly plain old DNS
> queries.
> 
> Ethereal decodes them as the msproxy protocol because my DNS
> server was using a source port of 1745, which Ethereal thinks is
> the msproxy protocol even though IANA's port list refers to this as
> remote-winsock. Ethereal's hex-ascii display made it clear that
> these were DNS queries. I assume that Ethereal is messed up. For
> packets with a source port of 1745 and destination port of 53, it
> favors the registered port 1745 over the well-known port 53.
> 
> I thought that BIND just happened to use 1745 as its ephemeral port
> for the packet exchange I just happened to capture. However, I
> captured several hundred more packets and BIND seems to be using
> port 1745 for all its queries. I checked
> /proc/sys/net/ipv4/ip_local_port_range and it reports 49000 60000.
> 
> It seems that BIND 8.2.4 is not using ephemeral ports but rather uses
> 1745. I did not configure this in named.conf. Is this normal
> operation?
> 
> Ed


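
The check described in this thread, looking at the source port of every outbound DNS query and comparing it with the system's ephemeral range, can be automated. The following is an added example, not code from the original posts or from BIND or Ethereal; the function names are hypothetical, the input is assumed to be raw UDP datagrams already extracted from a capture, and the default range is the 49000 60000 value reported in the post.

```python
import struct
from collections import Counter

def make_udp(src, dst, payload=b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6):
    """Build a constructed UDP datagram (checksum left at 0) for the samples."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload

def audit_query_ports(datagrams, ephemeral=(49000, 60000), dns_port=53):
    """Summarise the source ports a resolver uses for outbound DNS queries."""
    ports = Counter()
    for dgram in datagrams:
        if len(dgram) < 8:            # truncated capture: no full UDP header
            continue
        src, dst = struct.unpack("!HH", dgram[:4])
        if dst == dns_port:           # count queries only, not replies from port 53
            ports[src] += 1
    lo, hi = ephemeral
    total = sum(ports.values())
    return {
        "queries": total,
        "distinct_ports": len(ports),
        # one source port for every query means the resolver is pinned to it
        "fixed_port": next(iter(ports)) if total > 1 and len(ports) == 1 else None,
        "outside_ephemeral": sorted(p for p in ports if not lo <= p <= hi),
    }

# Constructed samples, not taken from a real capture.
BEFORE = [make_udp(1745, 53) for _ in range(5)] + [make_udp(53, 1745), b"\x06\xd1"]
AFTER = [make_udp(p, 53) for p in (49152, 51007, 58321, 49999, 50500)]

if __name__ == "__main__":
    print("no query-source statement:", audit_query_ports(BEFORE))
    print("query-source ... port *:  ", audit_query_ports(AFTER))
```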