Unexpected outgoing DNS traffic & "connection reset"

Steve Snyder swsnyder at insightbb.com
Sun Oct 30 12:23:15 UTC 2005


I'm running BIND 9.2.1 (with security patches) on a Linux system.  My 
nameserver should only be satisfying requests from the local network, and 
caching resolutions from outside the network.  So why do I have outgoing 
TCP traffic to destination port 53?

Here's a snippet of my named.conf:

   listen-on { 127.0.0.1; 192.168.0.1; };
   allow-query { 127.0.0.1; 192.168.0/24; };
   allow-transfer { 192.168.0/24; };

On my nameserver machine interface eth0 is 192.168.0.1 on a 192.168.0/24 
network, and interface eth1 faces the internet (IP is obscured below as 
"aaa.bbb.ccc.ddd").

My understanding is that TCP is only used when transferring a zone which 
is too large to fit into a UDP packet.  Given that I am (in theory) not 
transferring zones outside my LAN, there should be no need for outgoing 
TCP traffic to port 53, right?

That's my expectation, anyway.  And that is also why my firewall rules 
logged the packets shown below.  Here we see that on 2 occasions last 
Friday there were 6 TCP packets sent from my nameserver's external 
interface to machines on the 64.202.167.0 network.

Can anyone explain to me why I should have this outgoing traffic given 
the BIND configuration shown above?

After writing all the above I looked at named.log and saw these entries:

Oct 28 11:29:30.598 dispatch: dispatch 0x40b1b540:
  shutting down due to TCP receive error: connection reset
Oct 28 11:29:30.766 dispatch: dispatch 0x40b1b540:
  shutting down due to TCP receive error: connection reset
Oct 28 15:16:57.860 dispatch: dispatch 0x40b1b540:
  shutting down due to TCP receive error: connection reset
Oct 28 15:16:58.019 dispatch: dispatch 0x40b1b540:
  shutting down due to TCP receive error: connection reset

Those times correspond to the logged packets below.  So now my question
is a more general one: what the %$^$#&! is going on here?

Thanks.

-----------------------

Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
  SPT=60139 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP
  SPT=60139 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=14 DF PROTO=TCP
  SPT=60139 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
  SPT=60140 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP
  SPT=60140 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=14 DF PROTO=TCP
  SPT=60140 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0

Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP
  SPT=60571 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP
  SPT=60571 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.167.50 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=44263 DF
  PROTO=TCP SPT=60571 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48939 DF PROTO=TCP
  SPT=60572 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP
  SPT=60572 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
  DST=64.202.165.4 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=52572 DF PROTO=TCP
  SPT=60572 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0
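
Added example (not part of the original post): a Python script that groups the firewall entries above into outbound TCP flows to port 53 and counts the named "connection reset" errors logged in the same second. The sample input is a subset of the post's own log entries, unwrapped to one line each; the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: entries from the post, unwrapped to one log entry per line.
FW_LOG = """\
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.165.4 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP SPT=60139 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.165.4 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP SPT=60139 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 11:29:30 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.165.4 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=14 DF PROTO=TCP SPT=60139 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.167.50 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=60571 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.167.50 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=3282 DF PROTO=TCP SPT=60571 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 15:16:57 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.202.167.50 LEN=107 TOS=0x10 PREC=0x00 TTL=64 ID=44263 DF PROTO=TCP SPT=60571 DPT=53 WINDOW=5840 RES=0x00 ACK PSH URGP=0
"""
NAMED_LOG = """\
Oct 28 11:29:30.598 dispatch: dispatch 0x40b1b540: shutting down due to TCP receive error: connection reset
Oct 28 11:29:30.766 dispatch: dispatch 0x40b1b540: shutting down due to TCP receive error: connection reset
Oct 28 15:16:57.860 dispatch: dispatch 0x40b1b540: shutting down due to TCP receive error: connection reset
Oct 28 15:16:58.019 dispatch: dispatch 0x40b1b540: shutting down due to TCP receive error: connection reset
"""
STAMP = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST"}

def parse_flows(fw_text, dport="53"):
    """Group netfilter LOG entries into TCP flows keyed by (DST, SPT)."""
    flows = {}
    for line in fw_text.splitlines():
        m = re.match(STAMP + " ", line)
        kv = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
        if not m or kv.get("PROTO") != "TCP" or kv.get("DPT") != dport:
            continue
        new = {"time": m.group(1), "packets": 0, "flags": set()}
        flow = flows.setdefault((kv["DST"], kv["SPT"]), new)
        flow["packets"] += 1
        flow["flags"] |= TCP_FLAGS & set(line.split())
    return flows

def reset_times(named_text):
    """Count named 'connection reset' dispatch errors per second."""
    pat = re.compile(STAMP + r"\.\d+ dispatch: .*TCP receive error: connection reset")
    return Counter(m.group(1) for m in map(pat.match, named_text.splitlines()) if m)

def correlate(fw_text, named_text):
    """One row per flow, with the named resets logged in the flow's first second."""
    resets = reset_times(named_text)
    # The log is outbound-only: a SYN followed by an ACK means the remote answered.
    return [{"time": f["time"], "dst": dst, "spt": spt, "packets": f["packets"],
             "established": {"SYN", "ACK"} <= f["flags"],
             "resets_same_second": resets.get(f["time"], 0)}
            for (dst, spt), f in parse_flows(fw_text).items()]

if __name__ == "__main__":
    print(*correlate(FW_LOG, NAMED_LOG), sep="\n")
```

Matching is done at one-second granularity because the kernel log carries no sub-second timestamps, so a reset logged just after the second rolls over (such as the 15:16:58.019 entry) is not counted against a 15:16:57 flow.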


