odd behaviour: BIND 9.3.3rc2

Mark Andrews Mark_Andrews at isc.org
Mon Nov 26 22:36:32 UTC 2007


> Not sure if this one was ever resolved, but I'm seeing similar problems with
> Bind 9.4.1p.  From limited testing it appears the problem is related to the
> query-source port option.  Sometimes hosts will be configured to filter
> packets that have a source port below 1024, it appears in this case the
> query is never making it up to the nameserver when the query-source port is
> 53, therefore no response.  When I comment out the query-source port option,
> it works fine.
> Unfortunately the query-source port option is necessary to get through the
> firewall.  Am I understanding this correctly ?  - assuming the only way
> around it is to configure another nameserver without this query-source port
> option ?

	The port value is for stateless firewalls and it can be any
	port, it just has to be what is configured into the local
	firewall.  53 is the recommended value because if you are
	running an authoritative nameserver you have to open up port
	53 to allow the queries in, so by setting query source to 53
	you allow the replies in via the same hole in the firewall.

	Any firewall that looks at the source port is misconfigured.

	Mark
	
> On Aug 29, 2007 9:20 AM, Felipe Ceglia - PY1NB <felipe-listas at terenet.com.br>
> wrote:
> 
> > Hello again, bind gurus,
> >
> > I am running BIND 9.3.3rc2 on a centos box.
> >
> > It happens that I cant resolve some hosts, like:
> >
> > dig redelagos.com.br
> > dig teresopolis.unimed.com.br
> >
> > And I can resolve it from other dns servers.
> >
> > Surely there is something wrong, but I cant figure what.
> >
> > Any ideas?
> >
> >
> > My /etc/named.conf looks like:
> >
> > options
> > {
> >        query-source    port 53;
> >        query-source-v6 port 53;
> >        directory "/var/named"; // the default
> >        dump-file               "data/cache_dump.db";
> >        statistics-file         "data/named_stats.txt";
> >        memstatistics-file      "data/named_mem_stats.txt";
> >
> > };
> > logging
> > {
> >        channel default_debug {
> >                file "data/named.run";
> >                severity dynamic;
> >        };
> > };
> > view "internal"
> > {
> >        include "/etc/named.root.hints";
> > };
> > //
> > view    "external"
> > {
> > recursion yes;
> > zone "." IN {
> >        type hint;
> >        file "named.root";
> > };
> > zone "domain.com" {
> >        type master;
> >        file "named.domain.com";
> > };
> >
> > };
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
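The exchange Mark describes above, modelled as an added example (this code is not part of the thread and is not ISC's or BIND's own): a stateless filter in front of the resolver only has the inbound UDP/53 hole, so replies reach the resolver only when the query went out from port 53; a remote host that drops source ports below 1024 then eats that query, which is the "no response" symptom in the quoted mail; a stateful local firewall, by contrast, admits the reply to whatever port the query left from. All addresses, ports and rule sets are constructed (RFC 5737 documentation ranges, simplified first-match filters). One caveat the thread predates: pinning query-source to a fixed port also gives up the source-port randomization resolvers rely on against cache poisoning, which is another reason to prefer the stateful variant.

```python
"""Toy model of how a DNS resolver's query-source port interacts with a
stateless packet filter in front of it and with a remote host that filters
low source ports. Constructed example: addresses are RFC 5737 documentation
ranges and the filters are simplified models, not any particular firewall."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

RESOLVER = "192.0.2.53"      # our BIND box, behind the local firewall (constructed)
REMOTE_NS = "198.51.100.1"   # an authoritative server we query (constructed)
EPHEMERAL = 40000            # a typical high source port (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    match: Callable[[Packet], bool]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match packet filter: the first rule whose predicate matches decides."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action
    return default


# Stateless local firewall: the only inbound hole is UDP to port 53 (needed anyway
# for an authoritative server), so replies to the resolver must arrive on port 53.
STATELESS_LOCAL_INBOUND = [
    Rule("allow-dns-in", "accept", lambda p: p.dst_ip == RESOLVER and p.dst_port == 53),
]

# Misconfigured remote filter from the quoted mail: drops anything whose source
# port is below 1024, including legitimate queries sent from port 53.
REMOTE_LOW_PORT_FILTER = [
    Rule("drop-low-src-port", "drop", lambda p: p.src_port < 1024),
    Rule("allow-dns-in", "accept", lambda p: p.dst_port == 53),
]
REMOTE_PERMISSIVE = [Rule("allow-dns-in", "accept", lambda p: p.dst_port == 53)]


class StatefulLocalFirewall:
    """Tracks outbound UDP flows and admits only the matching replies."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "accept" if reverse in self.flows else "drop"


def round_trip(query_source_port: int, remote_rules: List[Rule],
               stateful_local: bool = False) -> Tuple[bool, bool]:
    """Simulate one query/response exchange.

    Returns (query_reached_remote, reply_reached_resolver)."""
    query = Packet(RESOLVER, query_source_port, REMOTE_NS, 53)
    fw = StatefulLocalFirewall()
    if stateful_local:
        fw.outbound(query)
    if evaluate(remote_rules, query) != "accept":
        return (False, False)          # the remote filter silently ate the query
    reply = Packet(REMOTE_NS, 53, RESOLVER, query_source_port)
    if stateful_local:
        verdict = fw.inbound(reply)
    else:
        verdict = evaluate(STATELESS_LOCAL_INBOUND, reply)
    return (True, verdict == "accept")


if __name__ == "__main__":
    print("query-source 53, sane remote:       ", round_trip(53, REMOTE_PERMISSIVE))
    print("ephemeral, stateless local fw:      ", round_trip(EPHEMERAL, REMOTE_PERMISSIVE))
    print("query-source 53, remote drops <1024:", round_trip(53, REMOTE_LOW_PORT_FILTER))
    print("ephemeral, stateful local fw:       ",
          round_trip(EPHEMERAL, REMOTE_LOW_PORT_FILTER, stateful_local=True))
```

Running it prints the four cases in the order the thread discusses them: port 53 works through a stateless filter, an ephemeral port does not, port 53 is dropped by the remote low-port filter, and an ephemeral port works once the local firewall is stateful.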