odd behaviour: BIND 9.3.3rc2
Ralph Young
ralph at f7.net
Tue Nov 27 19:38:37 UTC 2007
Ok, I see now... in this case the remote nameserver is misconfigured - it's
dropping any packet with a source port less than 1024... it should make an
exception for port 53.
Thanks
On Nov 26, 2007 5:36 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
> > Not sure if this one was ever resolved, but I'm seeing similar problems with
> > Bind 9.4.1p. From limited testing it appears the problem is related to the
> > query-source port option. Sometimes hosts will be configured to filter
> > packets that have a source port below 1024; it appears in this case the
> > query is never making it up to the nameserver when the query-source port is
> > 53, therefore no response. When I comment out the query-source port option,
> > it works fine.
> > Unfortunately the query-source port option is necessary to get through the
> > firewall. Am I understanding this correctly? Assuming the only way
> > around it is to configure another nameserver without this query-source port
> > option?
>
> The port value is for stateless firewalls and it can be any
> port, it just has to be what is configured into the local
> firewall. 53 is the recommended value because if you are
> running an authoritative nameserver you have to open up port
> 53 to allow the queries in, so by setting query source to 53
> you allow the replies in via the same hole in the firewall.
>
> Any firewall that looks at the source port is misconfigured.
>
> Mark
>
> > On Aug 29, 2007 9:20 AM, Felipe Ceglia - PY1NB <felipe-listas at terenet.com.br>
> > wrote:
> >
> > > Hello again, bind gurus,
> > >
> > > I am running BIND 9.3.3rc2 on a centos box.
> > >
> > > It happens that I can't resolve some hosts, like:
> > >
> > > dig redelagos.com.br
> > > dig teresopolis.unimed.com.br
> > >
> > > And I can resolve them from other DNS servers.
> > >
> > > Surely there is something wrong, but I can't figure out what.
> > >
> > > Any ideas?
> > >
> > >
> > > My /etc/named.conf looks like:
> > >
> > > options
> > > {
> > >     query-source port 53;
> > >     query-source-v6 port 53;
> > >     directory "/var/named"; // the default
> > >     dump-file "data/cache_dump.db";
> > >     statistics-file "data/named_stats.txt";
> > >     memstatistics-file "data/named_mem_stats.txt";
> > > };
> > > logging
> > > {
> > >     channel default_debug {
> > >         file "data/named.run";
> > >         severity dynamic;
> > >     };
> > > };
> > > view "internal"
> > > {
> > >     include "/etc/named.root.hints";
> > > };
> > > //
> > > view "external"
> > > {
> > >     recursion yes;
> > >     zone "." IN {
> > >         type hint;
> > >         file "named.root";
> > >     };
> > >     zone "domain.com" {
> > >         type master;
> > >         file "named.domain.com";
> > >     };
> > > };
> > >
> > >
> > >
> >
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
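To make the two-firewall interaction in this thread concrete, the following is an added example (not code from the original posts or from BIND). It models two stateless packet filters as first-match rule lists: a local one that, as Mark describes, only opens inbound UDP with destination port 53, and a remote one that, as Ralph found, drops any packet with a source port below 1024. Tracing one query and its reply through both shows why `query-source port 53` is needed behind the local filter and why it fails against the remote one, and what each side would have to change. The rule sets, port numbers and function names are assumptions for illustration. One caveat the thread predates: pinning the query source to a single port also defeats source-port randomization, which has since become the standard defense against DNS cache poisoning, so a stateful filter or an opened ephemeral range is the better long-term fix on the local side.

```python
"""Stateless packet-filter model of the query-source port problem.

Constructed example, not code from the original posts or from BIND. The rule
sets below are assumptions that reproduce the two firewalls in the thread:
  - LOCAL_INBOUND: stateless filter in front of our nameserver that only
    opens inbound UDP with destination port 53 (the authoritative hole).
  - REMOTE_INBOUND: the remote side's filter, which drops anything with a
    source port below 1024 before allowing UDP/53 in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    src_port: Optional[range] = None  # None matches any source port
    dst_port: Optional[range] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_port is not None and pkt.src_port not in self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port not in self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation with no connection table, i.e. a stateless filter."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


PRIVILEGED = range(0, 1024)
DNS = range(53, 54)

# Assumed rule sets (see module docstring).
LOCAL_INBOUND = [Rule("accept", "udp", dst_port=DNS)]
REMOTE_INBOUND = [Rule("drop", "udp", src_port=PRIVILEGED),
                  Rule("accept", "udp", dst_port=DNS)]


def trace_lookup(query_source_port: int,
                 local_inbound: List[Rule] = LOCAL_INBOUND,
                 remote_inbound: List[Rule] = REMOTE_INBOUND) -> Dict[str, str]:
    """Follow one UDP query and its reply through the two inbound filters."""
    query = Packet("udp", query_source_port, 53)   # us -> remote authoritative
    reply = Packet("udp", 53, query_source_port)   # remote authoritative -> us
    return {
        "query_at_remote": evaluate(remote_inbound, query),
        "reply_at_local": evaluate(local_inbound, reply),
    }


def resolves(query_source_port: int, **filters) -> bool:
    """True only if both legs of the exchange pass their respective filter."""
    return all(v == "accept" for v in trace_lookup(query_source_port, **filters).values())


if __name__ == "__main__":
    for port in (53, 34567):
        verdict = "resolves" if resolves(port) else "fails"
        print(f"query-source port {port}: {trace_lookup(port)} -> {verdict}")
    # Remote-side fix: stop filtering on the source port.
    fixed_remote = [Rule("accept", "udp", dst_port=DNS)]
    print("remote fixed, port 53:", resolves(53, remote_inbound=fixed_remote))
    # Local-side fix without a pinned port: admit replies to the ephemeral
    # range (or use a stateful filter), which also permits port randomization.
    local_ephemeral = LOCAL_INBOUND + [Rule("accept", "udp", dst_port=range(1024, 65536))]
    print("ephemeral source, local opened:", resolves(34567, local_inbound=local_ephemeral))
```

Running it shows the symmetry in the thread: with `query-source port 53` the reply gets through the local filter but the query is dropped at the remote side, and with an ephemeral source port the query arrives but the stateless local filter drops the reply. Only one of the two filters has to change for the lookup to succeed.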