Recursive queries fail if query source port is not fixed
Steven Stromer
filter at stevenstromer.com
Fri Aug 15 21:37:32 UTC 2008
I doubt that this is at all pertinent, but I was experiencing similar
behavior once I patched a client a few weeks ago and took them off
port 53. Recursive requests were failing three out of every four
times they were made, yet digs with trace worked. The company uses a
crappy Netgear firewall that I can't wait to trash. However, the fix
ended up coming from turning off tcp and udp flood protection on the
firewall. In this case the firewall was located between a DMZ area
and the company LAN, with the recursive nameserver located in the
DMZ, so the network was probably slightly different... However, the
symptoms sound so familiar that I thought I'd mention it. Maybe your
Cisco router is interpreting all the randomized UDP activity as a
flood. Apologies if this is off track with your issue - good luck
finding a fix!
Steven
> At Fri, 15 Aug 2008 10:27:13 +1000,
> Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>>>>> fctx 0x87b7b20(images.yandex.ru/A'): query
>>>>> fctx 0x87b7b20(images.yandex.ru/A'): done
>>>>
>>>> This seems to indicate creating a query socket somehow failed. Can
>>>> you build BIND by hand to see if you can reproduce the problem with
>>>> it? Then we may add some ad-hock patch to provide more detailed
>>>> log
>>>> information.
>>>
>>> Can you run sockstat and see if there are a large number of
>>> listening UDP sockets from another process or processes that
>>> maybe named is attempting to BIND to as well (and failing) when
>>> sourcing the queries? I'm not sure how BIND determines (if it
>>> does) if a port is free before attempting to bind to it when
>>> sourcing a query. I know you can specify port ranges to not
>>> use. Maybe the issue is that the port is being used by another
>>> process and eventually after a retry or two, you source from a
>>> port that is not being consumed by another process and it works.
>>
>> The -P2's won't bind(2) to a port that is in use.
>
> And the failure of bind(2) doesn't well explain why "any" recursive
> queries failed. This could happen in theory, but since named retries
> bind(2)ing with different sockets many times before finally giving up,
> the chance of happening this for all queries should be extremely
> small in practice. There should be something unexpected behind the
> scene.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>
>
More information about the bind-users
mailing list