what is named daemon listening for ports other than 53, 953

Alan Zoysa alanzoysa at gmail.com
Sun Oct 5 12:35:26 UTC 2008


On Sun, Oct 5, 2008 at 7:44 PM, Barry Margolin <barmar at alum.mit.edu> wrote:
> In article <gc8mme$doe$1 at sf1.isc.org>,
>  "Alan Zoysa" <alanzoysa at gmail.com> wrote:
>
>> BIND950P2:~# netstat -lnp|grep named
>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      21423/named
>> tcp6       0      0 ::1:53                  :::*                    LISTEN      21423/named
>> tcp6       0      0 ::1:953                 :::*                    LISTEN      21423/named
>> udp        0      0 0.0.0.0:56789           0.0.0.0:*                           21423/named
>> udp6       0      0 :::36645                :::*                                21423/named
>> udp6       0      0 ::1:53                  :::*                                21423/named
>>
>> BIND950P2:~# /etc/init.d/bind9 restart
>> Stopping domain name service...: bind9.
>> Starting domain name service...: bind9.
>> BIND950P2:~# netstat -lnp|grep named
>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      21574/named
>> tcp6       0      0 ::1:53                  :::*                    LISTEN      21574/named
>> tcp6       0      0 ::1:953                 :::*                    LISTEN      21574/named
>> udp        0      0 0.0.0.0:36327           0.0.0.0:*                           21574/named
>> udp6       0      0 ::1:53                  :::*                                21574/named
>> udp6       0      0 :::51161                :::*                                21574/named
>
> The high ports are used for sending recursive queries and receiving the
> replies.
>

I see! Thank you Barry.

To verify if it is indeed true, I did the following.
It involves 2 machines:
A.B.C.D   my recursive DNS server
A.B.C.E   client to my DNS server.

I ran the following commands.
[A.B.C.D] # netstat -lnp|grep named
---- gives me the high port numbers used presently.

[A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
---- gives me all the DNS packets on my named interface.

[A.B.C.E] # dig @A.B.C.D www.yahoo.com
---- fires a recursive query

Below is the detailed output:
#############  start of output  ##############
[A.B.C.E] # dig @A.B.C.D www.yahoo.com

; <<>> DiG 9.5.0-P2 <<>> @A.B.C.D www.yahoo.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38680
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com.                 IN      A

;; ANSWER SECTION:
www.yahoo.com.          21600   IN      CNAME   www.yahoo-ht3.akadns.net.
www.yahoo-ht3.akadns.net. 60    IN      A       87.248.113.14

;; AUTHORITY SECTION:
akadns.net.             172734  IN      NS      use4.akadns.net.
akadns.net.             172734  IN      NS      use3.akadns.net.
akadns.net.             172734  IN      NS      za.akadns.org.
akadns.net.             172734  IN      NS      eur1.akadns.net.
akadns.net.             172734  IN      NS      zc.akadns.org.
akadns.net.             172734  IN      NS      zb.akadns.org.
akadns.net.             172734  IN      NS      zd.akadns.org.
akadns.net.             172734  IN      NS      asia9.akadns.net.
akadns.net.             172734  IN      NS      usw2.akadns.net.

;; Query time: 1141 msec
;; SERVER: A.B.C.D#53(A.B.C.D)
;; WHEN: Sun Oct  5 20:15:33 2008
;; MSG SIZE  rcvd: 259

[A.B.C.E] #

[A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[A.B.C.D] #



[A.B.C.D] # netstat -lnp|grep named
tcp        0      0 A.B.C.D:53              0.0.0.0:*               LISTEN      3709/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3709/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3709/named
tcp6       0      0 :::53                   :::*                    LISTEN      3709/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      3709/named
udp        0      0 0.0.0.0:42663           0.0.0.0:*                           3709/named
udp        0      0 A.B.C.D:53              0.0.0.0:*                           3709/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3709/named
udp6       0      0 :::53                   :::*                                3709/named
udp6       0      0 :::35254                :::*                                3709/named
[A.B.C.D] #

#############  end of output  ##############

The high port 42663 is not used for recursive query.

Please correct me if I am wrong in understanding your response.

Thank you.

-- 

best regards,
Alan.

