what is named daemon listening for ports other than 53, 953

Chris Buxton cbuxton at menandmice.com
Sun Oct 5 15:57:13 UTC 2008


On Oct 5, 2008, at 5:35 AM, Alan Zoysa wrote:
> On Sun, Oct 5, 2008 at 7:44 PM, Barry Margolin <barmar at alum.mit.edu> wrote:
>> In article <gc8mme$doe$1 at sf1.isc.org>,
>> "Alan Zoysa" <alanzoysa at gmail.com> wrote:
>>
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      21423/named
>>> tcp6       0      0 ::1:53                  :::*                    LISTEN      21423/named
>>> tcp6       0      0 ::1:953                 :::*                    LISTEN      21423/named
>>> udp        0      0 0.0.0.0:56789           0.0.0.0:*                           21423/named
>>> udp6       0      0 :::36645                :::*                                21423/named
>>> udp6       0      0 ::1:53                  :::*                                21423/named
>>>
>>> BIND950P2:~# /etc/init.d/bind9 restart
>>> Stopping domain name service...: bind9.
>>> Starting domain name service...: bind9.
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      21574/named
>>> tcp6       0      0 ::1:53                  :::*                    LISTEN      21574/named
>>> tcp6       0      0 ::1:953                 :::*                    LISTEN      21574/named
>>> udp        0      0 0.0.0.0:36327           0.0.0.0:*                           21574/named
>>> udp6       0      0 ::1:53                  :::*                                21574/named
>>> udp6       0      0 :::51161                :::*                                21574/named
>>
>> The high ports are used for sending recursive queries and receiving the
>> replies.
>>
>
> I see! Thank you Barry.
>
> To verify if it is indeed true, I did the following:
> It involves 2 machines.
> A.B.C.D   my recursive DNS server
> A.B.C.E   client to my DNS server.
>
> I ran the following commands.
> [A.B.C.D.] # netstat -lnp|grep named
> ---- gives me the high port numbers used presently.
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> ---- gives me all the DNS packets on my named interface.
>
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
> ---- fires a recursive query
>
> Below is the detailed output:
> #############  start of output  ##############
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
>
> ; <<>> DiG 9.5.0-P2 <<>> @A.B.C.D www.yahoo.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38680
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.yahoo.com.                 IN      A
>
> ;; ANSWER SECTION:
> www.yahoo.com.          21600   IN      CNAME   www.yahoo-ht3.akadns.net.
> www.yahoo-ht3.akadns.net. 60    IN      A       87.248.113.14
>
> ;; AUTHORITY SECTION:
> akadns.net.             172734  IN      NS      use4.akadns.net.
> akadns.net.             172734  IN      NS      use3.akadns.net.
> akadns.net.             172734  IN      NS      za.akadns.org.
> akadns.net.             172734  IN      NS      eur1.akadns.net.
> akadns.net.             172734  IN      NS      zc.akadns.org.
> akadns.net.             172734  IN      NS      zb.akadns.org.
> akadns.net.             172734  IN      NS      zd.akadns.org.
> akadns.net.             172734  IN      NS      asia9.akadns.net.
> akadns.net.             172734  IN      NS      usw2.akadns.net.
>
> ;; Query time: 1141 msec
> ;; SERVER: A.B.C.D#53(A.B.C.D)
> ;; WHEN: Sun Oct  5 20:15:33 2008
> ;; MSG SIZE  rcvd: 259
>
> [A.B.C.E] #
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
> 00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
> 00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
> 00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
> 00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
> 00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
> 00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
> 00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
> 00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
> 00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
> ^C
> 10 packets captured
> 10 packets received by filter
> 0 packets dropped by kernel
> [A.B.C.D] #
>
>
>
> [A.B.C.D] # netstat -lnp|grep named
> tcp        0      0 A.B.C.D:53              0.0.0.0:*               LISTEN      3709/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3709/named
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3709/named
> tcp6       0      0 :::53                   :::*                    LISTEN      3709/named
> tcp6       0      0 ::1:953                 :::*                    LISTEN      3709/named
> udp        0      0 0.0.0.0:42663           0.0.0.0:*                           3709/named
> udp        0      0 A.B.C.D:53              0.0.0.0:*                           3709/named
> udp        0      0 127.0.0.1:53            0.0.0.0:*                           3709/named
> udp6       0      0 :::53                   :::*                                3709/named
> udp6       0      0 :::35254                :::*                                3709/named
> [A.B.C.D] #
>
> #############  end of output  ##############
>
> The high port 42663 is not used for recursive query.

If I'm not mistaken, named gets a new source port ready for the next  
outgoing query. If you had run the netstat command prior to sending  
the query, I believe you would have seen port 5506 held open.

Chris Buxton
Professional Services
Men & Mice
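
The correlation done by eye in this thread, as an added example that is not part of the original messages: it parses the tcpdump lines quoted above (unwrapped, with the A.B.C.D / A.B.C.E placeholders kept), pairs each upstream query from the resolver with its reply by source port, query ID and server, and reports any source port used more than once. The function names are hypothetical.

```python
import re

# The capture quoted in the thread, unwrapped. A.B.C.D is the resolver.
CAPTURE = """\
00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
"""

# "IP <host>.<port> > <host>.<port>: <query id>" as printed by tcpdump -n
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")

def upstream_exchanges(capture, resolver):
    """Return [(src_port, query_id, server, answered)] for every query the
    resolver sent to a remote port 53, in the order the queries were sent."""
    answered, order = {}, []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, qid = m.group(1), m.group(3), int(m.group(5))
        sport, dport = int(m.group(2)), int(m.group(4))
        if src == resolver and dport == 53:      # outgoing recursive query
            key = (sport, qid, dst)
            answered[key] = False
            order.append(key)
        elif dst == resolver and sport == 53:    # reply from an upstream server
            key = (dport, qid, src)
            if key in answered:                  # port, ID and server all match
                answered[key] = True
    return [key + (answered[key],) for key in order]

def reused_ports(exchanges):
    """Source ports that carried more than one upstream query."""
    ports = [e[0] for e in exchanges]
    return sorted({p for p in ports if ports.count(p) > 1})

if __name__ == "__main__":
    for port, qid, server, ok in upstream_exchanges(CAPTURE, "A.B.C.D"):
        print(f"src port {port:>5}  id {qid:>5}  -> {server:<15} answered={ok}")
    print("reused source ports:", reused_ports(upstream_exchanges(CAPTURE, "A.B.C.D")))
```

The client's own query to port 53 and the final answer back to the client are skipped on purpose, since only the resolver's upstream traffic uses the high ports.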