Possible problems with bind-9.5.1
JINMEI Tatuya / 神明達哉
Jinmei_Tatuya at isc.org
Fri Feb 13 21:48:06 UTC 2009
At Fri, 13 Feb 2009 19:10:02 +0100,
"Elizabeta Zadro" <elizabeta.zadro at tel.net.ba> wrote:
> Before I had bind-9.5.0-P2 and now I upgrade to bind-9.5.1. I readed that in
> bind-9.5.1 is additional support for query port randomization
>
> including performance improvement and port range specification.
>
> But is this ok?
[snip]
> As you can see, the ports are changing, but there is always crackerjack.net
> every time on differnet ports? Can I simply put this user in IP tables?
I don't (necessarily) think so. This can happen if (names under) that
domain is popular for your clients. Unless these queries make your
server unacceptably busy or cause other troubles such as increase of
SERVFAIL results, you can just let them be asked.
You may also want to check which names (and types) under crackerjack
are being asked by rndc recursing and which clients ask them to see
whether they are just frequently asked or are a result of some
malicious attempt.
> In previously version bind-9.5.0-P2 there was not at all ESTABLISHED socket
> from foreign users.
> Otherwise, My network and configuration is the same like before upgrade.
> Only when I upgreded to bind 9.5.1., there are now many udp socket. Is this
> characteristical behaviour for bind.9.5.1?
'ESTABLISHED' is a feature of 9.5.1, which now uses connected UDP
sockets. It's not a bad thing per se; rather, it helps improve
stability and performance. Also, you should have seen 'many udp
sockets' in 9.5.0-P2, too. Using a (possibly) large number of UDP
sockets is common both in 9.5.0-P2 and 9.5.1.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list