BIND ignores queries from specific privileged source ports
Blake Hudson
blake at ispn.net
Fri Jun 7 21:56:43 UTC 2019
Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but
have also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated
from specific privileged source ports but not others?
Example:
[root at ns ~]# dig +short -b 127.0.0.1 @localhost google.com
172.217.6.110
[root at ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com
172.217.6.110
[root at ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com
172.217.6.110
[root at ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com
;; connection timed out; no servers could be reached
[root at ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com
172.217.6.110
[root at ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com
;; connection timed out; no servers could be reached
While it would be ideal for clients to use source port randomization and
initiate queries from random ephemeral ports, I don't control all the
clients or the NAT routers in between the client and the server. Queries
using a source port of 13 and 19 are dropped while queries from port
10000, 50, and 14 are answered. This has been confirmed via a network
capture as well. I checked the ARM, but didn't see what knob(s) I could
tweak to control this behavior. Anyone know?
Thanks,
--Blake