[RESOLVED] Re: No response from localhost with "allow-query { any; };"

Crist Clark cjc+bind-users at pumpky.net
Fri Sep 4 22:51:04 UTC 2020


From release notes:

Notes for BIND 9.16.1

Known Issues
UDP network ports used for listening can no longer simultaneously be used
for sending traffic. An example configuration which triggers this issue
would be one which uses the same address:port pair for listen-on(-v6)
statements as for notify-source(-v6) or transfer-source(-v6). While this
issue affects all operating systems, it only triggers log messages (e.g.
“unable to create dispatch for reserved port”) on some of them. There are
currently no plans to make such a combination of settings work again.

Also, using fixed source ports is at worst considered harmful, at best
considered a quaint reminder of the ol' days of stateless firewalls.
Generally, if you need to do that, you are doing something wrong.


On Fri, Sep 4, 2020 at 2:25 AM Axel Rau <Axel.Rau at chaos1.de> wrote:

>
>
> Am 01.09.2020 um 22:28 schrieb Axel Rau <Axel.Rau at chaos1.de>:
>
> tcp queries are being answered, but udp queries receive no response.
> This is independent of client location (local, remote).
>
> A ktrace shows 8 bytes are written on fd 89, the 8 bytes read on fd 88.
> The next read gets an errno 35 (see below).
>
>
> Commenting these out, seems to resolve the issue:
>
> query-source address  91.216.35.21;
> notify-source   91.216.35.21 port 53;
> transfer-source   91.216.35.21 port 53;
>
> query-source-v6 address    2a05:bec0:26:5::71;
> notify-source-v6 2a05:bec0:26:5::71 port 53;
> transfer-source-v6 2a05:bec0:26:5::71 port 53;
>
> Queries to localhost shows that the response does not come from localhost:
>
> root at ns5:/var/log # dig localhost @localhost
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
>
> ; <<>> DiG 9.16.6 <<>> localhost @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> No issue with remote queries.
>
> Questions:
>
> What has query-source address to do with a query response?
> Why does the issue not happen on another server (same config, same OS & BIND
> version)?
>
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>
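An added configuration check, written for this page and not code from either poster or from ISC, that flags the combination the 9.16.1 release notes describe: a notify-source/transfer-source (or query-source) statement whose fixed address:port is also a listen-on socket. The source statements are the ones Axel quoted; the listen-on/listen-on-v6 lines are an assumption, since the thread does not show them.

```python
import re

# Constructed named.conf fragment: the *-source statements quoted in the thread
# plus an ASSUMED listen-on/listen-on-v6 block binding the same addresses on 53.
SAMPLE_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 91.216.35.21; };
    listen-on-v6 { 2a05:bec0:26:5::71; };
    query-source address 91.216.35.21;
    notify-source 91.216.35.21 port 53;
    transfer-source 91.216.35.21 port 53;
    query-source-v6 address 2a05:bec0:26:5::71;
    notify-source-v6 2a05:bec0:26:5::71 port 53;
    transfer-source-v6 2a05:bec0:26:5::71 port 53;
};
"""

LISTEN_RE = re.compile(r"listen-on(-v6)?\s*(?:port\s+(\d+))?\s*\{([^}]*)\}")
SOURCE_RE = re.compile(
    r"(query|notify|transfer)-source(-v6)?\s+(?:address\s+)?([0-9A-Fa-f:.*]+)"
    r"(?:\s+port\s+(\d+))?\s*;")


def listening_pairs(conf):
    """(address, port) pairs named binds for listening; listen-on defaults to port 53."""
    pairs = set()
    for _v6, port, body in LISTEN_RE.findall(conf):
        for addr in (a.strip() for a in body.split(";")):
            if addr:
                pairs.add((addr, int(port or 53)))
    return pairs


def find_source_conflicts(conf):
    """(statement, address, port) for each fixed-port source that is also a listener."""
    listening = listening_pairs(conf)
    conflicts = []
    for kind, v6, addr, port in SOURCE_RE.findall(conf):
        if not port:
            continue  # no fixed port: named picks an ephemeral port, no clash
        pair = (addr, int(port))
        if pair in listening or ("any", pair[1]) in listening:
            conflicts.append((f"{kind}-source{v6}", addr, int(port)))
    return conflicts


def strip_fixed_ports(conf):
    """Mitigation: keep the source address, drop the fixed 'port N' clause."""
    return re.sub(r"((?:query|notify|transfer)-source(?:-v6)?[^;]*?)\s+port\s+\d+\s*;",
                  r"\1;", conf)


if __name__ == "__main__":
    print(find_source_conflicts(SAMPLE_CONF))  # four notify/transfer clashes
```

Running it against the sample reports the four notify/transfer statements and none of the query-source ones, and `find_source_conflicts(strip_fixed_ports(SAMPLE_CONF))` is empty.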