Behavior of port tag in options clause is ambiguous

Fri Dec 16 06:41:34 UTC 2022

Hi,

there’s really nice documentation for BIND 9, and it’s even online and have a section on the “port”: https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-port

Also don’t limit the outgoing ports to a single number - that’s a bad security practice, you should be using the full range if possible.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 16. 12. 2022, at 7:26, Vikas Sharma <er.sharmavikas at gmail.com> wrote:
> 
> 
> Hi Team,
>  
> we have following configuration in my named.conf
> where i named process on primary DNS is listening on port 15010.
> whereas secondary DNS is running on port 53.
> All Notification to secondary DNS is forwarded on destination port 53 from primary DNS. 
>  
> Now when i add tag port 15010 in options clause on primary DNS, then i see some notification message being forwarded to secondary DNS to dest port 15010. these messages are in addition to notification to secondary DNS with dest port 53.
> changing port value form 15010 to 20598 sends notification to secondary DSN on dest port 20598 in addition to notification to secondary on port 53.
>  
> i have a firewall on secondary DNS which is rejecting all packets on port 15010/20598.
> i see that all my data is populated on secondary DNS without any problem due to notifications to secondary DNS on port 53.
>  
> query is why named is sending notification to secondary DNS on port 15010/20598 when regular notification is also going to secondary DNS on port 53.
>  
>  
> acl theAllServers {
>          thePrimary;
>          theSecondary;
>          localhost;
> };
>  
> options {
>          directory "/var/opt/named";
>          pid-file "/var/opt/run/named.pid";
>          allow-transfer { theAllServers; };
>          allow-query { any; };
>          zone-statistics no;
>          notify yes;
>          max-cache-size 14297m;
>          max-journal-size 1048576;
>          port 15010;                                       #=> used 20598 as well instead of 15010;
>          listen-on port 15010 { 127.0.0.1; };
>          also-notify {
>                  10.1.2.4 port 53;
>                  10.1.2.5 port 53;
>          };
> };
> 
> Best Regards,
> Vikas Sharma
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221216/598f021f/attachment.htm>