Behavior of port tag in options clause is ambiguous

Vikas Sharma er.sharmavikas at gmail.com
Fri Dec 16 09:06:43 UTC 2022


Thanks Ondrej and Clark for the quick reply.
I have gone through the documentation and it really is very well written.

BIND version used: 9.18.3
notification message = Zone Change Notification

Referring to part of the options clause from the original mail:

         port 15010;
         listen-on port 15010 { 127.0.0.1; };
         also-notify {
                 10.1.2.4 port 53;
                 10.1.2.5 port 53;
         };

Here I have "listen-on port 15010 { 127.0.0.1; };", which means the primary DNS is
listening on port 15010.
In the also-notify section I have the secondary DNS server IPs and port 53:

         also-notify {
                 10.1.2.4 port 53;     #=> notify should go on port 53 to secondary DNS
                 10.1.2.5 port 53;
         };

So, based on the also-notify configuration, the primary DNS should send all
notifications to the secondary DNS on destination port 53.

Now, after adding "port 15010;", notifications are also going to the secondary DNS
on port 15010, while notifications on port 53 are also taking place.
So is this behaviour expected?
Port 15010 is neither completely overriding port 53 in also-notify, nor is port
15010 ignored while sending notifications to the secondary DNS.

And if all notification messages to destination port 15010 are dropped on the
secondary DNS, is there any impact?

As per Clark's explanation, "port number the server uses to receive and
*send* DNS protocol traffic", BIND should then use destination port 15010 for all
notifications to the secondary DNS, but notifications are going to port 53 as well.

So when will port 15010 be used and when will port 53 be used while sending
notifications to the secondary DNS?


BR,

Vikas Sharma


On Fri, Dec 16, 2022 at 12:11 PM Ondřej Surý <ondrej at isc.org> wrote:

> Hi,
>
> there's really nice documentation for BIND 9, and it's even online and
> has a section on "port":
> https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-port
>
> Also don't limit the outgoing ports to a single number - that's a bad
> security practice; you should be using the full range if possible.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 16. 12. 2022, at 7:26, Vikas Sharma <er.sharmavikas at gmail.com> wrote:
>
> Hi Team,
>
> We have the following configuration in my named.conf,
> where the named process on the primary DNS is listening on port 15010,
> whereas the secondary DNS is running on port 53.
> All notifications to the secondary DNS are forwarded on destination port 53 from
> the primary DNS.
>
> Now when I add the tag "port 15010" in the options clause on the primary DNS, I see
> some notification messages being forwarded to the secondary DNS on destination port
> 15010. These messages are in addition to the notifications to the secondary DNS with
> destination port 53.
> Changing the port value from 15010 to 20598 sends notifications to the secondary
> DNS on destination port 20598 in addition to the notifications to the secondary on
> port 53.
>
> I have a firewall on the secondary DNS which is rejecting all packets on port
> 15010/20598.
> I see that all my data is populated on the secondary DNS without any problem,
> due to the notifications to the secondary DNS on port 53.
>
> The query is why named is sending notifications to the secondary DNS on port
> 15010/20598 when regular notifications are also going to the secondary DNS on
> port 53.
>
>
> acl theAllServers {
>          thePrimary;
>          theSecondary;
>          localhost;
> };
>
> options {
>          directory "/var/opt/named";
>          pid-file "/var/opt/run/named.pid";
>          allow-transfer { theAllServers; };
>          allow-query { any; };
>          zone-statistics no;
>          notify yes;
>          max-cache-size 14297m;
>          max-journal-size 1048576;
>          port 15010;     #=> used 20598 as well instead of 15010;
>          listen-on port 15010 { 127.0.0.1; };
>          also-notify {
>                  10.1.2.4 port 53;
>                  10.1.2.5 port 53;
>          };
> };
>
> Best Regards,
> Vikas Sharma
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
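Editor's note: the block below is an added example and is not code from any message in this thread; it is modelled on the configuration quoted above. It shows the two notify settings side by side. With "notify yes;" named sends NOTIFY to every server in the zone's NS RRset as well as to the also-notify entries; the NS-derived targets are addressed on the server's default port, which is what the "port" option sets (15010 here), while also-notify entries keep the port they specify (53 here). With "notify explicit;" NOTIFY goes only to the also-notify list. The zone name, zone file and addresses are placeholders.

```conf
// Added example (editor's), modelled on the configuration quoted in this thread.
// Zone name, file and addresses are placeholders, not a tested deployment.

options {
    directory "/var/opt/named";

    // Default port for DNS traffic this server sends and receives.
    // NOTIFY to servers derived from the zone's NS RRset is sent to this port,
    // so with 15010 here the secondaries also see NOTIFY arriving on 15010.
    port 15010;
    listen-on port 15010 { 127.0.0.1; };

    // Variant A (as posted): NOTIFY goes to the NS RRset servers on port 15010
    // AND to the also-notify entries on their explicit port 53.
    // notify yes;

    // Variant B: NOTIFY goes only to the also-notify entries below, so nothing
    // is sent to port 15010 and the firewall on the secondaries has nothing to drop.
    notify explicit;

    also-notify {
        10.1.2.4 port 53;   // an explicit port here is not overridden by "port"
        10.1.2.5 port 53;
    };

    // Per Ondrej's remark above: do not pin outgoing source ports
    // (query-source / notify-source port); leave them at the default range.
};

zone "example.test" IN {
    type primary;
    file "example.test.zone";
};
```

To check the file, run named-checkconf on it, then trigger a NOTIFY with "rndc notify example.test" and capture on a secondary with tcpdump filtering on udp port 53 and udp port 15010: variant A shows NOTIFY on both ports, variant B on port 53 only.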

