what is named daemon listening for ports other than 53, 953
Chris Buxton
cbuxton at menandmice.com
Sun Oct 5 15:57:13 UTC 2008
On Oct 5, 2008, at 5:35 AM, Alan Zoysa wrote:
> On Sun, Oct 5, 2008 at 7:44 PM, Barry Margolin <barmar at alum.mit.edu>
> wrote:
>> In article <gc8mme$doe$1 at sf1.isc.org>,
>> "Alan Zoysa" <alanzoysa at gmail.com> wrote:
>>
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 21423/named
>>> tcp6 0 0 ::1:53 :::* LISTEN 21423/named
>>> tcp6 0 0 ::1:953 :::* LISTEN 21423/named
>>> udp 0 0 0.0.0.0:56789 0.0.0.0:* 21423/named
>>> udp6 0 0 :::36645 :::* 21423/named
>>> udp6 0 0 ::1:53 :::* 21423/named
>>>
>>> BIND950P2:~# /etc/init.d/bind9 restart
>>> Stopping domain name service...: bind9.
>>> Starting domain name service...: bind9.
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 21574/named
>>> tcp6 0 0 ::1:53 :::* LISTEN 21574/named
>>> tcp6 0 0 ::1:953 :::* LISTEN 21574/named
>>> udp 0 0 0.0.0.0:36327 0.0.0.0:* 21574/named
>>> udp6 0 0 ::1:53 :::* 21574/named
>>> udp6 0 0 :::51161 :::* 21574/named
>>
>> The high ports are used for sending recursive queries and receiving the
>> replies.
>>
>
> I see! Thank you Barry.
>
> To verify that it is indeed true, I did the following. It involves 2 machines:
> A.B.C.D my recursive DNS server
> A.B.C.E client to my DNS server.
>
> I ran following commands.
> [A.B.C.D.] # netstat -lnp|grep named
> ---- gives me the high port numbers used presently.
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> ---- gives me all the DNS packets on my named interface.
>
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
> ---- fires a recursive query
>
> Below is the detailed output:
> ############# start of output ##############
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
>
> ; <<>> DiG 9.5.0-P2 <<>> @A.B.C.D www.yahoo.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38680
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.yahoo.com. IN A
>
> ;; ANSWER SECTION:
> www.yahoo.com. 21600 IN CNAME www.yahoo-ht3.akadns.net.
> www.yahoo-ht3.akadns.net. 60 IN A 87.248.113.14
>
> ;; AUTHORITY SECTION:
> akadns.net. 172734 IN NS use4.akadns.net.
> akadns.net. 172734 IN NS use3.akadns.net.
> akadns.net. 172734 IN NS za.akadns.org.
> akadns.net. 172734 IN NS eur1.akadns.net.
> akadns.net. 172734 IN NS zc.akadns.org.
> akadns.net. 172734 IN NS zb.akadns.org.
> akadns.net. 172734 IN NS zd.akadns.org.
> akadns.net. 172734 IN NS asia9.akadns.net.
> akadns.net. 172734 IN NS usw2.akadns.net.
>
> ;; Query time: 1141 msec
> ;; SERVER: A.B.C.D#53(A.B.C.D)
> ;; WHEN: Sun Oct 5 20:15:33 2008
> ;; MSG SIZE rcvd: 259
>
> [A.B.C.E] #
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
> 00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
> 00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
> 00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
> 00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
> 00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
> 00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
> 00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
> 00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
> 00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
> ^C
> 10 packets captured
> 10 packets received by filter
> 0 packets dropped by kernel
> [A.B.C.D] #
>
>
>
> [A.B.C.D] # netstat -lnp|grep named
> tcp 0 0 A.B.C.D:53 0.0.0.0:* LISTEN 3709/named
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3709/named
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3709/named
> tcp6 0 0 :::53 :::* LISTEN 3709/named
> tcp6 0 0 ::1:953 :::* LISTEN 3709/named
> udp 0 0 0.0.0.0:42663 0.0.0.0:* 3709/named
> udp 0 0 A.B.C.D:53 0.0.0.0:* 3709/named
> udp 0 0 127.0.0.1:53 0.0.0.0:* 3709/named
> udp6 0 0 :::53 :::* 3709/named
> udp6 0 0 :::35254 :::* 3709/named
> [A.B.C.D] #
>
> ############# end of output ##############
>
> The high port 42663 is not used for the recursive query.

If I'm not mistaken, named gets a new source port ready for the next
outgoing query. If you had run the netstat command prior to sending
the query, I believe you would have seen port 5506 held open.
Chris Buxton
Professional Services
Men & Mice
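The correlation Alan did by eye, as an added example that is not code from the thread or from BIND: parse the tcpdump summary lines and the UDP lines of the final netstat output quoted above, collect the source ports named used for its own outgoing queries, check that each reply came back to the port and transaction ID of the query it answers, and compare those query ports with the high ports netstat shows bound. The sample inputs are the capture and netstat lines from the thread, embedded here as constructed strings with the A.B.C.D placeholders kept; the function names and the regular expression are mine.

```python
import re

# Constructed sample input (not taken from a live system): the tcpdump summary
# lines captured on A.B.C.D in the thread above, placeholder addresses kept.
TCPDUMP_OUTPUT = """\
00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
"""

# Constructed sample input: the UDP lines of the final `netstat -lnp|grep named`
# from the thread, re-joined onto one line each.
NETSTAT_OUTPUT = """\
udp 0 0 0.0.0.0:42663 0.0.0.0:* 3709/named
udp 0 0 A.B.C.D:53 0.0.0.0:* 3709/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 3709/named
udp6 0 0 :::53 :::* 3709/named
udp6 0 0 :::35254 :::* 3709/named
"""

SERVER = "A.B.C.D"  # the recursive server the capture was taken on

# tcpdump's one-line DNS summary: "<time> IP <src>.<sport> > <dst>.<dport>: <txid><flags> ..."
# The host part may itself contain dots, so the port is the last dotted component.
PKT_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")


def parse_tcpdump(text):
    """Return one dict per DNS packet: src, sport, dst, dport, txid."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, txid = m.groups()
        packets.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "txid": int(txid)})
    return packets


def outgoing_queries(packets, server=SERVER):
    """Map txid -> source port for the queries the server itself sent to port 53."""
    return {p["txid"]: p["sport"] for p in packets
            if p["src"] == server and p["dport"] == 53 and p["sport"] != 53}


def replies_matched(packets, server=SERVER):
    """For each reply addressed to the server, report (txid, port, ok): ok is True
    only when the reply landed on the port the matching query was sent from."""
    queries = outgoing_queries(packets, server)
    results = []
    for p in packets:
        if p["dst"] == server and p["sport"] == 53 and p["dport"] != 53:
            ok = queries.get(p["txid"]) == p["dport"]
            results.append((p["txid"], p["dport"], ok))
    return results


def netstat_udp_ports(text):
    """The set of UDP local ports named has bound, from `netstat -lnp` lines."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        # local address is field 4; the port follows the last colon (works for :::53 too)
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def high_ports(ports):
    """Bound ports other than the service port 53 and the rndc control port 953."""
    return {p for p in ports if p not in (53, 953)}


def correlate(tcpdump_text=TCPDUMP_OUTPUT, netstat_text=NETSTAT_OUTPUT, server=SERVER):
    """Compare the source ports of outgoing queries with the high ports netstat shows bound."""
    packets = parse_tcpdump(tcpdump_text)
    query_ports = set(outgoing_queries(packets, server).values())
    bound_high = high_ports(netstat_udp_ports(netstat_text))
    return {
        "query_ports": sorted(query_ports),
        "bound_high_ports": sorted(bound_high),
        "overlap": sorted(query_ports & bound_high),
        "all_replies_matched": all(ok for _, _, ok in replies_matched(packets, server)),
    }


if __name__ == "__main__":
    print(correlate())
```

Run against the thread's own capture this reports four outgoing queries, each from a different source port (5506, 29536, 32120, 62016), none of which appears among the two high ports (35254, 42663) that netstat showed bound after the query finished, which is the observation Alan made. The reply check is the part worth keeping around: a reply that carries the right transaction ID but arrives on a port the resolver never sent that query from is reported with ok False, so the same script flags the kind of stray or spoofed reply that port-and-ID matching is meant to reject.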