From owner-freebsd-questions Tue Jan 28 7:12:29 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1726D37B401 for ; Tue, 28 Jan 2003 07:12:27 -0800 (PST)
Received: from mail4.atl.registeredsite.com (mail4.atl.registeredsite.com [64.224.219.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5C0B43E4A for ; Tue, 28 Jan 2003 07:12:20 -0800 (PST) (envelope-from admin@asarian-host.net)
Received: from asarian-host.net (asarian-host.net [216.122.74.112]) by mail4.atl.registeredsite.com (8.12.2/8.12.6) with ESMTP id h0SFCEm8022563 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for ; Tue, 28 Jan 2003 10:12:14 -0500
Comments: To protect the identity of the sender, certain header fields are either not shown, or masked. Anonymous email addresses for asarians can be requested by filling in the appropriate form at: https://asarian-host.net/cgi-bin/signup.cgi
Received: (from root@localhost) by asarian-host.net (8.11.6/8.11.0) id h0SFCET91750 for freebsd-questions@freebsd.org; Tue, 28 Jan 2003 16:12:14 +0100 (CET) (envelope-from admin@asarian-host.net)
Posted-Date: Tue, 28 Jan 2003 16:12:14 +0100 (CET)
From: Mark
Message-Id: <200301281512.H0SFC1991673@asarian-host.net>
Date: Tue, 28 Jan 2003 16:11:51 +0100
X-Authenticated-Sender: admin@asarian-host.net
Subject: Re: How to stop BIND from using high ports?
X-Trace: h60m5PeGIAZddunXuLgcAI0mqXvwIjVrLSGMd4k2R7gGZphmjOyE8a9+SyiV3aXF
X-Complaints-To: abuse@asarian-host.net
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we are unable to process your complaint
Organization: Asarian-host
To: "Matthew Seaman" ,
References: <200301281029.H0SATM937146@asarian-host.net> <20030128125210.GB20406@happy-idiot-talk.infracaninophi>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Auth: Asarian-host PGP signature
 iQEVAwUAPjadzjFqW1BleBN9AQHVswf/cNxCvqYdZD+2/a77iLsE83Kuc3BdQ2Mz
 W+8J1jnuuxJgjSFA1NAWCZGKbuSVA/I8+W6E/KSz3kaG7WKSndDi+Dm3mNzc4wZq
 5rzUkSobjDdPjZReaZfiFnq50dq8brL25WY1LHplZZ2mwvxWZIxFU8RadmAVzumX
 SipyumBKiUJ1XNES3x9Q6/4f8A7NeNlhaPP5SiV+hBpACjPucJ6ugvABP2CQEnVU
 ZscgzzK1mKwUBLpRlGxamlAB9TqGNwy6GNiE7TgX1Kpwnk5Q8jY8c9+BR48Ys+GE
 YQ0lGguA8u33O72PoodRRYwvi/yWAveGujH5KYh+bJIpxdP/MGaV7A==
 =Fijl
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

----- Original Message -----
From: "Matthew Seaman"
To:
Sent: Tuesday, January 28, 2003 1:52 PM
Subject: Re: How to stop BIND from using high ports?

> On Tue, Jan 28, 2003 at 11:29:28AM +0100, Mark wrote:
>
> > I am having a bit of a problem. One might say, a serious problem. :(
> > When other servers query my name servers, they send queries with a
> > source port of 53; but apparently my BIND (8.3.4) is responding from
> > a high port (seemingly random). And this is causing some trouble. :(
> > How can I prevent that??
> >
> > In my "options" section I have
> >
> > query-source address * port 53;

Hi Matthew,

Yours was a very useful reply. :) I truly appreciate your time and effort
here. And your dynamic rules were equally useful.

> Looks right to me. You might also want to investigate:
>
> transfer-source 81.2.69.218 port 53;
> notify-source 81.2.69.218 port 53;
>
> if you have off-site secondaries. Check that the syntax is correct
> for Bind8 --- I just copied that out of my Bind9 config.

I don't think you can specify a port for "transfer-source" in BIND 8.x, but
as I only allow XFRs from trusted parties, this should not be an issue, I
think.

> > But my log is filled with entries like these:
> >
> > Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0
> > Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
> > Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
> >
> > Which seems to suggest that for outgoing UDP a random high port is
> > being used. :( And I do not understand why. :(

> I assume that 10.0.0.2 is the IP number of your DNS machine.

Yes.

> Then it would appear to be doing exactly what it's been told to. All the
> replies it sends have the source IP address of the machine and the
> *source* port 53.

You know what? You are absolutely right. :) I guess I read it wrong, in my
panic (kernel is not the only one prone to panic attacks).

Problem is, an ISP in Australia cannot resolve me; and, as I wrote the
admin, he responded:

"Our name servers are configured to send queries with a source port of 53
.. but when we do so, you respond from a high port? ... I suspect that bind
is throwing away your replies because they don't match the expected
response ip/port combination."

I tried to resolve my domain name via their name server
("ns1.optusnet.com.au" = 203.2.75.2), and, indeed, that fails. He gave me
the following log entries, though:

--[ with src port = 53 ]--------
15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain: [udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain: 6636*- q: A?

Here it seems my BIND is indeed replying with a source port of 34336. Very
peculiar. I have no idea how this is possible. :(

Again, thank you for your time and energy. If you have any more bright
ideas, not meant sarcastically, be sure to tell me. :)

- Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
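The reply-port check the two admins are doing by eye above, as an added example that is not part of the original thread and not code from the BIND project: a small Python script that reads tcpdump lines in the layout quoted in the message, pairs each DNS query with its reply by transaction ID and reversed address pair, and flags replies that do not come back from the port the query was sent to (the 6636 exchange above is exactly such a case). It also reads ipfw log lines in the `Accept UDP src:port dst:port out via iface` form quoted earlier and lists outbound UDP from the name server that is not sourced from port 53. The sample lines are the ones quoted in the thread plus one constructed healthy exchange and one constructed high-port ipfw line; the `SERVICE_PORTS` table, the regexes and the function names are assumptions made for this example.

```python
import re

# Constructed sample input: the two tcpdump lines quoted in the thread, followed
# by a second, healthy exchange (constructed) whose reply does come from port 53.
SAMPLE_TCPDUMP = """\
15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain: [udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain: 6636*- q: A?
15:33:04.105512 210.49.20.142.domain > 194.109.160.70.domain: [udp sum ok] 6637 A? example.net. [|domain] (ttl 64, id 13044, len 58)
15:33:04.301877 194.109.160.70.domain > 210.49.20.142.domain: 6637*- q: A?
"""

# Constructed sample input: the three ipfw lines quoted in the thread plus one
# constructed line showing what a reply leaving from a high port would look like.
SAMPLE_IPFW = """\
Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0
Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
Accept UDP 10.0.0.2:34336 203.2.75.2:53 out via rl0
"""

# tcpdump prints well-known ports by service name; only "domain" matters here
# (assumed table for this example).
SERVICE_PORTS = {"domain": 53}

# "<ts> <src>.<sport> > <dst>.<dport>: [udp sum ok] <id> ..." as shown in the thread
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+):\s+"
    r"(?:\[udp sum ok\]\s+)?(?P<id>\d+)"
)

# "Accept UDP src:port dst:port out via rl0" as shown in the thread
IPFW_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\w+)"
)


def port_number(token):
    """Turn a tcpdump port token ('domain' or '34336') into an int."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def find_port_mismatches(text):
    """Pair DNS queries with replies by ID and reversed addresses, and flag
    replies whose source port differs from the port the query was sent to.

    Returns a list of (dns_id, responder_ip, expected_port, actual_port).
    """
    pending = {}    # (id, query_src, query_dst) -> port the query was sent to
    mismatches = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        dns_id = int(m["id"])
        src, dst = m["src"], m["dst"]
        sport, dport = port_number(m["sport"]), port_number(m["dport"])
        # A reply is a line whose ID we already saw travelling the other way.
        key = (dns_id, dst, src)
        if key in pending:
            expected = pending.pop(key)
            if sport != expected:
                mismatches.append((dns_id, src, expected, sport))
        else:
            pending[(dns_id, src, dst)] = dport
    return mismatches


def ipfw_non53_sources(text, dns_host):
    """List outbound UDP packets from dns_host that are not sourced from port 53.

    Returns a list of (source_port, destination_ip).
    """
    hits = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if not m or m["proto"] != "UDP" or m["dir"] != "out":
            continue
        if m["src"] == dns_host and int(m["sport"]) != 53:
            hits.append((int(m["sport"]), m["dst"]))
    return hits


if __name__ == "__main__":
    for dns_id, ip, want, got in find_port_mismatches(SAMPLE_TCPDUMP):
        print(f"id {dns_id}: reply from {ip} left port {got}, query went to port {want}")
    for sport, dst in ipfw_non53_sources(SAMPLE_IPFW, "10.0.0.2"):
        print(f"outbound UDP to {dst} sourced from port {sport}, not 53")
```

Run over the thread's own lines, the tcpdump check reports the 6636 reply leaving 194.109.160.70 from port 34336 while the query went to port 53, and the ipfw check reports nothing for the three quoted lines (they are all sourced from port 53, as Matthew points out); only the constructed fourth line is flagged. Capturing on both the name server and the far side, as the Australian admin did, and comparing the two outputs is what separates a BIND configuration problem from something rewriting the packet between them.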