From: Xin LI
Organization: The FreeBSD Project
Date: Fri, 12 Nov 2010 13:56:08 -0800
To: "freebsd-net@freebsd.org"
Subject: named: client (a broadcast address)#(port): error sending response: permission denied
Message-ID: <4CDDB7F8.4050005@delphij.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Since I have seen this issue resolved nowhere within Google results, I would like to post it here for future reference - its cause, how to work around it. Thanks to rwatson@ for his expertise.

This is what I have seen on my own system:

    Nov 11 19:13:02 tarsier named[21464]: client 211.166.10.255#38500: error sending response: permission denied

Which happens very frequently.

======

The cause: Some other system on the same subnet produced a DNS query, claiming to be from the IP broadcast address (either full 1's or full 0's from the same subnet), and unicast it to the system running a DNS service.

named(8), in turn, attempts to respond to the DNS query. When sending out the response packet, the destination IP address would be that IP broadcast address. The FreeBSD implementation (also other TCP/IP stacks I am aware of) does not permit this unless the socket has SO_BROADCAST set, according to the sendmsg(2) manual page. This EACCES would result in the message "error sending response: permission denied".

Basically our TCP/IP stack is doing the right thing.

======

The workaround is to filter out the traffic from the offending host. I am not yet aware of which operating system did that.

Another workaround is to patch named (contrib/bind9/bin/named/client.c) around the log and disable the whole log thing.

======

The fix is to either fix the offending host or remove it.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
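An added example, not part of the original post: a Python scan of named(8) log lines in the format quoted above that counts the "permission denied" errors whose client address is a broadcast address (all 1's or all 0's in the host part, or 255.255.255.255), which confirms the cause described before a filter rule is written. The /24 prefix for the server's subnet and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Log format as quoted in the post (named(8) via syslog).
LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"error sending response: permission denied")

def classify(ip, local_nets):
    """Return why `ip` is a broadcast source address, or None if it is not."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None  # malformed address in the log line
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    for net in local_nets:
        if net.prefixlen >= 31:
            continue  # /31 and /32 have no broadcast addresses
        if addr == net.broadcast_address:
            return f"all-ones broadcast of {net}"
        if addr == net.network_address:
            return f"all-zeros broadcast of {net}"
    return None

def scan(lines, local_nets):
    """Count matching log lines per (client address, reason)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        reason = classify(m.group("ip"), local_nets) if m else None
        if reason:
            hits[(m.group("ip"), reason)] += 1
    return hits

# Assumption: the server's subnet is a /24; the post does not state the prefix.
LOCAL_NETS = [ipaddress.ip_network("211.166.10.0/24")]
PFX = " tarsier named[21464]: client "
ERR = ": error sending response: "
SAMPLE_LOG = [
    "Nov 11 19:13:02" + PFX + "211.166.10.255#38500" + ERR + "permission denied",  # from the post
    "Nov 11 19:13:05" + PFX + "211.166.10.255#38501" + ERR + "permission denied",  # constructed
    "Nov 11 19:13:09" + PFX + "211.166.10.0#40112" + ERR + "permission denied",    # constructed
    "Nov 11 19:14:11" + PFX + "211.166.10.77#5353" + ERR + "permission denied",    # constructed, unicast
    "Nov 11 19:15:40" + PFX + "211.166.10.77#5354" + ERR + "host unreachable",     # constructed, other error
]

if __name__ == "__main__":
    for (ip, reason), count in scan(SAMPLE_LOG, LOCAL_NETS).items():
        print(f"{count:4d}  {ip:15s}  {reason}")
```

A "permission denied" line with a unicast client address is left uncounted, since it is not the case the post describes.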