Date:      Tue, 28 Jan 2003 16:31:45 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: How to stop BIND from using high ports?
Message-ID:  <20030128163145.GB22731@happy-idiot-talk.infracaninophi>
In-Reply-To: <200301281512.H0SFC1991673@asarian-host.net>
References:  <200301281029.H0SATM937146@asarian-host.net> <20030128125210.GB20406@happy-idiot-talk.infracaninophi> <200301281512.H0SFC1991673@asarian-host.net>


On Tue, Jan 28, 2003 at 04:11:51PM +0100, Mark wrote:
> ----- Original Message -----
> From: "Matthew Seaman" <m.seaman@infracaninophile.co.uk>
> To: <freebsd-questions@FreeBSD.ORG>
> Sent: Tuesday, January 28, 2003 1:52 PM
> Subject: Re: How to stop BIND from using high ports?
>
>
> > On Tue, Jan 28, 2003 at 11:29:28AM +0100, Mark wrote:
>
> > I assume that 10.0.0.2 is the IP number of your DNS machine.
>
> Yes.
>
> > Then it would appear to be doing exactly what it's been told to. All the
> > replies it sends have the source IP address of the machine and the
> > *source* port 53.
>
> You know what? You are absolutely right. :) I guess I read it wrong, in my
> panic (kernel is not the only one prone to panic attacks).
>
> Problem is, an ISP in Australia cannot resolve me; and, as I wrote the
> admin, he responded:
>
> "Our name servers are configured to send queries with a source port of 53 ..
> but when we do so, you respond from a high port? ... I suspect that bind is
> throwing away your replies because they don't match the expected response
> ip/port combination."
>
> I tried to resolve my domain name via their name server
> ("ns1.optusnet.com.au" = 203.2.75.2), and, indeed, that fails. He gave me
> the following log entries, though:
>
> --[ with src port = 53 ]--------
> 15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain:  [udp sum ok]
> 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
> 15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain:  6636*- q: A?
>
> Here it seems my BIND is indeed replying with a source port of 34336. Very
> peculiar. I have no idea how this is possible. :(

Is your nameserver perhaps behind a NAT gateway?  Does this option
from the natd(8) man page seem relevant to you?

     -same_ports | -m
                 Try to keep the same port number when altering outgoing
                 packets.  With this option, protocols such as RPC will have a
                 better chance of working.  If it is not possible to maintain
                 the port number, it will be silently changed as per normal.

I've seen a similar effect with NTP passing through a NAT'ing firewall
before now.  NTP expects both source and destination ports to be 123,
and it got perplexed by packets sent to port 123 apparently from some high
numbered port.

The -same_ports option will mostly work, but the only completely
effective answer is to provide nameservice from an internet registered
address.  As it seems that ns1.asarian-host.net and
ns2.asarian-host.net are both the same machine (or at least, are
sharing the same IP address) which is therefore your one and only
registered IP number and probably your NAT gateway, I think your best
bet is to find someone on a different part of the net to 2ary for you.
If your ISP won't do it or is too expensive, look at
eg. http://www.gradwell.com/services/sec_dns.cfm?cfid=258474&cftoken=21163252

(Which, I happen to know, is hosted on FreeBSD boxes)

You can always set up your machine as domain master (so you control
the content), but register the domain using a couple of well connected
secondary NS's (which will get all the traffic).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
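The port check the Optus admin describes, run over tcpdump lines like the ones quoted in the thread, as an added example that is not part of this thread and is not BIND or natd code: it pairs each query with its reply by DNS ID and the two endpoint addresses, then flags any reply whose UDP source port differs from the port the query was sent to (the symptom a NAT without -same_ports produces). The capture text is constructed (the two lines quoted above plus an invented well-behaved pair); the port-name table and the query/response heuristic are assumptions about classic tcpdump DNS output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two tcpdump lines quoted in the thread, followed by
# an invented exchange in which the reply correctly comes back from port 53.
SAMPLE_CAPTURE = """\
15:33:03.472128 210.49.20.142.domain > 194.109.160.70.domain:  [udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 194.109.160.70.34336 > 210.49.20.142.domain:  6636*- q: A?
15:34:10.100000 210.49.20.142.domain > 194.109.160.70.domain:  [udp sum ok] 7001 A? example.net. [|domain] (ttl 64, id 13100, len 58)
15:34:10.350000 194.109.160.70.domain > 210.49.20.142.domain:  7001*- q: A?
"""

# Service names tcpdump prints when run without -n (assumed subset).
NAMED_PORTS = {"domain": 53, "ntp": 123}

# One tcpdump DNS-over-UDP line: "ts src.sport > dst.dport: [udp sum ok] id[flags] rest"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):\s+"
    r"(?:\[udp sum \w+\]\s+)?"
    r"(?P<id>\d+)(?P<flags>[*+|$-]*)\s+(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: int
    is_response: bool


@dataclass
class Finding:
    dns_id: int
    server: str
    expected_sport: int   # the port the query was addressed to
    actual_sport: int     # the port the reply actually came from

    @property
    def ok(self) -> bool:
        # A stateful resolver only accepts the reply if this holds.
        return self.expected_sport == self.actual_sport


def _port(token: str) -> int:
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, rest = m["flags"], m["rest"]
    # Heuristic for classic tcpdump output (assumption): responses carry the
    # AA/RA/AD markers (*, -, $) after the id, or start with "q:" / "n/m/k"
    # answer counts; queries show the question ("A? name") directly.
    is_response = (
        any(c in flags for c in "*-$")
        or rest.startswith("q:")
        or re.match(r"\d+/\d+/\d+", rest) is not None
    )
    return Packet(m["ts"], m["src"], _port(m["sport"]),
                  m["dst"], _port(m["dport"]), int(m["id"]), is_response)


def check_reply_ports(capture: str) -> List[Finding]:
    """Pair queries with replies and report the source port of each reply."""
    pending: Dict[Tuple[int, str, str], Packet] = {}
    findings: List[Finding] = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if not pkt.is_response:
            pending[(pkt.dns_id, pkt.src, pkt.dst)] = pkt
            continue
        # The reply's src/dst are the query's dst/src.
        query = pending.pop((pkt.dns_id, pkt.dst, pkt.src), None)
        if query is None:
            continue  # unsolicited or out-of-order reply; not our concern here
        findings.append(Finding(pkt.dns_id, pkt.src, query.dport, pkt.sport))
    return findings


if __name__ == "__main__":
    for f in check_reply_ports(SAMPLE_CAPTURE):
        state = "ok" if f.ok else "MISMATCH (NAT rewrote the source port?)"
        print(f"id {f.dns_id}: {f.server} replied from port {f.actual_sport}, "
              f"query went to port {f.expected_sport}: {state}")
```

On the quoted capture the script reports a mismatch for ID 6636 (query to 53, reply from 34336) and a clean exchange for the invented ID 7001, which is exactly the evidence the Optus admin used. Run against a real capture, it separates "BIND is misconfigured" from "something between BIND and the Internet is rewriting ports", which is the distinction the reply above makes.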


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030128163145.GB22731>