On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:
> maybe the admin set that up to force local servers using random ports,
> instead of 53, for outgoing requests. Nobody should use port 53 for
> _outgoing_ requests.
You're wrong. A name server can use any source port from 1 up to 65535 for an outgoing query, as long as that port is not in use by any other process on the system. In fact, up until Kaminsky's revelation, many BIND servers used a fixed source port of 53.

>> bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>> 09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>> 09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>> 09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A?
>> www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>>
>> ; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com
>> @svr-b003.dubaiairport.com
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>> bsdi#

There appear to be firewalls in front of the name servers of dubaiairport.com which drop all queries with a source port less than 1024. I just tried several queries with low-numbered source ports, and they all failed until I got to 1024. Then they began replying to all my queries.

Babu Dheen, if you're reading this, take note. The problem has been identified. Find a contact at dubaiairport.com, and tell him to fix his firewall.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users