----- Original Message -----
From: "Matthew Seaman" <[EMAIL PROTECTED]>
Sent: Tuesday, January 28, 2003 1:52 PM
Subject: Re: How to stop BIND from using high ports?

> On Tue, Jan 28, 2003 at 11:29:28AM +0100, Mark wrote:
> > I am having a bit of a problem. One might say, a serious problem. :(
> > When other servers query my name servers, they send queries with a
> > source port of 53; but apparently my BIND (8.3.4) is responding from
> > a high port (seemingly random). And this is causing some trouble. :(
> > How can I prevent that??
> >
> > In my "options" section I have
> >
> > query-source address * port 53;

Hi Matthew,

Yours was a very useful reply. :) I truly appreciate your time and effort
here. And your dynamic rules were equally useful.

> Looks right to me. You might also want to investigate:
>    transfer-source port 53;
>    notify-source port 53;
> if you have off-site secondaries. Check that the syntax is correct
> for Bind8 --- I just copied that out of my Bind9 config.

I don't think you can specify a port for "transfer-source" in BIND 8.x, but
as I only allow XFRs from trusted parties, this should not be an issue, I

> > But my log is filled with entries like these:
> >
> > Accept UDP out via rl0
> > Accept UDP out via rl0
> > Accept UDP out via rl0
> >
> > Which seems to suggest that for outgoing UDP a random high port is
> > being used. :( And I do not understand why. :(

> I assume that is the IP number of your DNS machine.


> Then it would appear to be doing exactly what it's been told to. All the
> replies it sends have the source IP address of the machine and the
> *source* port 53.

You know what? You are absolutely right. :) I guess I read it wrong, in my
panic (kernel is not the only one prone to panic attacks).

Problem is, an ISP in Australia cannot resolve me; and, as I wrote the
admin, he responded:

"Our name servers are configured to send queries with a source port of 53 ..
but when we do so, you respond from a high port? ... I suspect that bind is
throwing away your replies because they don't match the expected response
ip/port combination."

I tried to resolve my domain name via their name server
("ns1.optusnet.com.au" =, and, indeed, that fails. He gave me
the following log entries, though:

--[ with src port = 53 ]--------
15:33:03.472128 >  [udp sum ok]
6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 >  6636*- q: A?

Here it seems my BIND is indeed replying with a source port of 34336. Very
peculiar. I have no idea how this is possible. :(

Again, thank you for your time and energy. If you have any more bright
ideas, not meant sarcastically, be sure to tell me. :)

- Mark
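The mismatch the Optus admin describes, a reply arriving from a port other than the one the query was sent to, can be checked mechanically from a tcpdump log. Here is an added Python example (not part of the thread) that pairs query and reply lines by DNS transaction id and flags replies whose source port differs from the query's destination port; the log lines and addresses are constructed, following the old tcpdump layout quoted above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (documentation-range addresses, not real hosts).
# Pair 6636: queried at port 53, reply comes back from port 34336.
# Pair 6637: reply comes back from port 53, as query-source intends.
SAMPLE_LOG = """\
15:33:03.472128 203.0.113.10.53 > 198.51.100.5.53: [udp sum ok] 6636 A? asarian-host.net. (34)
15:33:03.802488 198.51.100.5.34336 > 203.0.113.10.53: [udp sum ok] 6636*- q: A? asarian-host.net. 1/2/2 (150)
15:33:04.101010 203.0.113.10.53 > 198.51.100.5.53: [udp sum ok] 6637 MX? asarian-host.net. (34)
15:33:04.301010 198.51.100.5.53 > 203.0.113.10.53: [udp sum ok] 6637*- q: MX? asarian-host.net. 1/2/2 (150)
"""

# timestamp src.port > dst.port: [udp sum ok] txid ...
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\w.-]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.-]+)\.(?P<dport>\d+):\s*(?:\[udp sum ok\]\s*)?(?P<txid>\d+)"
)

def parse_line(line: str) -> Optional[Tuple[str, int, str, int, int]]:
    """Return (src, sport, dst, dport, txid), or None for non-DNS lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["txid"]))

def find_port_mismatches(log: str) -> List[dict]:
    """Pair each reply with its query by (txid, addresses) and report replies
    whose source port is not the port the query was sent to. A resolver that
    expects the answer from port 53 will drop such a reply."""
    queries = {}   # (txid, query src, query dst) -> (query sport, query dport)
    findings = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, txid = parsed
        # A reply travels in the opposite direction of its query.
        query = queries.pop((txid, dst, src), None)
        if query is None:
            queries[(txid, src, dst)] = (sport, dport)
            continue
        q_sport, q_dport = query
        if sport != q_dport or dport != q_sport:
            findings.append({"txid": txid, "server": src,
                             "expected_src_port": q_dport, "reply_src_port": sport})
    return findings

if __name__ == "__main__":
    for f in find_port_mismatches(SAMPLE_LOG):
        print(f"txid {f['txid']}: {f['server']} replied from port {f['reply_src_port']}, "
              f"query was sent to port {f['expected_src_port']}")
```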

