----- Original Message -----
From: "Matthew Seaman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 28, 2003 1:52 PM
Subject: Re: How to stop BIND from using high ports?

> On Tue, Jan 28, 2003 at 11:29:28AM +0100, Mark wrote:
>
> > I am having a bit of a problem. One might say, a serious problem. :(
> > When other servers query my name servers, they send queries with a
> > source port of 53; but apparently my BIND (8.3.4) is responding from
> > a high port (seemingly random). And this is causing some trouble. :(
> > How can I prevent that??
> >
> > In my "options" section I have
> >
> > query-source address * port 53;

Hi Matthew,

Yours was a very useful reply. :) I truly appreciate your time and effort
here. And your dynamic rules were equally useful.

> Looks right to me. You might also want to investigate:
>
> transfer-source 184.108.40.206 port 53;
> notify-source 220.127.116.11 port 53;
>
> if you have off-site secondaries. Check that the syntax is correct
> for Bind8 --- I just copied that out of my Bind9 config.

I don't think you can specify a port for "transfer-source" in BIND 8.x,
but as I only allow XFRs from trusted parties, this should not be an
issue, I think.

> > But my log is filled with entries like these:
> >
> > Accept UDP 10.0.0.2:53 18.104.22.168:53 out via rl0
> > Accept UDP 10.0.0.2:53 22.214.171.124:32852 out via rl0
> > Accept UDP 10.0.0.2:53 126.96.36.199:32852 out via rl0
> >
> > Which seems to suggest that for outgoing UDP a random high port is
> > being used. :( And I do not understand why. :(
>
> I assume that 10.0.0.2 is the IP number of your DNS machine.

Yes.

> Then it would appear to be doing exactly what it's been told to. All the
> replies it sends have the source IP address of the machine and the
> *source* port 53.

You know what? You are absolutely right. :) I guess I read it wrong, in my
panic (kernel is not the only one prone to panic attacks).

Problem is, an ISP in Australia cannot resolve me; and, as I wrote the
admin, he responded:

"Our name servers are configured to send queries with a source port of 53
.. but when we do so, you respond from a high port? ... I suspect that
bind is throwing away your replies because they don't match the expected
response ip/port combination."

I tried to resolve my domain name via their name server
("ns1.optusnet.com.au" = 188.8.131.52), and, indeed, that fails. He gave
me the following log entries, though:

--[ with src port = 53 ]--------
15:33:03.472128 184.108.40.206.domain > 220.127.116.11.domain: [udp sum ok] 6636 A? asarian-host.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 18.104.22.168.34336 > 22.214.171.124.domain: 6636*- q: A?

Here it seems my BIND is indeed replying with a source port of 34336. Very
peculiar. I have no idea how this is possible. :(

Again, thank you for your time and energy. If you have any more bright
ideas, not meant sarcastically, be sure to tell me. :)

- Mark
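The confusion in this thread comes from reading the firewall log: in the "Accept UDP a:p b:q out via rl0" lines the first address:port is the source, as Matthew points out, while the tcpdump line from the ISP genuinely shows a reply leaving from port 34336. The following checker, added here as an example and not part of the thread or of BIND, parses both formats (the ipfw-style accept lines and tcpdump's "src.port > dst.port:" lines, where tcpdump prints port 53 by its service name "domain"), tallies which source ports the DNS host actually used for outbound UDP, and lists any packet it sent from a port other than the one query-source is supposed to pin. The sample lines and the addresses in them (10.0.0.2 as the name server, 192.0.2.x peers) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample data modelled on the two log formats quoted in the thread.
# 10.0.0.2 plays the name server; 192.0.2.x are documentation-range peers.
IPFW_SAMPLE = """\
Accept UDP 10.0.0.2:53 192.0.2.10:53 out via rl0
Accept UDP 10.0.0.2:53 192.0.2.11:32852 out via rl0
Accept UDP 10.0.0.2:34336 192.0.2.12:53 out via rl0
Accept TCP 10.0.0.2:22 192.0.2.13:51000 out via rl0
"""

TCPDUMP_SAMPLE = """\
15:33:03.472128 192.0.2.10.domain > 10.0.0.2.domain: [udp sum ok] 6636 A? example.net. [|domain] (ttl 64, id 13043, len 62)
15:33:03.802488 10.0.0.2.34336 > 192.0.2.10.domain: 6636*- q: A?
15:33:04.100000 10.0.0.2.domain > 192.0.2.11.domain: 6637*- q: A?
"""

# "Accept UDP <src>:<sport> <dst>:<dport> out via <iface>"
IPFW_RE = re.compile(
    r"^Accept\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# "<timestamp> <src>.<sport> > <dst>.<dport>: ..." where a port may be a service name
TCPDUMP_RE = re.compile(
    r"^\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):"
)


def _port(token):
    """tcpdump prints well-known ports by name; map 'domain' back to 53."""
    return 53 if token == "domain" else int(token)


def parse_ipfw(text):
    """Yield (src, sport, dst, dport) for UDP accept lines; other lines are skipped."""
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m and m.group("proto") == "UDP":
            yield (m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")))


def parse_tcpdump(text):
    """Yield (src, sport, dst, dport) for every tcpdump line that has a src > dst header."""
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            yield (m.group("src"), _port(m.group("sport")),
                   m.group("dst"), _port(m.group("dport")))


def source_port_usage(packets, dns_host):
    """Count the source ports dns_host used for its outbound packets.
    With query-source pinned to port 53, the result should contain only key 53."""
    return Counter(sport for src, sport, _, _ in packets if src == dns_host)


def high_port_replies(packets, dns_host, expected=53):
    """Packets dns_host sent from a port other than the expected one; these are the
    replies a peer that pins its query source to port 53 may discard."""
    return [p for p in packets if p[0] == dns_host and p[1] != expected]


if __name__ == "__main__":
    server = "10.0.0.2"
    for name, pkts in (("ipfw", list(parse_ipfw(IPFW_SAMPLE))),
                       ("tcpdump", list(parse_tcpdump(TCPDUMP_SAMPLE)))):
        print(f"{name}: source ports used by {server} -> {dict(source_port_usage(pkts, server))}")
        for src, sport, dst, dport in high_port_replies(pkts, server):
            print(f"  non-53 source port: {src}:{sport} -> {dst}:{dport}")
```

Run against real logs, feed the ipfw lines or the tcpdump output through the matching parser and look at the Counter: a name server whose query-source is honoured shows only port 53, while any other key identifies exactly the packets the remote resolver would reject.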