With the advent of NSD which in normal operations would be configured to
not even use port 53, and a dilemma (noted below), I had a need to try and
query NSD directly on a port other than port 53.
I could not do such tests from an OpenBSD machine because in 6.0, the port
command on 'nslookup' is disabled and the option 'p', -pPORT#, on 'dig' is
tweaked to not change anything. See further below.
In my case, I was seeking proof that an ISP was blocking port 53 traffic.
While I could 'rdr-to' any port I wanted in my efforts to help diagnose
the problem and prove that the issue was the ISP and not my 'nsd' or 'pf'
configuration, querying with a 6.0 OpenBSD 'dig' was fruitless. Luckily I
had a Linux machine which could query any port I wanted and I could then
let 'pf' on the firewall map from any weird port number, say 12053, 10053,
or even 8080 to the port on which NSD was listening. Any port except 53
worked. I then knew that my configuration was not at fault. I had already
proven that my 'pf' configuration was not blocking port 53 but I am a
novice using 'nsd' and its idea of listening on a port other than 53 and
having the local caching nameserver 'unbound' querying it on that port.
Handling external machines which want to use 53 is easy, 'pf' redirect of
external DNS traffic to that same NSD port. I eventually found an old
OpenBSD box which has a version of dig which did allow '-pPORT#'.
It turns out that the ISP was blocking ports 53 (and 139 but nothing else)
for some weird reason, even though the ISP said they were not blocking any
ports. The ISP's internal systems let them block a whole range of ports
like 25, 53, 80, 8080 for non-business, i.e. 'residential', customers.
But for a 'business' account, for which they charge a premium, they leave
all ports open and let the user sort out protection or do whatever they
want. So my problem was solved.
Anyway, my question is, should we limit nslookup or dig to querying solely
on port 53? I notice that the difference between an old version of OpenBSD
dig which allows the '-pPORT#', and that of '6.0' which does not, is just
#include <unistd.h>
151d151
< " -p port (specify port number)\n"
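Review bot: dropping the `-p port (specify port number)` help line while the option itself is still parsed (the next hunk still reads `-p` and only rejects values other than 53) leaves `-p` undocumented but functional, so usage text and parser disagree; either keep the help line and state the 53-only restriction in it, or reject the option outright.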
1194c1194,1197
< port = (in_port_t) parse_uint(value, "port number", MAXPORT);
---
if (parse_uint(value, "port number", MAXPORT) != 53) {
fprintf(stderr, ";; Error, only port 53 supported\n");
exit(1);
}
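Review bot: the replaced line `port = (in_port_t) parse_uint(value, "port number", MAXPORT);` is the only place the parsed value was stored, so after this change the `-p` argument is parsed, compared with 53 and discarded, and `port` keeps its default; that is correct only as long as the default is 53, and a reader of the error `;; Error, only port 53 supported` gets no hint why. Suggest stating the reason in the message (the restriction goes with the `dns` promise pledged later in this diff) so the check is not mistaken for a bug.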
1755a1759,1763
if (pledge("stdio rpath dns", NULL) == -1) {
perror("pledge");
exit(1);
}
1762a1771,1776
if (pledge("stdio dns", NULL) == -1) {
perror("pledge");
exit(1);
}
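Review bot: this second call narrows the promises from `stdio rpath dns` (previous hunk, line 1759) to `stdio dns`, dropping `rpath`, which is the right direction, but the diff shows nothing between the two calls; confirm that every file open (resolver configuration, key or batch input files) happens before line 1771, since any read attempted after this pledge is a pledge violation rather than a graceful failure. The `perror("pledge"); exit(1);` handling matches the first call, which is good.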
Maybe I need more enlightening on my poor understanding of pledge as to
why restricting the port number to only 53 is needed.
Thanks - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
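The workaround described in the post, querying a nameserver on a port other than 53 to tell a filtered port apart from a misconfigured server, can be done without dig or nslookup. The following is an added example, not code from the original message or from OpenBSD; it builds a minimal RFC 1035 A query, sends it over UDP to a server and port of the caller's choosing, and parses the reply. The server address, port and name are parameters; the embedded reply packet is constructed for the offline check, not captured from a real server.

```python
import socket
import struct

QTYPE_A = 1      # RFC 1035 type A
QCLASS_IN = 1    # RFC 1035 class IN


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Build a minimal DNS query: header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(packet: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Return the RCODE and the A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(packet, offset)
        offset += 4      # qtype + qclass
    addresses = []
    for _ in range(an):
        _, offset = _read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "answers": addresses}


def query(server: str, port: int, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to server:port (any port, not only 53) and parse the reply.

    A socket.timeout here, with the same query answered on another port,
    points at filtering on the path rather than at the server's configuration.
    """
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed sample reply (not captured from a real server): the answer to
# "example.test A" with one record 192.0.2.1, the answer name being a
# compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py SERVER PORT NAME   (e.g. 192.0.2.53 12053 example.test)
    server, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    try:
        print(query(server, port, name))
    except socket.timeout:
        print(f"no reply from {server}:{port} (filtered on the path, or server not listening)")
```

Run the same query twice, once against port 53 and once against a pf-redirected port such as the 12053 mentioned above: an answer on the odd port and a timeout on 53 isolates the filter to the path, which is the conclusion the post reaches by hand.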