query source oddity

Jim Reid jim at rfc1035.com
Fri Dec 17 21:02:21 UTC 1999


>>>>> "Daniel" == Daniel Baird <daniel at optus.net.au> writes:

    Daniel> 192.65.x.x is my home server running 8.2.2-P5 WITHOUT the
    Daniel> query source directive 202.139.x.x is a name server
    Daniel> running 8.2.2-P5 WITH the query source directive

    Daniel> [query from 192.65.x.x to 202.139.x.x] 
    Daniel> 192.65.x.x.1083 > 202.139.x.x.domain: 22516+ (45)
    Daniel> 202.139.x.x.domain > 192.65.x.x.1083: 22516* 1/3/3 (259) (DF)
    Daniel> 192.65.x.x.1083 >202.139.x.x.domain: 63672+ (44)
    Daniel> 202.139.x.x.domain > 192.65.x.x.1083: 63672* 1/4/4 (249) (DF)
    Daniel> 192.65.x.x.1083 > 202.139.x.x.domain: 45154+ (44) 
    Daniel> 202.139.x.x.domain >192.65.x.x.1083: 45154* 1/2/2 (180) (DF)

    Daniel> [query from 202.139.x.x to 192.65.x.x] 
    Daniel> 202.139.x.x.domain > 192.65.x.x.domain: 40059 SOA? tristre.com. (29) (DF)
    Daniel> 192.65.x.x.domain > 202.139.x.x.domain: 40059* 1/2/2 (167)

The above tcpdump output is consistent with what you've outlined. We
first see queries from some random non-privileged port (1083 in this
case) on 192.65.x.x to 202.139.x.x. [Why hide the addresses?] These
have to go to port 53 on that server obviously. Since 192.65.x.x isn't
using the query-source option, its queries will be sent from a random
non-privileged port number. Each query is followed by a reply from
202.139.x.x to 192.65.x.x. For each reply, the destination and source
addresses and port numbers get swapped. This is how it should be.

The second case shows a query from 202.139.x.x - this time using port
53 - to the name server on 192.65.x.x. This time the outgoing query
uses port 53 because that's what you've configured the name server on
202.139.x.x to do through the query-source clause.

What do you think is wrong? Could you be thinking that the replies
from the other name server are queries?

The second tcpdump output is a little more helpful. "SOA? tristre.com"
indicates that 202.139.x.x asked for the SOA record for that domain.
That query had a query ID of 40059. The "1/2/2" shows that the reply
contained 1 RR in the answer section, 2 in the authority section and 2
in the additional information section. Presumably these are the
zone's SOA record, its 2 NS records and the IP addresses of those name
servers respectively. The (DF) indicates that the Don't Fragment bit
was sent in the packets - it always is in DNS queries. IIRC the number
in parentheses is the query or reply length.
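Jim's walk-through of the tcpdump notation (query ID, the `+`/`*` flags, the an/ns/ar counts, DF, packet length) and his point that replies carry the query's addresses and ports swapped, as an added Python example that is not part of the original message: it parses lines in that notation, pairs each reply with its query by ID with source and destination swapped, and reports which source port each host sends its queries from (a fixed 53 is what the query-source clause produces). The sample lines are constructed, with RFC 5737 addresses standing in for the masked ones.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump DNS notation quoted in the post (RFC 5737 addresses).
SAMPLE = """\
192.0.2.10.1083 >198.51.100.53.domain: 22516+ (45)
198.51.100.53.domain > 192.0.2.10.1083: 22516* 1/3/3 (259) (DF)
198.51.100.53.domain > 192.0.2.10.domain: 40059 SOA? tristre.com. (29) (DF)
192.0.2.10.domain > 198.51.100.53.domain: 40059* 1/2/2 (167)
"""

# src.port > dst.port: id[+*] [QTYPE? name] [an/ns/ar] (len) [(DF)]
LINE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\w+) > ?(?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<flags>[+*]*)(?: (?P<qtype>[A-Z]+)\? (?P<qname>\S+))?"
    r"(?: (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))? \((?P<length>\d+)\)(?P<df> \(DF\))?$"
)

port = lambda p: 53 if p == "domain" else int(p)  # tcpdump prints names for well-known ports

def parse_line(line):
    """Split one tcpdump DNS line into its fields; None if it is not one."""
    if not (m := LINE.match(line.strip())):
        return None
    d = m.groupdict()
    counts = tuple(int(d[k]) for k in ("an", "ns", "ar")) if d["an"] else None
    return {"src": d["src"], "sport": port(d["sport"]), "dst": d["dst"],
            "dport": port(d["dport"]), "id": int(d["id"]), "counts": counts,
            "is_reply": counts is not None, "aa": "*" in d["flags"],  # '*' = authoritative answer
            "qtype": d["qtype"], "qname": d["qname"],
            "length": int(d["length"]), "df": d["df"] is not None}

def pair_transactions(text):
    """Match each reply to its query: same ID, addresses and ports swapped."""
    pending, pairs = {}, []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if not rec["is_reply"]:
            pending[(rec["id"], rec["src"], rec["sport"], rec["dst"], rec["dport"])] = rec
        else:  # look the reply up under the query's (id, src, sport, dst, dport)
            key = (rec["id"], rec["dst"], rec["dport"], rec["src"], rec["sport"])
            pairs.append((pending.pop(key, None), rec))
    return pairs, list(pending.values())  # (query, reply) pairs, queries never answered

def query_source_ports(text):
    """Source port each host queries from; a fixed 53 means query-source is set."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if not rec["is_reply"]:
            ports[rec["src"]].add(rec["sport"])
    return dict(ports)
```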

