Problem with query-source

Neil Gunton neil at nilspace.com
Thu Jan 4 00:17:04 UTC 2001


Hi Mark, thanks for your reply. I checked the message log and actually
it was complaining about syntax errors on the allow-query lines, but it
turned out to just be missing semi-colons before the }. So I tried the
setup again and I am still getting the same behavior. I guess I hadn't
checked that before because by and large my setup has been working ok. I
suppose the syntax errors were not showstoppers as far as bind was
concerned. Anyway, all fixed now.

As for your second point, this is harder to address - or rather, is the
whole point of my question. I have obviously configured my firewall to
try and catch this traffic and log it, in order to demonstrate this
particular "bug". Usually I just let all outgoing traffic pass, since I
am the only user on my machines, and I have other security measures in
place which would alert me if anyone broke the outer defences and
planted a trojan. So it's generally easier to just let all outgoing
traffic pass.

At any rate, the point is that there should never even be any packets
which are leaving via udp from the DNS server, with a source port other
than 53. That's the whole idea behind the query-source line, as far as I
understand it. So my question stands: Have I misunderstood the
intent/usage of this command? Why is my server still sending out
requests (occasionally) on high ports when I have explicitly told it not
to?

Your point about not allowing out packets which I don't intend to allow
answers to is well taken, but that's kind of like telling someone who's
just been run over that they shouldn't be lying in the middle of the
road - it's kinda dangerous...

:)

Thanks again, and any further clues most welcome...

-Neil

Mark.Andrews at nominum.com wrote:
> 
>         I would suggest looking at the logs on this machine and verifying
>         that named loaded cleanly without reporting any errors.
> 
>         I would also be looking at the firewall configuration as it is
>         dumb to allow out a packet that you don't allow the answer to
>         back in.
> 
>         Mark
> 
> >
> > I am using RedHat Linux 7.0, bind 8.2.2 P7. My main (external) DNS is on
> > my firewall.
> >
> > I have the following in my /etc/named.conf:
> >
> > options {
> >       directory "/var/named";
> >       pid-file "/var/named/named.pid";
> >       allow-query { 10.0.0.0/8 };
> >       allow-transfer { 10.0.0.0/8 };
> >       allow-recursion { 10.0.0.0/8 };
> >       query-source address 216.220.99.3 port 53;
> > };
> >
> > As far as I can tell, this should result in my DNS server ONLY sending
> > requests from port 53. However I keep getting entries in my firewall
> > (ipchains) log similar to the following:
> >
> > Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17
> > 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
> > Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17
> > 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
> >
> > What this basically says is that my DNS server is sending from a high
> > port, in this case 61000, through udp. These high ports vary, they are
> > rarely the same. I have also noticed that this seems to happen mostly
> > with root servers.
> >
> > I have also tried using "query-source address * port 53;". No
> > difference.
> >
> > Am I misunderstanding the intended use of query-source, or is there
> > something else I need to be doing here? It is not easy for me to allow
> > random high ports and still keep good security.
> >
> > Any clues appreciated, and if more information is needed then I can
> > supply it. BTW, I also have an internal DNS server inside the firewall,
> > which uses the firewall as a forwarder. I don't think that should matter
> > here though, since the packets in question are coming from the firewall
> > itself.
> >
> > TIA,
> >
> > -Neil Gunton
> > NilSpace Inc
> > New York
> >
> >
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
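As an added illustration, not part of the thread or of BIND, here is a small Python checker that runs over ipchains "Packet log:" lines like the ones quoted above and flags outbound UDP queries from the DNS server's address that did not leave from port 53, i.e. exactly the packets that "query-source address ... port 53" is meant to prevent; it also notes whether the log shows the answer to such a query being dropped on input. The server address and the first two log lines come from the post; the other two lines are constructed for contrast.

```python
import re

# Constructed sample in the ipchains "Packet log:" format quoted in the thread: the
# two lines from the original post plus two constructed lines (a correctly pinned
# query and an unrelated TCP packet) for contrast.
SAMPLE_LOG = """\
Jan  3 12:32:55 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 216.220.99.3:61000 198.41.0.10:53 L=71 S=0x00 I=27968 F=0x0000 T=63 (#1)
Jan  3 12:32:55 firewall kernel: Packet log: input DENY eth0 PROTO=17 198.41.0.10:53 216.220.99.3:61000 L=379 S=0x00 I=34 F=0x4000 T=246 (#13)
Jan  3 12:33:01 firewall kernel: Packet log: output ACCEPT eth0 PROTO=17 216.220.99.3:53 198.41.0.4:53 L=64 S=0x00 I=27969 F=0x0000 T=63 (#1)
Jan  3 12:33:02 firewall kernel: Packet log: output ACCEPT eth0 PROTO=6 216.220.99.3:40123 10.1.2.3:22 L=60 S=0x00 I=27970 F=0x4000 T=63 (#2)
"""

# chain, target, interface, protocol number, src:port, dst:port
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>input|output|forward) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_ipchains(line):
    """Parse one ipchains packet-log line into a dict, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    return d

def find_unpinned_queries(log_text, server_ip, expected_port=53):
    """Outbound UDP queries from server_ip to port 53 not sent from expected_port.

    Each hit is (src_port, dst_ip, reply_denied); reply_denied is True when the log
    also shows the answer to that query being dropped on input, as in the post."""
    packets = [p for p in (parse_ipchains(ln) for ln in log_text.splitlines()) if p]
    denied_replies = {
        (p["dst"], p["dport"], p["src"]) for p in packets
        if p["chain"] == "input" and p["target"] == "DENY" and p["proto"] == 17
    }
    hits = []
    for p in packets:
        if p["chain"] != "output" or p["proto"] != 17:
            continue
        if p["src"] == server_ip and p["dport"] == 53 and p["sport"] != expected_port:
            denied = (p["src"], p["sport"], p["dst"]) in denied_replies
            hits.append((p["sport"], p["dst"], denied))
    return hits

if __name__ == "__main__":
    for sport, dst, denied in find_unpinned_queries(SAMPLE_LOG, "216.220.99.3"):
        print(f"query to {dst} left from port {sport}, answer dropped: {denied}")
```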
