non-query socket errors coming to port 53

Mark.Andrews at nominum.com
Fri May 18 00:43:32 UTC 2001


	You can get this error if, as you are, using a query-source
	bound to port 53 and are not listening on *all* interfaces.

	This could be because of listen-on restricting the interfaces or
	an interface was brought up since the last interface scan
	or when named was started (named -u uid).

	The usual way to fix this is to use a different fixed port in
	query-source and adjust your firewall.

	Mark
> 
> Hi...
> 
> Jim Reid wrote:
> > 
> > >>>>> "susan" == susan hall <suehall at prodigy.net> writes:
> > 
> >     susan> 17-May-2001 13:21:17.922 refused query on non-query socket
> >     susan> from [64.20.240.240].1554
> > 
> >     susan> But all the servers here running named send queries on port
> >     susan> 53, without these errors.  All are configured with the
> >     susan> query-source address set.
> > 
> 
> 
> > Are you sure about that? What's in the name server logs at start-up or
> > after a reload?
> 
> In my startup messages is:
> 
> 17-May-2001 11:17:16.960 default: info: Forwarding source address is
> [0.0.0.0].53
> 
> The named.conf statement is:        query-source address * port 53;
> 
> > How about running lsof on named to check what files
> > and sockets it is actually using?
> 
> All TCP and UDP sockets shown up by lsof are on port: domain, as in:
> 
> named      7602  root   28u  IPv4 0x7033e500        0t0   UDP
> xxx1.yyy.com:domain 
> named      7602  root   29u  IPv4 0x7033dedc        0t0   TCP
> xxx2.yyy.com:domain (LISTEN)
> > 
> > The above error message implies that the name server is not using port
> > 53 when it makes outgoing queries. It's complaining because it's
> > getting queries on the socket (port number) it is using. The default
> > behaviour in BIND[89] is to use a random unprivileged port number when
> > querying other name servers. These queries are *sent* to port 53
> > obviously. Nothing should be sending data to that outbound query port
> > number. So it looks like you haven't set up query-source
> > correctly. And there's probably something doing a port scan of your
> > name server. When it sends something to the port number that the name
> > server is using for its outbound queries, the server logs this
> > message, believing the data it got was a query, whether it was a DNS
> > query or not.
> 
> Here's a security message logged:
> 
> 17-May-2001 13:21:17.922 refused query on non-query socket from
> [64.20.240.240].1554
> 
> Here's the iptraced packet that caused it:
> 
> ====( 69 bytes received on interface en0 )==== 13:21:17.916016837
> ETHERNET packet : [ 00:06:29:ac:39:8a -> 00:06:29:ac:39:2a ]  type 800 
> (IP)
> IP header breakdown:
>         < SRC =   64.20.240.240 >  
>         < DST =   198.83.19.241 >  
>         ip_v=4, ip_hl=20, ip_tos=0, ip_len=55, ip_id=17961, ip_off=0
>         ip_ttl=119, ip_sum=f243, ip_p = 17 (UDP)
> UDP header breakdown:
>         <source port=1554, <destination port=53(domain) >
>         [ udp length = 35 | udp checksum = 2e63 ]
> DNS Packet breakdown:
>     QUESTIONS:
>         search.vu, type = A, class = IN
> 
> The above query was not answered.  Three secs. later this ip made
> another dns query, from port 1556, and it was answered.  During this I
> was tracing both all requests to and from port 53, and all requests to
> and from the adaptor card.  There were no other requests from this
> address on any other port.
> 
> Also in the trace, I can see my box sending dns queries to other
> nameservers, and it is always port 53 -> port 53.
> 
> Thanks, Susan
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
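An added example, not part of the thread and not BIND's own code: a small Python diagnostic that parses the two log lines Susan quoted (the startup "Forwarding source address" line and the "refused query on non-query socket" line), checks whether the query-source port is 53, and compares the host's addresses against the listen-on list to find the addresses Mark describes, where inbound port-53 queries fall through to the outbound query socket and get refused. The sample host addresses other than 198.83.19.241 (the DST in Susan's trace) and the listen-on setting are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

DNS_PORT = 53

# Log formats as they appear in the thread (BIND 8 style messages).
REFUSED_RE = re.compile(
    r"refused query on non-query socket from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+)"
)
SOURCE_RE = re.compile(
    r"Forwarding source address is \[(?P<ip>[^\]]+)\]\.(?P<port>\d+)"
)


def parse_refused(line):
    """Return (client_ip, client_port) for a 'refused query on non-query socket' line."""
    m = REFUSED_RE.search(line)
    return (m.group("ip"), int(m.group("port"))) if m else None


def parse_source(line):
    """Return (source_ip, source_port) for the startup 'Forwarding source address' line."""
    m = SOURCE_RE.search(line)
    return (m.group("ip"), int(m.group("port"))) if m else None


def unlistened_addresses(interface_addrs, listen_on):
    """Host addresses that no listen-on entry covers ('any' covers everything)."""
    if "any" in listen_on:
        return []
    nets = [ip_network(entry, strict=False) for entry in listen_on]
    return [a for a in interface_addrs
            if not any(ip_address(a) in n for n in nets)]


def diagnose(log_lines, interface_addrs, listen_on):
    """Correlate the query-source port with listen-on coverage and refused events.

    Returns a dict with 'source' (ip, port), 'refused' [(ip, port), ...],
    'collision_addrs' (host addresses whose inbound port-53 traffic reaches
    the outbound query socket) and a short 'verdict' code.
    """
    source, refused = None, []
    for line in log_lines:
        s = parse_source(line)
        if s:
            source = s
        r = parse_refused(line)
        if r:
            refused.append(r)

    result = {"source": source, "refused": refused,
              "collision_addrs": [], "verdict": "ok"}
    if source is None:
        result["verdict"] = "no-source-line"
        return result

    src_ip, src_port = source
    if src_port != DNS_PORT:
        # Outbound port is not 53, so anything arriving on it is unsolicited
        # traffic aimed at the outbound port (the case Jim Reid describes).
        result["verdict"] = "unsolicited" if refused else "ok"
        return result

    # Outbound socket sits on port 53. Unless listen-on claims every address
    # it can be reached on, inbound queries to the unclaimed addresses land on
    # the query socket and are refused (the case Mark Andrews describes).
    candidates = interface_addrs if src_ip == "0.0.0.0" else [src_ip]
    result["collision_addrs"] = unlistened_addresses(candidates, listen_on)
    if result["collision_addrs"]:
        result["verdict"] = "collision"
    return result


# Constructed sample: the two log lines are the ones quoted in the thread;
# 198.83.19.242 and the listen-on entry are assumptions for illustration.
SAMPLE_LOG = [
    "17-May-2001 11:17:16.960 default: info: Forwarding source address is [0.0.0.0].53",
    "17-May-2001 13:21:17.922 refused query on non-query socket from [64.20.240.240].1554",
]
SAMPLE_ADDRS = ["198.83.19.241", "198.83.19.242"]
SAMPLE_LISTEN_ON = ["198.83.19.242"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_ADDRS, SAMPLE_LISTEN_ON))
```

With the sample data the verdict is "collision" on 198.83.19.241, which is exactly the address Susan's trace shows the refused query arriving at. Run against a real server's log, the host's address list and its listen-on block, the same check tells you whether a "non-query socket" message is the listen-on/query-source overlap Mark describes or just stray traffic to the outbound port. Mark's fix (a fixed query-source port other than 53, with the firewall adjusted to match) clears the overlap; note that current BIND 9 randomizes the outbound source port by default, and pinning it to a single fixed port gives up that source-port entropy, so on a modern server the listen-on side is the better thing to correct.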

