BIND, Ethereal, msproxy, etc.

Ed Sawicki ed at alcpress.com
Fri Jun 7 19:51:01 UTC 2002


I just installed the latest version of Ethereal and immediately noticed
that some packets on my network were being decoded as "msproxy". I
quickly realized that these were DNS queries sent by my DNS server
(BIND 8.2.4 on Linux) to remote DNS servers - seemingly plain old DNS
queries.

Ethereal decodes them as the msproxy protocol because my DNS
server was using a source port of 1745, which Ethereal thinks is
the msproxy protocol even though IANA's port list refers to this as
remote-winsock. Ethereal's hex-ascii display made it clear that
these were DNS queries. I assume that Ethereal is messed up. For
packets with a source port of 1745 and destination port of 53, it
favors the registered port 1745 over the well-known port 53.

I thought that BIND just happened to use 1745 as its ephemeral port
for the packet exchange I just happened to capture. However, I
captured several hundred more packets and BIND seems to be using
port 1745 for all its queries. I checked
/proc/sys/net/ipv4/ip_local_port_range and it reports 49000 60000.

It seems that BIND 8.2.4 is not using ephemeral ports but rather uses
1745. I did not configure this in named.conf. Is this normal
operation?

Ed
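
The check the post performs by hand, written out as an added example (not part of the original message and not BIND or Ethereal code): it identifies DNS queries from the DNS header rather than from the source port, then reports whether every query leaves from one port and whether that port is outside the range in ip_local_port_range. The packet tuples, function names, and the 10-query threshold are assumptions; the sample captures are constructed.

```python
import struct
from collections import Counter

# Range the post reads from /proc/sys/net/ipv4/ip_local_port_range
EPHEMERAL = (49000, 60000)

def build_query(txid, name):
    """Build a minimal DNS query payload (used only for constructed samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_dns_query(payload):
    """Check the DNS header itself: QR=0, opcode 0, QDCOUNT>=1, ANCOUNT=0."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return not flags & 0x8000 and (flags >> 11) & 0xF == 0 and qd >= 1 and an == 0

def source_port_report(packets, ephemeral=EPHEMERAL, min_queries=10):
    """packets: iterable of (src_port, dst_port, udp_payload) tuples."""
    ports = Counter(sp for sp, dp, data in packets
                    if dp == 53 and is_dns_query(data))
    total = sum(ports.values())
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    lo, hi = ephemeral
    return {
        "queries": total,
        "distinct_ports": len(ports),
        "top_port": top_port,
        # One port for every query in a reasonably sized sample
        "fixed_port": total >= min_queries and len(ports) == 1,
        "outside_ephemeral": sorted(p for p in ports if not lo <= p <= hi),
    }

# Constructed capture: every query leaves from 1745, as the post describes
FIXED = [(1745, 53, build_query(i, "example.com")) for i in range(20)]
# Constructed contrast: each query from a different port inside the range
VARIED = [(49000 + 37 * i, 53, build_query(i, "example.com")) for i in range(20)]

if __name__ == "__main__":
    for label, capture in (("fixed", FIXED), ("varied", VARIED)):
        print(label, source_port_report(capture))
```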







More information about the bind-users mailing list