BIND, Ethereal, msproxy, etc.

dbotham at dbotham at
Mon Jun 10 14:50:43 UTC 2002


BIND uses a high number ephemeral port number for the source port of its
queries by default.  However, you can change this behavior with the
named.conf "option" of:




Ed Sawicki <ed at>
Sent by: bind-users-bounce
06/07/2002 03:51 PM

To: comp-protocols-dns-bind at
cc:
Subject: BIND, Ethereal, msproxy, etc.

I just installed the latest version of Ethereal and immediately noticed
that some packets on my network were being decoded as "msproxy". I
quickly realized that these were DNS queries sent by my DNS server
(BIND 8.2.4 on Linux) to remote DNS servers - seemingly plain old DNS

Ethereal decodes them as the msproxy protocol because my DNS
server was using a source port of 1745, which Ethereal thinks is
the msproxy protocol even though IANA's port list refers to this as
remote-winsock. Ethereal's hex-ascii display made it clear that
these were DNS queries. I assume that Ethereal is messed up. For
packets with a source port of 1745 and destination port of 53, it
favors the registered port 1745 over the well-known port 53.

I thought that BIND just happened to use 1745 as its ephemeral port
for the packet exchange I just happened to capture. However, I
captured several hundred more packets and BIND seems to be using
port 1745 for all its queries. I checked
/proc/sys/net/ipv4/ip_local_port_range and it reports 49000 60000.

It seems that BIND 8.2.4 is not using ephemeral ports but rather uses
1745. I did not configure this in named.conf. Is this normal




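The check described in the thread, as an added example that is not part of either message: it identifies DNS queries by parsing the payload instead of trusting the port number, then summarises which source ports the resolver used. The function names and the packets are constructed for illustration; the 49000-60000 range is the ip_local_port_range value quoted above.

```python
import struct
from collections import Counter

def build_query(txid, name):
    """Constructed sample data: a minimal DNS query (RD set, one A/IN question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_dns_query(payload):
    """Classify by content rather than by port: check the header, walk QNAME."""
    if len(payload) < 17:                       # 12-byte header + root name + type/class
        return False
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1 or ancount != 0:   # QR=0, exactly one question
        return False
    i = 12
    while i < len(payload) and payload[i] != 0:
        if payload[i] > 63:                     # labels are at most 63 bytes
            return False
        i += payload[i] + 1
    return i + 5 <= len(payload)                # terminator + QTYPE + QCLASS present

def source_port_report(packets, ephemeral=(49000, 60000)):
    """Summarise source ports of outbound DNS queries in (sport, dport, payload) tuples."""
    ports = Counter(s for s, d, p in packets if d == 53 and is_dns_query(p))
    lo, hi = ephemeral
    total = sum(ports.values())
    return {
        "queries": total,
        "distinct_ports": len(ports),
        "fixed_port": next(iter(ports)) if len(ports) == 1 and total > 1 else None,
        "outside_ephemeral": sorted(p for p in ports if not lo <= p <= hi),
    }

# Constructed capture: five queries from port 1745 plus two non-DNS datagrams.
SAMPLE = [(1745, 53, build_query(0x1000 + n, "example.com")) for n in range(5)]
SAMPLE += [(1745, 53, b"\x00" * 8), (51000, 53, b"not a dns message at all")]

if __name__ == "__main__":
    print(source_port_report(SAMPLE))
```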