BIND, Ethereal, msproxy, etc.

dbotham at edeltacom.com dbotham at edeltacom.com
Mon Jun 10 14:50:43 UTC 2002



Ed,

BIND uses a high-numbered ephemeral port number for the source port of its
queries by default.  However, you can change this behavior with the
named.conf "option" of:

query-source-port...



Thanks,

Dave...


Ed Sawicki <ed at alcpress.com>
Sent by: bind-users-bounce@isc.org
06/07/2002 03:51 PM

To:       comp-protocols-dns-bind at isc.org
cc:
Subject:  BIND, Ethereal, msproxy, etc.




I just installed the latest version of Ethereal and immediately noticed
that some packets on my network were being decoded as "msproxy". I
quickly realized that these were DNS queries sent by my DNS server
(BIND 8.2.4 on Linux) to remote DNS servers - seemingly plain old DNS
queries.

Ethereal decodes them as the msproxy protocol because my DNS
server was using a source port of 1745, which Ethereal thinks is
the msproxy protocol even though IANA's port list refers to this as
remote-winsock. Ethereal's hex-ascii display made it clear that
these were DNS queries. I assume that Ethereal is messed up. For
packets with a source port of 1745 and destination port of 53, it
favors the registered port 1745 over the well-known port 53.

I thought that BIND just happened to use 1745 as its ephemeral port
for the packet exchange I just happened to capture. However, I
captured several hundred more packets and BIND seems to be using
port 1745 for all its queries. I checked
/proc/sys/net/ipv4/ip_local_port_range and it reports 49000 60000.

It seems that BIND 8.2.4 is not using ephemeral ports but rather uses
1745. I did not configure this in named.conf. Is this normal
operation?

Ed
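
An added example, not part of the original posts: Python code for the two checks described in the message above, identifying packets as DNS queries from their payload rather than from the port number, and tallying the source ports of queries sent to port 53 against the `ip_local_port_range` values quoted there. The port-preference rule in `classify`, all function names and the 300-packet capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Simplified model (assumption) of port-based dissector choice as the post
# describes it: a registered source port wins over well-known port 53.
PORT_NAMES = {53: "dns", 1745: "msproxy"}

def build_query(txid, name):
    """Build a minimal DNS A/IN query (constructed sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def looks_like_dns_query(payload):
    """Payload check: query flags, one question, well-formed QNAME."""
    if len(payload) < 17:
        return False
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns or ar:
        return False
    i = 12
    while i < len(payload) and payload[i] != 0:
        if payload[i] > 63:          # label too long or compression pointer
            return False
        i += payload[i] + 1
    return i + 5 == len(payload)     # root label + QTYPE + QCLASS, no trailer

def classify(src, dst, payload):
    """Return (decode chosen by port, decode chosen after payload check)."""
    by_port = PORT_NAMES.get(src) or PORT_NAMES.get(dst, "data")
    is_dns = 53 in (src, dst) and looks_like_dns_query(payload)
    return by_port, "dns" if is_dns else by_port

def source_port_report(packets, local_range=(49000, 60000)):
    """Summarise source ports of outbound queries to port 53."""
    ports = Counter(src for src, dst, p in packets
                    if dst == 53 and looks_like_dns_query(p))
    lo, hi = local_range
    return {
        "queries": sum(ports.values()),
        "distinct_ports": len(ports),
        "fixed_port": next(iter(ports)) if len(ports) == 1 else None,
        "outside_local_range": sorted(p for p in ports if not lo <= p <= hi),
    }

# Constructed capture: 300 queries, all from source port 1745 as in the post.
CAPTURE = [(1745, 53, build_query(i, "example.com")) for i in range(300)]
```

A non-empty `fixed_port` that also appears in `outside_local_range` indicates the source port is being chosen by the name server itself rather than drawn from the kernel's ephemeral range.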


