Random source port isn't random?

Ian Northeast ian at house-from-hell.demon.co.uk
Wed Aug 6 21:55:33 UTC 2003


I am running bind 9.2.2 on SuSE Linux Enterprise Server 8 (2.4.19) to
provide caching nameservers for our mail exchanges.

I have specified the query-source address option but not the port
number. According to the documentation this should cause it to pick a
source port number at random at startup and use it for all queries.

What I find is that when named is started from an initialisation script
at boot time it always uses port 32768. This is at the bottom of the
ephemeral range in the default SuSE configuration.

My named is chrooted but the jail contains a /dev/random and AIUI bind
doesn't use /dev/random for this particular randomness. Also, if I run
it without the chroot on a test system it does the same thing. The named
start script runs after the one which reseeds the random number
generator.

So how does bind pick this "random" port number? I am not familiar with
the layout of the source and can't find the relevant part. Can someone
point me at the appropriate source file so I can check myself?

I would like this number to be truly random. In particular I need my two
caching servers serving my mail exchanges to use different ones. I know
I could do this by specifying it explicitly, differently, in the two but
this could break if by some chance the ports I specified happened to be
in use. I would like it to behave as documented.

This has come to light because of a misconfigured third party firewall
which is blocking UDP packets on source port 32768 (or possibly the
responses back to me). The admin's explanation was that he needed to do
this to protect his rpc.statd which listens on this port. I have
attempted to point out that he has this backwards but I suspect I will
not get anywhere. I also suspect that I will run into this sort of
misconfiguration in other places. If the two servers were almost
guaranteed to be using different source ports it would alleviate this
sort of problem considerably.

I have resolved the problem for now by restarting one of my caching
servers; it has picked up a different port number and we can now resolve
the domain in question (apu.ac.uk). But I need a permanent solution and
prefer not to hard code the port numbers.

Any ideas?

Regards, Ian
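Added illustration, not part of Ian's message and not BIND's own port-selection code: the post turns on the difference between a process that binds a UDP socket to port 0 (the kernel then chooses the source port by its own ephemeral-port policy, which on that SuSE 2.4 kernel apparently handed out the bottom of the range, 32768) and a process that draws the port itself from a cryptographic random source and binds to it, retrying on EADDRINUSE so that a port already held by another program, the failure Ian worries about when hard-coding, does not stop startup. The path /proc/sys/net/ipv4/ip_local_port_range is the real Linux sysctl for the ephemeral range; the fallback range, the `rng` injection parameter and the helper names are assumptions made for this example.

```python
import errno
import secrets
import socket

# Fallback range, an assumption for illustration; on Linux the real range is
# read from /proc/sys/net/ipv4/ip_local_port_range below (the poster's SuSE
# box handed out 32768, the bottom of its default range).
DEFAULT_RANGE = (32768, 61000)
default_rng = secrets.randbelow  # CSPRNG-backed: returns an int in [0, n)


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) of the kernel's ephemeral port range, or DEFAULT_RANGE
    when the sysctl file is unavailable (non-Linux host, chroot without /proc)."""
    try:
        with open(path) as f:
            low, high = (int(x) for x in f.read().split())
        return low, high
    except (OSError, ValueError):
        return DEFAULT_RANGE


def kernel_assigned_port(addr="127.0.0.1"):
    """Bind a UDP socket to port 0 and let the kernel pick the source port.
    Whatever comes back reflects the kernel's allocation policy, not any
    randomness in the application; older kernels start at the low end."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, 0))
        return s.getsockname()[1]
    finally:
        s.close()


def random_port_bind(addr="127.0.0.1", port_range=None, attempts=32, rng=default_rng):
    """Choose a source port from a CSPRNG inside the ephemeral range and bind it.
    A port already in use (EADDRINUSE) is skipped and another one drawn, so a
    collision with another process does not break startup the way a fixed,
    hard-coded port would. Returns (socket, port); the caller owns the socket."""
    low, high = port_range or ephemeral_range()
    for _ in range(attempts):
        port = low + rng(high - low + 1)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind((addr, port))
        except OSError as e:
            s.close()
            if e.errno == errno.EADDRINUSE:
                continue  # taken by someone else: draw again
            raise
        return s, port
    raise RuntimeError("no free UDP port found in %d attempts" % attempts)


if __name__ == "__main__":
    # Compare the two strategies on this host: the kernel's pick versus a
    # CSPRNG pick. Run it twice to see whether the kernel repeats itself.
    print("kernel-assigned port:", kernel_assigned_port())
    sock, port = random_port_bind()
    print("application-chosen random port:", port)
    sock.close()
```

Run the script twice in a row on a fresh boot to reproduce the observation in the post: the kernel-assigned value tends to be predictable, while the application-chosen one is drawn independently each start, so two caching servers started from the same init script are very unlikely to land on the same source port.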


More information about the bind-users mailing list