zone transfers sticking on one port?
Mark Andrews
Mark_Andrews at isc.org
Mon Mar 15 23:56:23 UTC 2004
> I'm seeing what I think is an odd behavior with named, and want to know if
> this is in fact how things should work.
>
> We had blocked port 39999 on our border to help deal with the Beagle
> virus. We found out eventually that this was causing slave transfers
> from our nameserver to an off-site secondary to fail with the "failure
> trying master error...:timed out"
>
> I actually did a sniff, and I could just see all these UDP requests going
> on on 39999 and not getting answered. Other ports were obviously going
> through OK.
>
> Why was named hanging up on this port? Shouldn't it just brush this off
> and try another port >1023? This doesn't make any sense to me.
>
> chris
Failure to get an answer is not normally a reason to change
port. It normally indicates that a host / link is down.
Changing port is not an indicated solution to this problem.
Even if named was capable of receiving the ICMP message
(your firewall does generate an ICMP message?) there is
nothing in ICMP messages to say "Try a different source
port".
Blocking non-reserved ports is always fraught with danger.
You will be creating problems for all applications that may
use that port not just the malware. You just happened to
see the problems with named.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
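The distinction Mark draws (a dead master answers on no port; a port filter silences one source port while the rest get replies) can be checked directly against a sniff like the one chris took. The script below is an added example for this thread, not code from ISC or BIND; the packet tuples are a constructed sample, and the port numbers in it are made up apart from 39999 from the thread.

```python
"""Spot a port-specific filter in a capture of DNS traffic.

Constructed example (not from the bind-users thread). named picks random
unprivileged source ports for its queries; if every query from one port goes
unanswered while queries from other ports are answered, suspect a filter on
that port rather than an unreachable master.
"""
from collections import defaultdict

# Constructed sample: (src_port, dst_port, direction) for UDP datagrams
# seen between our nameserver and the zone master listening on port 53.
SAMPLE = [
    (40210, 53, "out"), (53, 40210, "in"),   # answered
    (39999, 53, "out"),                      # no reply
    (39999, 53, "out"),                      # retry, still no reply
    (41877, 53, "out"), (53, 41877, "in"),   # answered
    (39999, 53, "out"),                      # retry, still no reply
    (42500, 53, "out"), (53, 42500, "in"),   # answered
]

def response_rates(packets):
    """Return {source_port: (queries_sent, responses_received)}."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, direction in packets:
        if direction == "out" and dst == 53:
            stats[src][0] += 1          # our query, keyed by source port
        elif direction == "in" and src == 53:
            stats[dst][1] += 1          # master's reply to that source port
    return {port: tuple(v) for port, v in stats.items()}

def suspect_ports(packets, min_queries=2):
    """Source ports that sent at least min_queries and never got a reply."""
    stats = response_rates(packets)
    return sorted(p for p, (q, r) in stats.items() if q >= min_queries and r == 0)

def classify(packets):
    """Tell 'master unreachable' apart from 'one source port filtered'."""
    stats = response_rates(packets)
    if not stats:
        return "no_traffic"
    answered = [p for p, (q, r) in stats.items() if r > 0]
    if not answered:
        return "no_answers_any_port"     # host / link down, as Mark describes
    if suspect_ports(packets):
        return "port_filter_suspected"   # only some ports silent: look at the border
    return "healthy"

if __name__ == "__main__":
    print(classify(SAMPLE), suspect_ports(SAMPLE))
```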