odd behaviour: BIND 9.3.3rc2

Ralph Young ralph at f7.net
Tue Nov 27 19:38:37 UTC 2007


Ok, I see now... in this case the remote nameserver is misconfigured - it's
dropping any packet with a source port less than 1024... it should make an
exception for port 53.
Thanks

On Nov 26, 2007 5:36 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:

>
> > Not sure if this one was ever resolved, but I'm seeing similar problems
> > with Bind 9.4.1p.  From limited testing it appears the problem is related
> > to the query-source port option.  Sometimes hosts will be configured to
> > filter packets that have a source port below 1024; it appears in this case
> > the query is never making it up to the nameserver when the query-source
> > port is 53, therefore no response.  When I comment out the query-source
> > port option, it works fine.
> > Unfortunately the query-source port option is necessary to get through the
> > firewall.  Am I understanding this correctly? - assuming the only way
> > around it is to configure another nameserver without this query-source
> > port option?
>
>        The port value is for stateless firewalls and it can be any
>        port, it just has to be what is configured into the local
>        firewall.  53 is the recommended value because if you are
>        running an authoritative nameserver you have to open up port
>        53 to allow the queries in, so by setting query source to 53
>        you allow the replies in via the same hole in the firewall.
>
>        Any firewall that looks at the source port is misconfigured.
>
>        Mark
>
> > On Aug 29, 2007 9:20 AM, Felipe Ceglia - PY1NB <felipe-listas at terenet.com.br> wrote:
> >
> > > Hello again, bind gurus,
> > >
> > > I am running BIND 9.3.3rc2 on a centos box.
> > >
> > > It happens that I can't resolve some hosts, like:
> > >
> > > dig redelagos.com.br
> > > dig teresopolis.unimed.com.br
> > >
> > > And I can resolve it from other dns servers.
> > >
> > > Surely there is something wrong, but I can't figure out what.
> > >
> > > Any ideas?
> > >
> > >
> > > My /etc/named.conf looks like:
> > >
> > > options
> > > {
> > >        query-source    port 53;
> > >        query-source-v6 port 53;
> > >        directory "/var/named"; // the default
> > >        dump-file               "data/cache_dump.db";
> > >        statistics-file         "data/named_stats.txt";
> > >        memstatistics-file      "data/named_mem_stats.txt";
> > >
> > > };
> > > logging
> > > {
> > >        channel default_debug {
> > >                file "data/named.run";
> > >                severity dynamic;
> > >        };
> > > };
> > > view "internal"
> > > {
> > >        include "/etc/named.root.hints";
> > > };
> > > //
> > > view    "external"
> > > {
> > > recursion yes;
> > > zone "." IN {
> > >        type hint;
> > >        file "named.root";
> > > };
> > > zone "domain.com" {
> > >        type master;
> > >        file "named.domain.com";
> > > };
> > >
> > > };
> > >
> > >
> > >
> >
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
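The exchange the thread reasons about, as an added runnable model (constructed here; it is not code from the thread, from BIND or from ISC). It models the remote nameserver's stateless filter that drops any packet with a source port below 1024, the corrected version with the exception for port 53 that Ralph identified, and the local stateless firewall that only admits inbound UDP to port 53 (the reason the query-source port option was needed to "get through the firewall"). It also goes one step beyond the thread with a minimal connection-tracking filter, to show why a stateful local firewall is what lets a resolver use an ephemeral source port instead. Addresses are TEST-NET values and the port numbers are made up.

```python
"""Constructed model of the packet filters discussed in the thread (not BIND or ISC code).

Two stateless filters are modelled: the remote nameserver's, which drops any packet
with a source port below 1024, and the local one, which (for an authoritative server)
only admits inbound UDP to port 53 and therefore forces "query-source port 53".
A small stateful filter is added for comparison. Addresses and ports are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# A rule is (predicate, verdict); first match wins, otherwise the chain default applies,
# like a plain iptables chain with no connection tracking.
Rule = Tuple[Callable[[Packet], bool], str]


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    for pred, verdict in rules:
        if pred(pkt):
            return verdict
    return default


LOCAL = "192.0.2.10"       # our BIND box (constructed TEST-NET-1 address)
REMOTE = "198.51.100.53"   # the remote authoritative server (constructed TEST-NET-2 address)

# Remote side as the thread describes it: every privileged source port is dropped.
REMOTE_MISCONFIGURED: List[Rule] = [
    (lambda p: p.sport < 1024, "DROP"),
]
# Remote side with the exception Ralph identified: DNS arriving from port 53 passes.
REMOTE_FIXED: List[Rule] = [
    (lambda p: p.proto == "udp" and p.sport == 53 and p.dport == 53, "ACCEPT"),
    (lambda p: p.sport < 1024, "DROP"),
]
# Local stateless inbound chain: only the authoritative port 53 hole is open.
LOCAL_STATELESS: List[Rule] = [
    (lambda p: p.proto == "udp" and p.dport == 53, "ACCEPT"),
]


class StatefulFilter:
    """Minimal connection-tracking model: an inbound datagram is admitted only if it
    answers a flow we sent out. This is what lets a resolver use any source port."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.flows else "DROP"


def simulate(query_sport: int, remote_rules: List[Rule],
             stateful_local: bool = False) -> Dict[str, bool]:
    """Send one query from query_sport to REMOTE:53 and report what gets through."""
    query = Packet(LOCAL, query_sport, REMOTE, 53)
    local = StatefulFilter()
    local.outbound(query)
    if evaluate(remote_rules, "ACCEPT", query) != "ACCEPT":
        return {"query_delivered": False, "reply_delivered": False}
    reply = Packet(REMOTE, 53, LOCAL, query_sport)  # answered to the query's source port
    if stateful_local:
        verdict = local.inbound(reply)
    else:
        verdict = evaluate(LOCAL_STATELESS, "DROP", reply)
    return {"query_delivered": True, "reply_delivered": verdict == "ACCEPT"}


def thread_scenarios() -> Dict[str, Dict[str, bool]]:
    """The cases the thread walks through, plus the stateful alternative."""
    ephemeral = 40123  # constructed high port
    return {
        # Felipe's symptom: query from port 53 never reaches the remote server.
        "port53_remote_misconfigured": simulate(53, REMOTE_MISCONFIGURED),
        # Remote filter with the port 53 exception: query and reply both pass.
        "port53_remote_fixed": simulate(53, REMOTE_FIXED),
        # Without query-source port 53 the reply hits a closed port on a stateless local firewall.
        "ephemeral_stateless_local": simulate(ephemeral, REMOTE_MISCONFIGURED),
        # With connection tracking the reply to the ephemeral port is admitted.
        "ephemeral_stateful_local": simulate(ephemeral, REMOTE_MISCONFIGURED, stateful_local=True),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:30} query={result['query_delivered']!s:5} reply={result['reply_delivered']}")
```

The last scenario is the practitioner's caveat to Mark's advice: a stateless local firewall is what forces a fixed query-source port, and later BIND releases randomise the query source port by default, so a stateful (connection-tracking) rule for outbound DNS is the configuration that keeps that default working rather than pinning the port to 53.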