Unreachable port

Paul Kosinski prk at iment.com
Tue Oct 9 05:39:58 UTC 2007


Since upgrading to BIND 9.4.1-P1 -- which has been running fine since
Sep 1 -- I have been logging queries on one of my lightly loaded
servers. In doing so, I notice that several times per day I get a
query which, when I reply to it, I get back ICMP Port Unreachable
(reported via iptables logging). These happen on both A and MX
queries, and come from various IP blocks.

The ICMP packets claim to come from the same IP address that sent the
request. This is peculiar, as it suggests that that computer is still
running -- so why doesn't it accept the reply?

I suppose it could be that the requesting process terminated before
the reply came back -- but the ICMP comes back within a second of the
DNS query having arrived at my server.

Alternatively, if the requesting computer were on a NAT-ed subnet
(and went down), the NAT gateway ought to be replying Host
Unreachable, not Port Unreachable.

The only other explanation I can think of is that people are spoofing
the source IP in DNS queries in order to cause trouble. But the load
on *my* server is almost not noticeable, so it would have to be that
they are targeting the DNS reply-to IP. But that is a pretty random
port number, which might be blocked except when expecting a reply.

Does anyone have any thoughts on this?

Paul Kosinski
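As an added illustration, not part of the post above, here is one way to test the hypotheses raised in it against real logs: correlate BIND query-log entries with iptables-logged ICMP port-unreachable messages, and separate bounces sent by the querying address itself (the pattern described) from bounces sent by some other host such as a gateway. All log lines, addresses and the `UNREACH` log prefix are constructed for the example, and the iptables lines are abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation addresses; 203.0.113.53 plays our server).
QUERY_LOG = """\
09-Oct-2007 05:30:01.120 client 192.0.2.10#34567: query: example.org IN A +
09-Oct-2007 05:30:01.300 client 198.51.100.7#5353: query: example.org IN MX +
09-Oct-2007 05:30:02.900 client 192.0.2.10#34568: query: example.org IN MX +
09-Oct-2007 05:30:05.010 client 203.0.113.4#40101: query: example.org IN A +
"""
ICMP_LOG = """\
Oct  9 05:30:01 ns1 kernel: UNREACH IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.53 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=34567 LEN=80]
Oct  9 05:30:02 ns1 kernel: UNREACH IN=eth0 OUT= SRC=198.51.100.1 DST=203.0.113.53 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.53 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=5353 LEN=90]
Oct  9 05:30:03 ns1 kernel: UNREACH IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.53 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=34568 LEN=80]
"""

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#(\d+): query:")
# Outer SRC is whoever sent the ICMP error; the bracketed part quotes our reply.
ICMP_RE = re.compile(
    r"SRC=(?P<sender>\d+\.\d+\.\d+\.\d+) .*?PROTO=ICMP TYPE=3 CODE=3 "
    r"\[SRC=\S+ DST=(?P<inner_dst>\d+\.\d+\.\d+\.\d+) .*?PROTO=UDP "
    r"SPT=(?P<inner_sport>\d+) DPT=(?P<inner_dport>\d+)")

def parse_queries(text):
    """Map (client_ip, client_port) -> number of queries seen from it."""
    counts = defaultdict(int)
    for m in QUERY_RE.finditer(text):
        counts[(m.group(1), int(m.group(2)))] += 1
    return counts

def parse_unreachables(text):
    """(icmp_sender, quoted_dst, quoted_dport) for port-unreachables quoting our replies."""
    return [(m.group("sender"), m.group("inner_dst"), int(m.group("inner_dport")))
            for m in ICMP_RE.finditer(text) if m.group("inner_sport") == "53"]

def bounce_report(queries, unreachables):
    """Per client IP: queries, bounced replies, and who sent the bounce."""
    report = defaultdict(lambda: {"queries": 0, "bounced": 0, "from_client": 0, "from_other": 0})
    for (ip, _port), n in queries.items():
        report[ip]["queries"] += n
    for sender, dst, dport in unreachables:
        if (dst, dport) not in queries:   # bounce for a reply we never logged a query for
            continue
        report[dst]["bounced"] += 1
        report[dst]["from_client" if sender == dst else "from_other"] += 1
    return dict(report)

def suspicious(report):
    """Clients whose every logged query was bounced by the client address itself."""
    return sorted(ip for ip, r in report.items()
                  if r["queries"] > 0 and r["from_client"] == r["queries"])
```

A client that bounces every reply from its own address is consistent with either a closed socket or a spoofed source; one whose bounces come from a different host points at an intermediate device, so the two cases are worth tracking separately before drawing conclusions.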
