Recursive queries fail if query source port is not fixed
Kevin Darcy
kcd at chrysler.com
Thu Aug 14 01:25:38 UTC 2008
Hans F. Nordhaug wrote:
> * Hans F. Nordhaug <Hans.F.Nordhaug at hiMolde.no> [2008-08-14]:
>
>> * Jeff Lightner <jlightner at water.com> [2008-08-13]:
>>
>>> My guess is you have a firewall that is only allowing port 53 outbound.
>>>
>>> Are you running iptables? If so does turning it off temporarily resolve
>>> the issue? Is there a firewall/switch upstream from your server that
>>> needs to be adjusted?
>>>
>>> We're running RHEL 5 with 9.3.4-P1 and it works fine here without the
>>> query port specified.
>>>
>> Thanks for replying. As stated in the e-mail, iptables does nothing[1]
>> and the Cisco router has no rules that limit traffic to port 53.
>> I just tested with "query-source port 40053;" and it worked without
>> any problems. (I even used tcpdump to verify that Bind used 40053
>> and not 53.) So the problem remains - recursive queries fail if the
>> query source port isn't fixed. (Any allowed fixed port number is OK.)
>>
>
> Hm, I just read the "domain cannot resolve" thread:
>
> Sounds a lot like the old "no query restart" behavior of BIND 8. It
> would get part of the way through iterative resolution, then just stop
> and wait for the client to time out and retry. Yuck.
>
> I tried to repeat the same query multiple times and finally it
> resolved ... I'm not forwarding (explicitly) to a BIND 8 server.
> However, this machine is a slave and the master is actually BIND 8.
>
> The tcp dumps doesn't show any forwarding ...
>
I don't think it's related. master/slave only applies to authoritative
zones, and I'm assuming you don't have any problems querying names in
your own authoritative zones.
- Kevin
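An added example, not from the thread or from BIND, that automates the tcpdump check Hans describes: it pairs the queries a resolver sends out with the replies that come back, reports which source ports never received an answer (the symptom discussed above), and flags a resolver that sends everything from one fixed port, since a predictable source port makes spoofed replies easier to land. The capture lines, the addresses and the resolver IP 192.0.2.10 are constructed.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines, not from the thread: queries the resolver
# (192.0.2.10) sends to an authoritative server and the replies that come back.
SAMPLE_CAPTURE = """\
01:25:01.000 IP 192.0.2.10.53 > 198.51.100.1.53: 1001+ A? example.com. (29)
01:25:01.010 IP 198.51.100.1.53 > 192.0.2.10.53: 1001* 1/0/0 A 203.0.113.5 (45)
01:25:02.000 IP 192.0.2.10.40053 > 198.51.100.1.53: 1002+ A? example.net. (29)
01:25:02.010 IP 198.51.100.1.53 > 192.0.2.10.40053: 1002* 1/0/0 A 203.0.113.6 (45)
01:25:03.000 IP 192.0.2.10.51477 > 198.51.100.1.53: 1003+ A? example.org. (29)
01:25:04.000 IP 192.0.2.10.33221 > 198.51.100.1.53: 1004+ A? example.edu. (29)
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <id>[+|*] ..."; tcpdump appends "+"
# to a query id (recursion desired) and "*" to an authoritative reply.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flag>[+*]?)"
)

def parse_capture(text, resolver_ip):
    """Pair each query the resolver sent with the reply carrying the same
    (resolver port, transaction id). Returns {(port, id): answered}."""
    outcomes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["src"] == resolver_ip and m["flag"] == "+":
            outcomes[(int(m["sport"]), int(m["id"]))] = False
        elif m["dst"] == resolver_ip and m["flag"] != "+":
            key = (int(m["dport"]), int(m["id"]))
            if key in outcomes:          # ignore replies to queries we never saw
                outcomes[key] = True
    return outcomes

def assess(outcomes):
    """Summarize which source ports were used and which never got a reply."""
    sent = Counter(port for port, _ in outcomes)
    got = Counter(port for (port, _), ok in outcomes.items() if ok)
    dead = sorted(p for p in sent if got[p] == 0)
    if len(sent) == 1:
        finding = "single source port: predictable, so spoofed replies are easier"
    elif dead:
        finding = f"no replies ever reached ports {dead}: check firewall/NAT for high ports"
    else:
        finding = "replies received on every source port"
    return {"ports_used": len(sent), "unanswered_ports": dead, "finding": finding}
```

Feed it the output of `tcpdump -n -i <iface> udp port 53` captured while the resolver is running with and without `query-source port` set, and compare the two reports.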