Recursive queries fail if query source port is not fixed

Kevin Darcy kcd at chrysler.com
Thu Aug 14 01:25:38 UTC 2008


Hans F. Nordhaug wrote:
> * Hans F. Nordhaug <Hans.F.Nordhaug at hiMolde.no> [2008-08-14]:
>   
>> * Jeff Lightner <jlightner at water.com> [2008-08-13]:
>>     
>>> My guess is you have a firewall that is only allowing port 53 outbound.
>>>
>>> Are you running iptables?  If so does turning it off temporarily resolve
>>> the issue?  Is there a firewall/switch upstream from your server that
>>> needs to be adjusted?
>>>
>>> We're running RHEL 5 with 9.3.4-P1 and it works fine here without the
>>> query port specified.   
>>>       
>> Thx for replying. As stated in the e-mail iptables does nothing[1]
>> and the Cisco router has no rules that limit traffic to port 53.
>> I just tested with "query-source port 40053;" and it worked without
>> any problems. (I even used tcpdump to verify that Bind used 40053
>> and not 53.) So the problem remains - recursive queries fail if the
>> query source port isn't fixed. (Any allowed fixed port number is OK.)
>>     
>
> Hm, I just read the "domain cannot resolve" thread:
>
>   Sounds a lot like the old "no query restart" behavior of BIND 8. It
>   would get part of the way through iterative resolution, then just stop
>   and wait for the client to time out and retry. Yuck.
>
> I tried to repeat the same query multiple times and finally it
> resolved ... I'm not forwarding (explicitly) to a BIND 8 server.
> However, this machine is a slave and the master is actually BIND 8.
>
> The tcpdumps don't show any forwarding ...
>
>   
I don't think it's related. master/slave only applies to authoritative 
zones, and I'm assuming you don't have any problems querying names in 
your own authoritative zones.

                  - Kevin
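A small diagnostic to reproduce the test the original poster did by hand (pinned source port succeeds, ephemeral source port times out), as an added example rather than anything posted in this thread or shipped with BIND. It sends one A query from a chosen source port and reports whether a matching response comes back; run it on the resolver host against the upstream it forwards to or a root/TLD server. The server address, the query name and the pinned port 40053 are parameters, and the packet layout is the plain RFC 1035 header plus question. Keep in mind that pinning `query-source port` only papers over the filter: it also disables the source-port randomization that protects a recursive server against cache poisoning, so the right fix is to allow outbound UDP from the ephemeral range through iptables or the Cisco.

```python
"""Probe outbound DNS from a fixed source port versus an ephemeral one.

Added diagnostic, not code from the thread or from BIND. Assumes an upstream
resolver or authoritative server reachable on UDP/53 from this host.
"""
import random
import socket
import struct


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query: one A/IN question, RD set, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def response_matches(query: bytes, resp: bytes) -> bool:
    """True if resp is a DNS response (QR=1) whose ID and question echo the query."""
    if len(resp) < len(query):
        return False
    qid, flags = struct.unpack("!HH", resp[:4])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False
    return resp[12:len(query)] == query[12:]


def probe(server: str, server_port: int, source_port: int,
          name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send one query from source_port (0 lets the OS pick an ephemeral port).

    Returns True if a matching response arrives before timeout, else False.
    Binding a high port such as 40053 needs no privileges; port 53 would.
    """
    query = build_query(name, random.randrange(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", source_port))
        s.sendto(query, (server, server_port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return response_matches(query, data)


def diagnose(server: str, server_port: int = 53, fixed_port: int = 40053,
             trials: int = 3) -> dict:
    """Compare one pinned source port against several ephemeral ones.

    A filter that only passes a pinned port (or only source port 53) shows up
    as fixed=True with every ephemeral trial False.
    """
    return {
        "fixed": probe(server, server_port, fixed_port),
        "ephemeral": [probe(server, server_port, 0) for _ in range(trials)],
    }


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python probe_dns_ports.py <upstream-ip>
    upstream = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = diagnose(upstream)
    print(f"pinned source port 40053: {result['fixed']}")
    print(f"ephemeral source ports:   {result['ephemeral']}")
    if result["fixed"] and not any(result["ephemeral"]):
        print("Only the pinned port gets through: something filters outbound UDP "
              "from ephemeral ports. Open the range rather than pinning the port.")
```

If the pinned port answers and the ephemeral trials all time out while tcpdump on the resolver shows the queries leaving, the drop is upstream of the host; if tcpdump shows nothing leaving, look at iptables on the host itself.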
