Recursive queries fail if query source port is not fixed

Hans F. Nordhaug Hans.F.Nordhaug at hiMolde.no
Thu Aug 14 05:24:19 UTC 2008


* Kevin Darcy <kcd at chrysler.com> [2008-08-14]:
> Hans F. Nordhaug wrote:
> > * Hans F. Nordhaug <Hans.F.Nordhaug at hiMolde.no> [2008-08-14]:
> >   
> >> * Jeff Lightner <jlightner at water.com> [2008-08-13]:
> >>     
> >>> My guess is you have a firewall that is only allowing port 53 outbound.
> >>>
> >>> Are you running iptables?  If so does turning it off temporarily resolve
> >>> the issue?  Is there a firewall/switch upstream from your server that
> >>> needs to be adjusted?
> >>>
> >>> We're running RHEL 5 with 9.3.4-P1 and it works fine here without the
> >>> query port specified.   
> >>>       
> >> Thx for replying. As stated in the e-mail iptables does nothing[1]
> >> and the Cisco router has no rules that limit traffic to port 53.
> >> I just tested with "query-source port 40053;" and it worked without
> >> any problems. (I even used tcpdump to verify that BIND used 40053
> >> and not 53.) So the problem remains - recursive queries fail if the
> >> query source port isn't fixed. (Any allowed fixed port number is OK.)
> >>     
> >
> > Hm, I just read the "domain cannot resolve" thread:
> >
> >   Sounds a lot like the old "no query restart" behavior of BIND 8. It
> >   would get part of the way through iterative resolution, then just stop
> >   and wait for the client to time out and retry. Yuck.
> >
> > I tried to repeat the same query multiple times and finally it
> > resolved ... I'm not forwarding (explicitly) to a BIND 8 server.
> > However, this machine is a slave and the master is actually BIND 8.
> >
> > The tcp dumps don't show any forwarding ...
> >
> >   
> I don't think it's related. master/slave only applies to authoritative 
> zones, and I'm assuming you don't have any problems querying names in 
> your own authoritative zones.

You are assuming correctly. I just wanted to provide as much info as
possible...

Hans

