Recursive queries fail if query source port is not fixed

Hans Fredrik Nordhaug hansfn at gmail.com
Tue Aug 12 12:34:47 UTC 2008


In the quest for securing the name servers in a company I try to help,
I have gotten into trouble. The company is running CentOS 5.0 and I
have updated their Bind to 9.3.4_P1. In addition, I planned to remove
the "query-source port 53;" from /etc/named.conf so the servers aren't
vulnerable to cache poisoning.

The problem is that recursive queries fail if I remove
"query-source port 53;". I have checked iptables on the servers and the
rules on the Cisco ASA and there isn't anything limiting the traffic
to port 53 - which I think the dumps below (from tcpdump) confirm.

(I have tested with a lookup of the A record for www.uib.no.)

Output from tcpdump when query-source = 53:

16:02:22.263932 IP g4.tibe.no.domain > i.root-servers.net.domain:  50269 [1au] A? www.uib.no. (39)
16:02:22.263988 IP g4.tibe.no.domain > i.root-servers.net.domain:  46377 [1au] NS? . (28)
16:02:22.279513 IP i.root-servers.net.domain > g4.tibe.no.domain:  50269- 0/6/7 (246)
16:02:22.280013 IP i.root-servers.net.domain > g4.tibe.no.domain:  46377*- 13/0/20 NS G.ROOT-SERVERS.NET.,[|domain]
16:02:22.281367 IP g4.tibe.no.domain > x.nic.no.domain:  49597 [1au] A? www.uib.no. (39)
16:02:22.297003 IP x.nic.no.domain > g4.tibe.no.domain:  49597- 0/4/5 (189)
16:02:22.297889 IP g4.tibe.no.domain > nn.uninett.no.domain:  62217 [1au] A? www.uib.no. (39)
16:02:22.320987 IP nn.uninett.no.domain > g4.tibe.no.domain:  62217*- 2/5/5 CNAME webber.uib.no., (247)
16:02:22.322167 IP g4.tibe.no.domain > alf.uib.no.domain:  23507 [1au] A? webber.uib.no. (42)
16:02:22.343475 IP alf.uib.no.domain > g4.tibe.no.domain:  23507*- 1/5/5 A webber.uib.no (229)

Output from tcpdump when query-source != 53:

16:00:54.387047 IP g4.tibe.no.53099 > i.root-servers.net.domain:  13547 [1au] A? www.uib.no. (39)
16:00:54.402614 IP i.root-servers.net.domain > g4.tibe.no.53099:  13547- 0/6/7 (246)
16:00:54.403877 IP g4.tibe.no.58817 > njet.norid.no.domain:  13667 [1au] A? www.uib.no. (39)
16:00:54.524293 IP njet.norid.no.domain > g4.tibe.no.58817:  13667- 0/4/5 (189)

(What's going on?)

I have also turned on debugging in Bind for a failed query. From
/var/named/data/named.run:

client 213.161.248.67#42873: UDP request
client 213.161.248.67#42873: view external: using view 'external'
client 213.161.248.67#42873: view external: request is not signed
client 213.161.248.67#42873: view external: recursion available
client 213.161.248.67#42873: view external: query
client 213.161.248.67#42873: view external: query (cache) 'uib.no/A/IN' approved
client 213.161.248.67#42873: view external: replace
clientmgr @0x8655330: createclients
clientmgr @0x8655330: recycle
client @0x87b1a18: udprecv
createfetch: uib.no A
fctx 0xb420a110(uib.no/A'): create
fctx 0xb420a110(uib.no/A'): join
fetch 0xb4215928 (fctx 0xb420a110(uib.no/A)): created
fctx 0xb420a110(uib.no/A'): start
fctx 0xb420a110(uib.no/A'): try
fctx 0xb420a110(uib.no/A'): cancelqueries
fctx 0xb420a110(uib.no/A'): getaddresses
fctx 0xb420a110(uib.no/A'): query
fctx 0xb420a110(uib.no/A'): done
fctx 0xb420a110(uib.no/A'): stopeverything
fctx 0xb420a110(uib.no/A'): cancelqueries
dns_adb_destroyfind on find 0xb42146e8
dns_adb_destroyfind on find 0xb4213e98
dns_adb_destroyfind on find 0x86a94a0
dns_adb_destroyfind on find 0xb4210dc8
dns_adb_destroyfind on find 0xb4201038
dns_adb_destroyfind on find 0xb4203c78
dns_adb_destroyfind on find 0xb4215310
dns_adb_destroyfind on find 0x86a8b10
dns_adb_destroyfind on find 0xb420de68
dns_adb_destroyfind on find 0x872d7e0
dns_adb_destroyfind on find 0x87b7d60
dns_adb_destroyfind on find 0xb42157e8
dns_adb_destroyfind on find 0x8733570
fctx 0xb420a110(uib.no/A'): sendevents
fetch 0xb4215928 (fctx 0xb420a110(uib.no/A)): destroyfetch
fctx 0xb420a110(uib.no/A'): shutdown
fctx 0xb420a110(uib.no/A'): doshutdown
fctx 0xb420a110(uib.no/A'): stopeverything
fctx 0xb420a110(uib.no/A'): cancelqueries
client 213.161.248.67#42873: view external: error    <----------------------------
fctx 0xb420a110(uib.no/A'): destroy
client 213.161.248.67#42873: view external: send
client 213.161.248.67#42873: view external: sendto
client 213.161.248.67#42873: view external: senddone
client 213.161.248.67#42873: view external: next
client 213.161.248.67#42873: view external: endrequest

It's clear that recursion is available. I guess the "view external:
error" might mean something, but I'm lost. If you need more info, want
me to test against our DNS server and so on - just let me know.

I have tried Googling (the web and this group/mailing list), but found
it very hard to narrow the search down to something useful.

Regards,
Hans Nordhaug
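
The check the post is doing by eye (are the resolver's outgoing queries all leaving from port 53, or from varying ports?) can be automated over a tcpdump text capture. The script below is an added example, not part of the original post or of BIND; it feeds the two tcpdump excerpts quoted above in as constructed sample input, assumes tcpdump's default name resolution (a trailing ".domain" means port 53, which is what the post's output shows), and takes the resolver's host name ("g4.tibe.no") as a parameter.

```python
import re
from collections import Counter

# Constructed sample input: the two tcpdump excerpts quoted in the post.
FIXED_PORT_CAPTURE = """\
16:02:22.263932 IP g4.tibe.no.domain > i.root-servers.net.domain:  50269 [1au] A? www.uib.no. (39)
16:02:22.263988 IP g4.tibe.no.domain > i.root-servers.net.domain:  46377 [1au] NS? . (28)
16:02:22.279513 IP i.root-servers.net.domain > g4.tibe.no.domain:  50269- 0/6/7 (246)
16:02:22.280013 IP i.root-servers.net.domain > g4.tibe.no.domain:  46377*- 13/0/20 NS G.ROOT-SERVERS.NET.,[|domain]
16:02:22.281367 IP g4.tibe.no.domain > x.nic.no.domain:  49597 [1au] A? www.uib.no. (39)
16:02:22.297003 IP x.nic.no.domain > g4.tibe.no.domain:  49597- 0/4/5 (189)
16:02:22.297889 IP g4.tibe.no.domain > nn.uninett.no.domain:  62217 [1au] A? www.uib.no. (39)
16:02:22.320987 IP nn.uninett.no.domain > g4.tibe.no.domain:  62217*- 2/5/5 CNAME webber.uib.no., (247)
16:02:22.322167 IP g4.tibe.no.domain > alf.uib.no.domain:  23507 [1au] A? webber.uib.no. (42)
16:02:22.343475 IP alf.uib.no.domain > g4.tibe.no.domain:  23507*- 1/5/5 A webber.uib.no (229)
"""

RANDOM_PORT_CAPTURE = """\
16:00:54.387047 IP g4.tibe.no.53099 > i.root-servers.net.domain:  13547 [1au] A? www.uib.no. (39)
16:00:54.402614 IP i.root-servers.net.domain > g4.tibe.no.53099:  13547- 0/6/7 (246)
16:00:54.403877 IP g4.tibe.no.58817 > njet.norid.no.domain:  13667 [1au] A? www.uib.no. (39)
16:00:54.524293 IP njet.norid.no.domain > g4.tibe.no.58817:  13667- 0/4/5 (189)
"""

# "<time> IP <src>.<port> > <dst>.<port>:  <txid> ..." as tcpdump prints UDP DNS.
LINE_RE = re.compile(r'^\S+ IP (?P<src>\S+) > (?P<dst>\S+):\s+(?P<txid>\d+)(?P<rest>.*)$')
# A query line carries "<TYPE>? <name>"; responses carry "<txid>- a/b/c" instead.
QUERY_RE = re.compile(r'\b[A-Z]+\? ')


def split_host_port(endpoint):
    """Split 'host.port' as tcpdump prints it; '.domain' is the service name for 53."""
    host, _, port = endpoint.rpartition('.')
    return host, 53 if port == 'domain' else int(port)


def outgoing_queries(capture, resolver):
    """Return the queries the resolver sent, with their source port and transaction id."""
    found = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or not QUERY_RE.search(m.group('rest')):
            continue
        src_host, src_port = split_host_port(m.group('src'))
        if src_host != resolver:
            continue
        dst_host, _ = split_host_port(m.group('dst'))
        found.append({'src_port': src_port, 'txid': int(m.group('txid')), 'dst': dst_host})
    return found


def assess(capture, resolver):
    """Summarise source-port behaviour: one fixed port means no port randomisation."""
    queries = outgoing_queries(capture, resolver)
    ports = Counter(q['src_port'] for q in queries)
    return {
        'queries': len(queries),
        'source_ports': sorted(ports),
        'distinct_source_ports': len(ports),
        'distinct_txids': len({q['txid'] for q in queries}),
        # A single source port shared by every query is the weak configuration;
        # with port randomisation each query should normally use a different port.
        'fixed_source_port': len(queries) > 1 and len(ports) == 1,
    }


if __name__ == '__main__':
    for label, cap in (('query-source port 53', FIXED_PORT_CAPTURE),
                       ('query-source port unset', RANDOM_PORT_CAPTURE)):
        print(label, assess(cap, 'g4.tibe.no'))
```

Run it against a longer capture taken with `tcpdump -n`, and the `.domain` handling is simply not exercised (ports then print as numbers). The report only says whether the source port varies; it does not explain why the answers stop arriving once it does, which is the separate question the post is asking.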

