Bind9 Random Whois and Dig Fails

Stephane Bortzmeyer bortzmeyer at
Tue Jun 7 14:57:58 UTC 2011

On Fri, Jun 03, 2011 at 03:09:13PM -0700,
 Sri Harsha Yalamanchili <harsha at> wrote 
 a message of 145 lines which said:

>          o query-source address X.X.X.X port 53;

That's typically a very bad idea because it makes the source port
predictable and therefore makes you much more vulnerable to the
Kaminsky vulnerability.

>                 forwarders {
>           ; //Telepacific's DNS server
>                 };

Did you try this forwarder with, for instance, dig? Does it really

>    * The whois lookup works as long as we're telepacific's dns
>      server.

I don't really understand the sentence but, anyway, remember that
whois and DNS are two different and unrelated protocols. I suggest
debugging them separately.

> We can clearly see that the queries are going out from the query
> log.

BIND logs the outgoing queries? I didn't know. Anyway, I suggest using
tcpdump to see what is really going in and out.
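
The point above about `query-source ... port 53` can be checked mechanically. The following is an added example, not part of the original message or of BIND itself: a small Python audit that flags `query-source` / `query-source-v6` statements pinning a fixed port. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration; addresses are documentation-range placeholders.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // query-source address * port 5353;   (commented out, must be ignored)
    query-source address 192.0.2.10 port 53;
    query-source-v6 address * port *;
    /* query-source port 1053; */
    forwarders { 192.0.2.53; };
};
"""

# named.conf accepts C (/* */), C++ (//) and shell (#) comments.
# Limitation: comment markers inside quoted strings are not treated specially.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_STATEMENT = re.compile(r"\b(query-source(?:-v6)?)\b([^;{}]*);")
_PORT = re.compile(r"\bport\s+(\*|\d+)")


def strip_comments(text):
    """Blank out comments but keep newlines so line numbers stay accurate."""
    return _COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)


def find_fixed_source_ports(conf_text):
    """Return [(line_no, statement, port)] for statements with a fixed port."""
    clean = strip_comments(conf_text)
    findings = []
    for m in _STATEMENT.finditer(clean):
        port = _PORT.search(m.group(2))
        # 'port *' or no port clause leaves source-port selection to named.
        if port and port.group(1) != "*":
            line_no = clean.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1), int(port.group(1))))
    return findings


if __name__ == "__main__":
    for line_no, stmt, port in find_fixed_source_ports(SAMPLE_NAMED_CONF):
        print(f"line {line_no}: {stmt} pins outgoing queries to port {port}; "
              "use 'port *' or drop the port clause")
```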
