Name Resolution issue with one domain

Anand Buddhdev anandb at
Wed Mar 21 22:41:48 UTC 2012

On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:

> maybe the admin set that up to force local servers using random ports,
> instead of 53, for outgoing requests. Nobody should use port 53 for
> _outgoing_ requests.

You're wrong. A name server can use any source port from 1 up to 65535
for an outgoing query, as long as that port is not in use by any other
process on the system.

In fact, up until Kaminsky's revelation, many BIND servers used a fixed
source port of 53.

>> bsdi# dig -b
>> 09:13:17.909493 >  18071+$ [1au] A?
>> ar: OPT UDPsize=4096 (49)
>> 09:13:22.918018 >  18071+$ [1au] A?
>> ar: OPT UDPsize=4096 (49)
>> 09:13:27.928099 >  18071+$ [1au] A?
>> ar: OPT UDPsize=4096 (49)
>> ; <<>> DiG 9.9.0rc2 <<>> -b
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>> bsdi#

There appear to be firewalls in front of the name servers of which drop all queries with a source port less than
1024. I just tried several queries with low-numbered source ports, and
they all failed until I got to 1024. Then they began replying to all my

Babu Dheen, if you're reading this, take note. The problem has been
identified. Find a contact at, and tell him to fix his
