Hello to all
* I've got a problem with bind9
It is occasionally sending its queries using a low-numbered UDP port
despite "query-source address * port 53;" set in "named.conf".
Most of the time it's using UDP port 53, as configured, but
sometimes, irrespective of anything (as it seems to me), it is sending
queries using UDP port 2, for example.
And more, there were some packets caught coming from provider's
nameservers to the mentioned port 2, despite the originating packets being
dropped by netfilter.
Without query-source set it showed no such behavior, AFAIR, but
there were problems with Squid on the same machine, and it's another point.
At first, it constantly used port 2, and after a reboot the whole process
(queries/"replies") has moved to port 1.
I've used tcpdump/ethereal to verify that those packets were
DNS-queries in fact.
I've used netfilter's module "owner" to verify that those packets
were really originating from named.
* My questions are
1. Is it normal behavior, and maybe I've missed something in the docs,
HOWTOs or FAQs?
If it is:
2. For what purpose is it doing so, and is it safe to allow it to
proceed?
If it's not:
2. Why is it, and, at least, how can I repair/stop it?
Or
1. Is it a bug in netfilter, which causes improper UDP port
recognition, or packet corruption?
* Details on software
Debian GNU/Linux 3.0 (kernel 2.4.18-i686), masquerading (SNAT to
itself) router/firewall for company intranet, using
netfilter/iptables/ferm.
Major communication packages: bind9, exim, squid, frox (through xinetd).
Bind9 is configured to serve local intranet zones as a slave, and
"forward-only" other requests to provider's nameservers.
There are only local nameservers (including localhost) in resolv.conf.
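As an added check, not part of the original post: this Python script reads the configured query-source port from a named.conf fragment and scans tcpdump-style lines for DNS queries leaving the router from any other port, or replies arriving at any other port (the symptom described above). The config fragment, addresses and capture lines are constructed for the example, not taken from the poster's machine.

```python
import re

# Constructed sample config fragment and tcpdump-style lines (not from the poster's host).
NAMED_CONF = "options {\n    query-source address * port 53;\n};\n"
CAPTURE = """\
12:00:01 IP 192.0.2.10.53 > 198.51.100.1.53: 1+ A? example.com. (29)
12:00:02 IP 192.0.2.10.2 > 198.51.100.1.53: 2+ A? example.org. (29)
12:00:03 IP 198.51.100.1.53 > 192.0.2.10.2: 2 1/0/0 A 203.0.113.5 (45)
12:00:04 IP 192.0.2.10.1 > 198.51.100.2.53: 3+ MX? example.net. (29)
12:00:05 IP 192.0.2.10.40123 > 198.51.100.1.53: 4+ A? example.com. (29)
"""

QS_RE = re.compile(r"query-source\s+address\s+\S+\s+port\s+(\d+)\s*;")
PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<body>.*)$"
)


def configured_query_port(conf):
    """Return the port from 'query-source ... port N;', or None if not set."""
    m = QS_RE.search(conf)
    return int(m.group(1)) if m else None


def find_port_anomalies(capture, local_ip, expected_port):
    """Flag queries leaving local_ip from a port other than expected_port,
    and replies arriving at local_ip on a port other than expected_port.
    Each entry: (kind, local_port, remote_ip, detail)."""
    anomalies = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        is_query = "?" in m["body"]  # tcpdump prints "A? name." for questions
        if is_query and src == local_ip and dport == 53 and sport != expected_port:
            anomalies.append(("query", sport, dst, m["body"].split()[2]))
        elif not is_query and dst == local_ip and sport == 53 and dport != expected_port:
            anomalies.append(("reply", dport, src, m["body"]))
    return anomalies


if __name__ == "__main__":
    port = configured_query_port(NAMED_CONF)
    for kind, lport, remote, detail in find_port_anomalies(CAPTURE, "192.0.2.10", port):
        tag = "low port" if lport < 1024 else "high port"
        print(f"{kind:5} local port {lport:5} ({tag}) <-> {remote}: {detail}")
```

Feed real `tcpdump -n udp port 53` output into `find_port_anomalies` to see which queries, if any, leave from ports other than the configured one.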