
Bind9 queries from strange UDP port





	Hello to all

	* I've got a problem with bind9

	It is occasionally sending its queries using a low-numbered UDP port despite "query-source address * port 53;" set in "named.conf".
	Most of the time it's using UDP port 53, as configured, but sometimes, irrespective of anything (as it seems to me), it is sending queries using UDP port 2, for example.
	Moreover, some packets were caught coming from the provider's nameservers to the mentioned port 2, despite the originating packets being dropped by netfilter.

	Without query-source set, it showed no such behavior, AFAIR, but there were problems with Squid on the same machine, and that's another point.

	At first, it constantly used port 2, and after a reboot the whole process (queries/"replies") moved to port 1.

	I've used tcpdump/ethereal to verify that those packets were in fact DNS queries.
	I've used netfilter's module "owner" to verify that those packets were really originating from named.

	* My questions are

	1. Is it normal behavior, and maybe I've missed something in the docs, HOWTOs or FAQs?
	If it is:
		2. For what purpose is it doing so, and is it safe to allow it to proceed?
	If it's not:
		2. Why is it so, and, at least, how can I repair/stop it?

	Or

	1. Is it a bug in netfilter, which causes improper UDP port recognition, or packet corruption?


	* Details on software

	Debian GNU/Linux 3.0 (kernel 2.4.18-i686), masquerading (snat to itself) router/firewall for company intranet, using netfilter/iptables/ferm.
	Major communication packages: bind9, exim, squid, frox (through xinetd).
	Bind9 is configured to serve local intranet zones as a slave, and "forward-only" other requests to provider's nameservers.
	There are only local nameservers (including localhost) in resolv.conf.

--


  With best regards,
  Nickolay Kondrashov,
  System administrator
  Avtomatika-Sever, Ltd.
  +7(812) 1183238, 3039648
  http://www.avt.com.ru/
  mailto:knu@avtsev.spb.ru
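
An added example, not part of the original message: a Python check for the symptom described above, DNS queries leaving from a source port other than the one set with query-source, and whether a reply came back to that port. The capture lines, addresses and the audit() helper are constructed for illustration; the line format assumed is tcpdump's one-line DNS summary.

```python
import re

CONFIGURED_PORT = 53  # matches: query-source address * port 53;

# Constructed `tcpdump -n udp port 53` summary lines (documentation addresses).
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4711+ A? example.com. (29)
12:00:01.040000 IP 198.51.100.1.53 > 192.0.2.10.53: 4711 1/0/0 A 203.0.113.5 (45)
12:00:02.000001 IP 192.0.2.10.2 > 198.51.100.1.53: 4712+ A? example.org. (29)
12:00:02.050000 IP 198.51.100.1.53 > 192.0.2.10.2: 4712 1/0/0 A 203.0.113.6 (45)
12:00:03.000001 IP 192.0.2.10.1 > 198.51.100.2.53: 4713+ MX? example.net. (29)
not a packet line
"""

# timestamp, optional "IP", src.port > dst.port:, query id + flags, remainder
LINE = re.compile(
    r"^\S+ (?:IP )?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<id>\d+)\S* (?P<rest>.*)$"
)
COUNTS = re.compile(r"\b\d+/\d+/\d+\b")  # answer/authority/additional => reply


def audit(capture, local_ip, configured_port=CONFIGURED_PORT):
    """List queries sent by local_ip from an unexpected source port.

    Returns (source_port, server, query_id, reply_seen) tuples in capture order.
    """
    off_port, replies = {}, set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a DNS packet summary line
        sport, dport, qid = int(m["sport"]), int(m["dport"]), int(m["id"])
        if COUNTS.search(m["rest"]):
            # Reply from a server's port 53 back to the local host.
            if m["dst"] == local_ip and sport == 53:
                replies.add((m["src"], dport, qid))
        elif "? " in m["rest"] and m["src"] == local_ip and dport == 53:
            # Outbound query; remember it only if the source port is unexpected.
            if sport != configured_port:
                off_port[(m["dst"], sport, qid)] = None
    return [(port, server, qid, (server, port, qid) in replies)
            for (server, port, qid) in off_port]


if __name__ == "__main__":
    for port, server, qid, answered in audit(SAMPLE, "192.0.2.10"):
        print(f"query id {qid} to {server} left from UDP port {port}; "
              f"reply seen: {answered}")
```

Running the same check on captures taken on the internal and the external interface shows on which side of the NAT rules the source port differs from the configured one.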


