Subject: Re: No replys to Bind 8.3.4
To: None <tech-net@netbsd.org>
From: Jean-Luc Wasmer <jl.netbsd@wasmer.ca>
List: tech-net
Date: 07/01/2003 21:39:06
> > Anyway, it's available here:
> >
> > http://www.geocities.com/Paris/Metro/1624/tcpdump.txt
>
> Are you sure your IP connectivity is OK when this happens ?
I can ping some hosts outside my ISP network.

> The only answers coming in seem to be from mag2.magmacom.com, which
> is routed from the same ISP as you (magma.ca) from what I can see.
This is the second name server in /etc/resolv.conf:
nameserver 127.0.0.1
nameserver 206.191.0.140
nameserver 206.191.0.210
Certainly some process on my server trying to use localhost and switching to
206.191.0.140 after a timeout.

> Another thing I would check is the error rate on the interface, with
> netstat -i
netstat doesn't return when this happens. I don't know if the flag -i will
produce a different behavior.
I will try next time.

> Hum, and just to be sure, is your server behind a firewall ?
Yes. And my other server with that problem is behind a firewall from the
same manufacturer.
I was suspicious about this firewall, but I couldn't figure out how it could
be responsible for this.

> Note that all requests that don't get answered come from port 65534.
> The ones to mag2.magmacom.com.domain come from port 57301
> After restart it starts using port 57248 and works again.
That makes sense :-)
But what makes named use one port for every outbound query... and then
change for a new one?
> Wasn't 65534 the port used by a trojan ? Maybe it's filtered somewhere ?
I will contact tech support to check my firewall about the port 65534.

> Maybe try to force the port used for query to a fixed, high-number port
> (it's the query-source option, if I remember properly)
It's the query-source option indeed.
Now Bind only uses port but I get the replies!

JL
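The check the quoted reply did by hand (which client source ports get DNS answers and which never do) can be automated over a tcpdump capture. This is an added example, not code from the thread or from the linked capture; it assumes tcpdump's classic DNS line format, and the client hostname `client` and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS lines (not the thread's capture): the client
# host is "client" (hypothetical); replies only ever reach port 57301.
SAMPLE = """\
21:39:01.000 client.65534 > 206.191.0.140.domain: 1001+ A? www.example.com. (31)
21:39:03.000 client.65534 > 206.191.0.140.domain: 1001+ A? www.example.com. (31)
21:39:05.000 client.65534 > 206.191.0.210.domain: 1002+ MX? example.com. (28)
21:39:06.000 client.57301 > mag2.magmacom.com.domain: 1003+ A? www.example.org. (31)
21:39:06.010 mag2.magmacom.com.domain > client.57301: 1003 1/0/0 A 192.0.2.10 (47)
21:39:08.000 client.57301 > mag2.magmacom.com.domain: 1004+ PTR? 10.2.0.192.in-addr.arpa. (41)
21:39:08.012 mag2.magmacom.com.domain > client.57301: 1004 NXDomain 0/1/0 (90)
"""

# timestamp, src endpoint, dst endpoint, DNS transaction id, optional '+' (recursion desired)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<rd>\+?) ")

def split_host_port(endpoint):
    """'client.65534' -> ('client', '65534'); tcpdump puts '.' before the port or service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def answer_rate_by_port(text, client):
    """Return {source_port: (queries_sent, queries_answered)} for queries from client.
    A reply is matched to its query by (client port, transaction id); retries count once."""
    queries = {}   # (port, id) -> answered?
    stats = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        shost, sport = split_host_port(m["src"])
        dhost, dport = split_host_port(m["dst"])
        qid = m["id"]
        if shost == client and dport == "domain":
            if (sport, qid) not in queries:          # outbound query (first attempt)
                queries[(sport, qid)] = False
                stats[sport][0] += 1
        elif dhost == client and sport == "domain":
            key = (dport, qid)
            if key in queries and not queries[key]:  # first reply to a known query
                queries[key] = True
                stats[dport][1] += 1
    return {p: tuple(v) for p, v in stats.items()}

def unanswered_ports(text, client):
    """Source ports that sent queries but never received a single reply."""
    return sorted(p for p, (q, a) in answer_rate_by_port(text, client).items() if a == 0)
```

A port that appears here with zero answers while others work is the pattern the reply describes; the next step is to confirm on the firewall whether that port is filtered.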