some ports are more equal than others

17th Apr 2008 | 13:08

This has to be the strangest (or stupidest) way that I have seen of treating ports < 1024 specially.

It seems that the nameservers for spacely.net drop any queries that use a source port < 1024. (They also serve domains such as ChristopherReeve.org, which is a brain research funding charity and the reason I found out about the problem.) It was a complete bugger to diagnose, because dig of course uses a high source port, so it was able to resolve names without a problem. My nameservers (and chiark's) use the traditional source port 53, so they were in trouble. By default bind now uses high source ports so most sites would not trip over the stupidity.

I guess it's time to remove that bit of ancient paranoia from my usual named.conf options section.

; <<>> DiG 9.3.4 <<>> -b mx ChristopherReeve.org @ns.spacely.net
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.3.4 <<>> -b mx ChristopherReeve.org @ns.spacely.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5873
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;ChristopherReeve.org.          IN      MX

ChristopherReeve.org.   14400   IN      MX      10 mail.ChristopherReeve.org.
ChristopherReeve.org.   14400   IN      MX      5 mail1.ChristopherReeve.org.

mail.ChristopherReeve.org. 14400 IN     A
mail1.ChristopherReeve.org. 14400 IN    A

;; Query time: 185 msec
;; WHEN: Thu Apr 17 12:53:08 2008
;; MSG SIZE  rcvd: 113

Comments (4)

Gerald the cuddly duck

from: gerald_duck
date: 17th Apr 2008 13:11 (UTC)

That's absurd. I suspect the only reason it doesn't contravene RFCs is that the RFC authors never dreamed anyone would be stupid enough to do that.

Me, I'd complain rather than pandering to their wrongheadedness.

Tony Finch

from: fanf
date: 17th Apr 2008 13:27 (UTC)

Too bloody difficult to complain.

The reason I fix the port in my named.conf is pandering to other people's wrongheadedness 10ish years ago, so it makes sense to remove the line and just go with the defaults like most people do. I'd also get the benefit of better anti-spoofing when we upgrade to bind-9.5.

from: pozorvlak
date: 17th Apr 2008 15:10 (UTC)

I'm sorry, I have no clue what that dig output means! Can you explain further?

Tony Finch

from: fanf
date: 17th Apr 2008 15:17 (UTC)

The <<>> line includes dig's version and command line options. The -b means send queries with a source IP address of and a source port of 1023. The @ns.spacely.net is the target nameserver. This leads to "connection timed out; no servers could be reached" because of spacely's firewall. If I specify a source port of 1024 (the second <<>> line) dig says "Got answer:" and prints a dump of the response packet.

