
The older cache DNS server in my team is configured with BIND 9.11.4; it uses 53 as the source port number.

options {
...
        query-source port 53;
...
}

Meanwhile, the new one has BIND 9.16.23 installed; since designating the port number in query-source is deprecated, I just set this option as below.

query-source address *;

The rest of the /etc/named.conf file is good to go. When I called nslookup {a domain which is not defined in /etc/named.conf} {the private ip of the cache dns server}, the new one shows the following in tcpdump:

18:33:50.968991 IP {the public ip}.50181 > 192.5.5.241.53: 29151% [1au] A? _.com. (46)
18:33:50.969044 IP {the public ip}.14081 > 192.5.5.241.53: 31087 [1au] NS? . (40)
18:33:51.768842 IP {the public ip}.32109 > 192.33.4.12.53: 4413% [1au] A? _.com. (46)
18:33:51.768918 IP {the public ip}.21620 > 192.33.4.12.53: 2272 [1au] NS? . (40)
18:33:52.568677 IP {the public ip}.59713 > 199.7.83.42.53: 29280% [1au] A? _.com. (46)
18:33:52.568677 IP {the public ip}.49493 > 199.7.83.42.53: 14473 [1au] NS? . (40)

Is there any method to fix the outgoing source port number? Or do I just have to find any other way?

1 Answer

Using a single fixed source port number is generally considered unacceptably bad for DNS. The expectation of DNS implementations is actually to go out of their way to randomize the source port from as wide a range as possible to mitigate cache poisoning risks.

If something in your environment relies on the use of a single source port, that is really where your fixing efforts should be directed. The old configuration you had was the strange one, and the behavior with your new config is what aligns with what is seen as both expected and desirable.
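A quick way to check the point made in the answer against a live resolver: capture its outgoing queries with tcpdump and count the distinct UDP source ports it uses. The script below is an added example, not part of the original question or answer. It parses tcpdump summary lines in the format shown in the question, reports the number of distinct source ports and their entropy, and estimates the TXID-plus-port space an off-path attacker would have to guess. The two embedded captures are constructed: the "fixed" one is what a `query-source port 53` resolver would emit, the "random" one mirrors the question's output with the placeholder public IP replaced by the documentation address 198.51.100.10.

```python
"""Check whether a recursive resolver randomizes its outgoing UDP source ports.

Added example (not from the original post). Run a capture such as
    tcpdump -n -l 'udp and dst port 53' > outgoing.txt
on the resolver and feed the file to assess(); the verdict tells you whether
the resolver is pinned to a single port (the old query-source port 53 setup)
or spreading queries across many ports (the 9.16 default behaviour).
"""
import math
import re
import sys
from collections import Counter

# tcpdump summary line format used in the question:
#   HH:MM:SS.usec IP src.sport > dst.53: txid [flags] QTYPE? name. (len)
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: ")

# Constructed sample: what a resolver with "query-source port 53" would emit.
FIXED_PORT_CAPTURE = """\
18:40:01.000001 IP 198.51.100.10.53 > 192.5.5.241.53: 12345 [1au] A? example.com. (41)
18:40:01.000002 IP 198.51.100.10.53 > 192.33.4.12.53: 23456 [1au] NS? . (40)
18:40:01.000003 IP 198.51.100.10.53 > 199.7.83.42.53: 34567 [1au] A? example.com. (41)
"""

# Constructed sample modelled on the question's tcpdump output (placeholder IP
# replaced by 198.51.100.10): "query-source address *;" on BIND 9.16.
RANDOM_PORT_CAPTURE = """\
18:33:50.968991 IP 198.51.100.10.50181 > 192.5.5.241.53: 29151% [1au] A? _.com. (46)
18:33:50.969044 IP 198.51.100.10.14081 > 192.5.5.241.53: 31087 [1au] NS? . (40)
18:33:51.768842 IP 198.51.100.10.32109 > 192.33.4.12.53: 4413% [1au] A? _.com. (46)
18:33:51.768918 IP 198.51.100.10.21620 > 192.33.4.12.53: 2272 [1au] NS? . (40)
18:33:52.568677 IP 198.51.100.10.59713 > 199.7.83.42.53: 29280% [1au] A? _.com. (46)
18:33:52.568677 IP 198.51.100.10.49493 > 199.7.83.42.53: 14473 [1au] NS? . (40)
"""


def source_ports(capture: str) -> list[int]:
    """Return the UDP source port of every outgoing query (destination port 53)."""
    return [int(m.group("sport")) for line in capture.splitlines()
            if (m := LINE_RE.match(line))]


def port_entropy_bits(ports: list[int]) -> float:
    """Shannon entropy, in bits, of the observed source-port distribution.
    A pinned port gives 0; n distinct ports in n queries gives log2(n)."""
    if not ports:
        return 0.0
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def guess_space(ports: list[int]) -> int:
    """Values an off-path spoofer must hit per forged reply: the 16-bit TXID
    multiplied by the number of distinct source ports actually observed
    (a lower bound on the real port range the resolver draws from)."""
    return 65536 * max(1, len(set(ports)))


def assess(capture: str) -> dict:
    """Summarize a capture and classify the resolver's source-port behaviour."""
    ports = source_ports(capture)
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports)
    if len(ports) >= 2 and distinct == 1:
        verdict = "FIXED"          # every query left from the same port
    elif ports and entropy < 0.5 * math.log2(len(ports)):
        verdict = "LOW_ENTROPY"    # several ports, but heavily skewed
    else:
        verdict = "RANDOMIZED"
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "entropy_bits": entropy,
        "guess_space": guess_space(ports),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Usage: python check_ports.py [tcpdump-output-file]; without a file,
    # the two constructed captures are assessed.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(assess(fh.read()))
    else:
        print("fixed :", assess(FIXED_PORT_CAPTURE))
        print("random:", assess(RANDOM_PORT_CAPTURE))
```

Six queries are far too few to judge the full 16-bit port range, so treat the entropy figure as a sanity check rather than a measurement; what matters operationally is that `distinct_ports` climbs with the number of queries instead of sitting at 1. If it sits at 1, something upstream (a NAT rewriting source ports, a firewall rule, or a leftover `query-source port`) is undoing the randomization and that is the thing to fix.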
