Attachment #90176 for bug #127290

View | Details | Raw Unified | Return to bug 127290
Collapse All | Expand All





      <qandaentry>
	<question id="extra-named-port">
	  <para>BIND (<command>named</command>) is listening on
	    some high-numbered ports.  What is going on?</para>
	</question>

	<answer>
	  <para>BIND uses a random high-numbered port for outgoing
	    queries.  Recent versions of it choose a new, random UDP
	    port for each query.  This may cause problems for some
	    network configurations, especially if a firewall blocks
	    incoming UDP packets on particular ports.  If you want to
	    get past that firewall, you can try the
	    <literal>avoid-v4-udp-ports</literal> and
	    <literal>avoid-v6-udp-ports</literal> options to avoid
	    selecting random port numbers within a blocked range.</para>

	  <warning>
	    <para>If a port number (like 53) is specified via the
	      <literal>query-source</literal> or
	      <literal>query-source-v6</literal> options in
	      <filename>/etc/namedb/named.conf</filename>, randomized
	      port selection will not be used.  It is strongly
	      recommended that these options not be used to specify
	      fixed port numbers.</para>
	  </warning>

	  <para>Congratulations, by the way.  It is good practice to
	    read your &man.sockstat.1; output and notice odd

Return to bug 127290

Lines 8479-8501 Link Here

(-)book.sgml (-12 / +19 lines)
8479		8479
8480	<qandaentry>	8480	<qandaentry>
8481	<question id="extra-named-port">	8481	<question id="extra-named-port">
8482	<para>BIND (<command>named</command>) is listening on port 53	8482	<para>BIND (<command>named</command>) is listening on
8483	and some other high-numbered port. What is going on?</para>	8483	some high-numbered ports. What is going on?</para>
8484	</question>	8484	</question>
8485		8485
8486	<answer>	8486	<answer>
8487	<para>BIND uses a random high-numbered port for outgoing	8487	<para>BIND uses a random high-numbered port for outgoing
8488	queries. If you want to use port 53 for outgoing queries,	8488	queries. Recent versions of it choose a new, random UDP
8489	either to get past a firewall or to make yourself feel	8489	port for each query. This may cause problems for some
8490	better, you can try the following in	8490	network configurations, especially if a firewall blocks
8491	<filename>/etc/namedb/named.conf</filename>:</para>	8491	incoming UDP packets on particular ports. If you want to
8492		8492	get past that firewall, you can try the
8493	<programlisting>options {	8493	<literal>avoid-v4-udp-ports</literal> and
8494	query-source address * port 53;	8494	<literal>avoid-v6-udp-ports</literal> options to avoid
8495	};</programlisting>	8495	selecting random port numbers within a blocked range.</para>
8496		8496
8497	<para>You can replace the <literal>*</literal> with a single	8497	<warning>
8498	IP address if you want to tighten things further.</para>	8498	<para>If a port number (like 53) is specified via the
		8499	<literal>query-source</literal> or
		8500	<literal>query-source-v6</literal> options in
		8501	<filename>/etc/namedb/named.conf</filename>, randomized
		8502	port selection will not be used. It is strongly
		8503	recommended that these options not be used to specify
		8504	fixed port numbers.</para>
		8505	</warning>
8499		8506
8500	<para>Congratulations, by the way. It is good practice to	8507	<para>Congratulations, by the way. It is good practice to
8501	read your &man.sockstat.1; output and notice odd	8508	read your &man.sockstat.1; output and notice odd