In the quest for securing the name servers in a company I try to help,
I have gotten into trouble. The company is running CentOS 5.0 and I
have updated their Bind to 9.3.4_P1. In addition, I planned to remove
the "query-source port 53;" from /etc/named.conf so the servers aren't
vulnerable to cache poisoning.

The problem is that recursive queries fail if I remove
"query-source port 53;". I have checked iptables on the servers and the
rules on the Cisco ASA and there isn't anything limiting the traffic
to port 53 - which I think the dumps below (from tcpdump) confirm.

(I have tested with a lookup for the A record for

Output from tcpdump when query-source = 53:

16:02:22.263932 IP > 50269 [1au] A? (39)
16:02:22.263988 IP > 46377 [1au] NS? . (28)
16:02:22.279513 IP > 50269- 0/6/7 (246)
16:02:22.280013 IP > 46377*- 13/0/20 NS G.ROOT-SERVERS.NET.,[|domain]
16:02:22.281367 IP > 49597 [1au] A? (39)
16:02:22.297003 IP > 49597- 0/4/5 (189)
16:02:22.297889 IP > 62217 [1au] A? (39)
16:02:22.320987 IP > 62217*- 2/5/5 CNAME, (247)
16:02:22.322167 IP > 23507 [1au] A? (42)
16:02:22.343475 IP > 23507*- 1/5/5 A (229)

Output from tcpdump when query-source != 53:

16:00:54.387047 IP > 13547 [1au] A? (39)
16:00:54.402614 IP > 13547- 0/6/7 (246)
16:00:54.403877 IP > 13667 [1au] A? (39)
16:00:54.524293 IP > 13667- 0/4/5 (189)

(What's going on?)

I have also turned on debugging in Bind for a failed query. From

client UDP request
client view external: using view 'external'
client view external: request is not signed
client view external: recursion available
client view external: query
client view external: query (cache) '' approved
client view external: replace
clientmgr @0x8655330: createclients
clientmgr @0x8655330: recycle
client @0x87b1a18: udprecv
createfetch: A
fctx 0xb420a110('): create
fctx 0xb420a110('): join
fetch 0xb4215928 (fctx 0xb420a110( created
fctx 0xb420a110('): start
fctx 0xb420a110('): try
fctx 0xb420a110('): cancelqueries
fctx 0xb420a110('): getaddresses
fctx 0xb420a110('): query
fctx 0xb420a110('): done
fctx 0xb420a110('): stopeverything
fctx 0xb420a110('): cancelqueries
dns_adb_destroyfind on find 0xb42146e8
dns_adb_destroyfind on find 0xb4213e98
dns_adb_destroyfind on find 0x86a94a0
dns_adb_destroyfind on find 0xb4210dc8
dns_adb_destroyfind on find 0xb4201038
dns_adb_destroyfind on find 0xb4203c78
dns_adb_destroyfind on find 0xb4215310
dns_adb_destroyfind on find 0x86a8b10
dns_adb_destroyfind on find 0xb420de68
dns_adb_destroyfind on find 0x872d7e0
dns_adb_destroyfind on find 0x87b7d60
dns_adb_destroyfind on find 0xb42157e8
dns_adb_destroyfind on find 0x8733570
fctx 0xb420a110('): sendevents
fetch 0xb4215928 (fctx 0xb420a110( destroyfetch
fctx 0xb420a110('): shutdown
fctx 0xb420a110('): doshutdown
fctx 0xb420a110('): stopeverything
fctx 0xb420a110('): cancelqueries
client view external: error <----------------------------
fctx 0xb420a110('): destroy
client view external: send
client view external: sendto
client view external: senddone
client view external: next
client view external: endrequest

It's clear that recursion is available. I guess the "view external:
error" might mean something, but I'm lost. If you need more info, want
me to test against our DNS server and so on - just let me know.

I have tried Googling (the web and this group/mailing list), but found
it very hard to narrow the search down to something useful.

Hans Nordhaug
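An added example (not from the original post or from ISC's BIND) that checks the point raised above from the tcpdump side: it parses "tcpdump -n" lines and reports whether a resolver's outbound queries all leave from one fixed UDP source port (as with "query-source port 53;") or from varying ports. The resolver address 192.0.2.10 and the capture lines are constructed sample data.

```python
# Added example (not from the original post): check whether a recursive
# resolver's outbound DNS queries use a fixed UDP source port, reading
# lines in the format printed by "tcpdump -n udp port 53".
import re
from collections import Counter

# Matches "HH:MM:SS.usec IP src.port > dst.port: ..." as printed by tcpdump -n.
_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def outbound_query_ports(lines, resolver_ip):
    """Return a Counter of UDP source ports used by queries the resolver sends.

    A line counts as an outbound query when its source is resolver_ip, its
    destination port is 53 and the summary contains a question ("A?", "NS?").
    """
    ports = Counter()
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or m.group("src") != resolver_ip or m.group("dport") != "53":
            continue
        if re.search(r"\b[A-Z]+\?", m.group("rest")):  # a question, not an answer
            ports[int(m.group("sport"))] += 1
    return ports

def assess(lines, resolver_ip):
    """Classify source-port behaviour: 'fixed-53', 'fixed', 'randomized' or 'no-queries'."""
    ports = outbound_query_ports(lines, resolver_ip)
    if not ports:
        return "no-queries"
    if len(ports) == 1:
        return "fixed-53" if 53 in ports else "fixed"
    return "randomized"

# Constructed sample captures (documentation-range addresses): resolver
# 192.0.2.10 asks a root server, gets a referral, then asks a TLD server.
SAMPLE_FIXED = [
    "16:02:22.263932 IP 192.0.2.10.53 > 198.41.0.4.53: 50269 [1au] A? www.example.com. (39)",
    "16:02:22.279513 IP 198.41.0.4.53 > 192.0.2.10.53: 50269- 0/6/7 (246)",
    "16:02:22.281367 IP 192.0.2.10.53 > 192.5.6.30.53: 49597 [1au] A? www.example.com. (39)",
]
SAMPLE_RANDOM = [
    "16:00:54.387047 IP 192.0.2.10.41927 > 198.41.0.4.53: 13547 [1au] A? www.example.com. (39)",
    "16:00:54.402614 IP 198.41.0.4.53 > 192.0.2.10.41927: 13547- 0/6/7 (246)",
    "16:00:54.403877 IP 192.0.2.10.60013 > 192.5.6.30.53: 13667 [1au] A? www.example.com. (39)",
]

if __name__ == "__main__":
    for name, capture in (("fixed", SAMPLE_FIXED), ("random", SAMPLE_RANDOM)):
        print(name, assess(capture, "192.0.2.10"))
```

Run it against a real capture with "tcpdump -n udp port 53 > dump.txt" and pass the file's lines to assess() with the resolver's own address; a result of "fixed-53" means the port 53 setting is still in effect.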