Subject: Re: No replies to Bind 8.3.4
To: None <firstname.lastname@example.org>
From: Jean-Luc Wasmer <email@example.com>
Date: 07/01/2003 21:39:06
> > Anyway, it's available here:
> > http://www.geocities.com/Paris/Metro/1624/tcpdump.txt
> Are you sure your IP connectivity is OK when this happens ?
I can ping some hosts outside my ISP network.
> The only answers coming in seem to be from mag2.magmacom.com, which
> is routed from the same ISP as you (magma.ca) from what I can see.
This is the second name server in /etc/resolv.conf:
Certainly some process on my server trying to use localhost and switching to
184.108.40.206 after a timeout.
> Another thing I would check is the error rate on the interface, with
> netstat -i
netstat doesn't return when this happens. I don't know if the flag -i will
produce a different behavior.
I will try next time.
> Hum, and just to be sure, is your server behind a firewall ?
Yes. And my other server with that problem is behind a firewall from the
I was suspicious about this firewall, but I couldn't figure out how it could
be responsible for this.
> Note that all requests that don't get answered come from port 65534.
> The ones to mag2.magmacom.com.domain come from port 57301
> After restart it starts using port 57248 and works again.
That makes sense :-)
But what makes named use one port for every outbound query... and then
change for a new one?
> Wasn't 65534 the port used by a trojan ? Maybe it's filtered somewhere ?
I will contact tech support to check my firewall about the port 65534.
> Maybe try to force the port used for query to a fixed, high-number port
> (it's the query-source option, if I remember properly)
It's the query-source option indeed.
Now Bind only uses port but I get the replies!
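
The diagnosis in this thread (queries from one source port never get answered while another port works) can be checked mechanically. The following is an added example, not part of the original message: it pairs DNS queries with replies in a capture and reports unanswered queries per local source port. It assumes numeric `tcpdump -n` output; the sample lines and addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample capture (documentation addresses, not the trace from the thread).
SAMPLE = """\
21:30:01.100000 192.0.2.10.65534 > 198.51.100.1.53: 4101+ A? www.example.org. (33)
21:30:03.100000 192.0.2.10.65534 > 198.51.100.2.53: 4102+ A? www.example.org. (33)
21:30:05.200000 192.0.2.10.57301 > 198.51.100.9.53: 4103+ A? www.example.org. (33)
21:30:05.260000 198.51.100.9.53 > 192.0.2.10.57301: 4103 1/2/2 A 203.0.113.7 (128)
21:31:10.000000 IP 192.0.2.10.57248 > 198.51.100.1.53: 4104+ MX? example.org. (29)
21:31:10.050000 IP 198.51.100.1.53 > 192.0.2.10.57248: 4104 1/0/0 MX mail.example.org. 10 (61)
"""

# timestamp, optional "IP", src.port > dst.port:, query id, flags, remainder
LINE = re.compile(
    r"^\S+\s+(?:IP\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<flags>[^\s\d]*)\s+(?P<rest>.*)$"
)

def unanswered_by_port(capture, dns_port=53):
    """Return {local source port: (unanswered, sent)} for outbound DNS queries."""
    pending = {}             # (local ip, local port, server ip, query id) -> line
    sent = defaultdict(int)  # local source port -> queries sent
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        # tcpdump prints a query's type with a trailing "?", e.g. "A?" or "MX?"
        is_query = re.match(r"\S+\?", m["rest"]) is not None
        if is_query and dport == dns_port:
            sent[sport] += 1
            pending[(m["src"], sport, m["dst"], m["qid"])] = line
        elif not is_query and sport == dns_port:
            # A reply clears the query with the mirrored address/port and same id
            pending.pop((m["dst"], dport, m["src"], m["qid"]), None)
    lost = defaultdict(int)
    for (_, port, _, _) in pending:
        lost[port] += 1
    return {port: (lost.get(port, 0), n) for port, n in sent.items()}

if __name__ == "__main__":
    for port, (missing, total) in sorted(unanswered_by_port(SAMPLE).items()):
        print(f"source port {port}: {missing}/{total} queries unanswered")
```

A source port where every query goes unanswered, next to ports that get replies from the same capture, points at filtering of that port on the path rather than at the name server itself.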