On Oct 5, 2008, at 5:35 AM, Alan Zoysa wrote:

> On Sun, Oct 5, 2008 at 7:44 PM, Barry Margolin <[EMAIL PROTECTED]> wrote:
>> In article <[EMAIL PROTECTED]>,
>> "Alan Zoysa" <[EMAIL PROTECTED]> wrote:
>>
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 21423/named
>>> tcp6 0 0 ::1:53 :::* LISTEN 21423/named
>>> tcp6 0 0 ::1:953 :::* LISTEN 21423/named
>>> udp 0 0 0.0.0.0:56789 0.0.0.0:* 21423/named
>>> udp6 0 0 :::36645 :::* 21423/named
>>> udp6 0 0 ::1:53 :::* 21423/named
>>>
>>> BIND950P2:~# /etc/init.d/bind9 restart
>>> Stopping domain name service...: bind9.
>>> Starting domain name service...: bind9.
>>> BIND950P2:~# netstat -lnp|grep named
>>> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 21574/named
>>> tcp6 0 0 ::1:53 :::* LISTEN 21574/named
>>> tcp6 0 0 ::1:953 :::* LISTEN 21574/named
>>> udp 0 0 0.0.0.0:36327 0.0.0.0:* 21574/named
>>> udp6 0 0 ::1:53 :::* 21574/named
>>> udp6 0 0 :::51161 :::* 21574/named
>>
>> The high ports are used for sending recursive queries and receiving the
>> replies.
>>
>
> I see! Thank you Barry.
>
> To verify if it is indeed true, I did the following:
> involves 2 machines.
> A.B.C.D my recursive DNS server
> A.B.C.E client to my DNS server.
>
> I ran following commands.
> [A.B.C.D.] # netstat -lnp|grep named
> ---- gives me the high port numbers used presently.
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> ---- gives me all the DNS packets on my named interface.
>
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
> ---- fires a recursive query
>
> Below is the detailed output:
> ############# start of output ##############
> [A.B.C.E] # dig @A.B.C.D www.yahoo.com
>
> ; <<>> DiG 9.5.0-P2 <<>> @A.B.C.D www.yahoo.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38680
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.yahoo.com. IN A
>
> ;; ANSWER SECTION:
> www.yahoo.com. 21600 IN CNAME www.yahoo-ht3.akadns.net.
> www.yahoo-ht3.akadns.net. 60 IN A 87.248.113.14
>
> ;; AUTHORITY SECTION:
> akadns.net. 172734 IN NS use4.akadns.net.
> akadns.net. 172734 IN NS use3.akadns.net.
> akadns.net. 172734 IN NS za.akadns.org.
> akadns.net. 172734 IN NS eur1.akadns.net.
> akadns.net. 172734 IN NS zc.akadns.org.
> akadns.net. 172734 IN NS zb.akadns.org.
> akadns.net. 172734 IN NS zd.akadns.org.
> akadns.net. 172734 IN NS asia9.akadns.net.
> akadns.net. 172734 IN NS usw2.akadns.net.
>
> ;; Query time: 1141 msec
> ;; SERVER: A.B.C.D#53(A.B.C.D)
> ;; WHEN: Sun Oct 5 20:15:33 2008
> ;; MSG SIZE rcvd: 259
>
> [A.B.C.E] #
>
> [A.B.C.D] # tcpdump -n udp src port 53 or udp dst port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:00:51.767597 IP A.B.C.E.35211 > A.B.C.D.53: 38680+ A? www.yahoo.com. (31)
> 00:00:51.769695 IP A.B.C.D.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
> 00:00:51.994330 IP 192.42.93.30.53 > A.B.C.D.5506: 37176- 0/5/6 (212)
> 00:00:51.997030 IP A.B.C.D.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
> 00:00:52.254096 IP 68.142.255.16.53 > A.B.C.D.29536: 44329*- 1/13/1 CNAME[|domain]
> 00:00:52.257027 IP A.B.C.D.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
> 00:00:52.589003 IP 195.219.3.169.53 > A.B.C.D.32120: 25787 FormErr- [0q] 0/0/0 (12)
> 00:00:52.590344 IP A.B.C.D.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
> 00:00:52.921247 IP 195.219.3.169.53 > A.B.C.D.62016: 1258*- 1/0/0 A[|domain]
> 00:00:52.922853 IP A.B.C.D.53 > A.B.C.E.35211: 38680 2/9/0 CNAME[|domain]
> ^C
> 10 packets captured
> 10 packets received by filter
> 0 packets dropped by kernel
> [A.B.C.D] #
>
> [A.B.C.D] # netstat -lnp|grep named
> tcp 0 0 A.B.C.D:53 0.0.0.0:* LISTEN 3709/named
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3709/named
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3709/named
> tcp6 0 0 :::53 :::* LISTEN 3709/named
> tcp6 0 0 ::1:953 :::* LISTEN 3709/named
> udp 0 0 0.0.0.0:42663 0.0.0.0:* 3709/named
> udp 0 0 A.B.C.D:53 0.0.0.0:* 3709/named
> udp 0 0 127.0.0.1:53 0.0.0.0:* 3709/named
> udp6 0 0 :::53 :::* 3709/named
> udp6 0 0 :::35254 :::* 3709/named
> [A.B.C.D] #
>
> ############# end of output ##############
>
> The high port 42663 is not used for recursive query.

If I'm not mistaken, named gets a new source port ready for the next outgoing query. If you had run the netstat command prior to sending the query, I believe you would have seen port 5506 held open.

Chris Buxton
Professional Services
Men & Mice
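
The check discussed in this thread can be scripted. The following Python is an added example, not part of the original messages: it pulls the source port of each upstream query out of the tcpdump lines quoted above, compares those ports with the UDP ports netstat showed afterwards, and pairs every reply with the query it answers. A.B.C.D and A.B.C.E are replaced by the documentation addresses 192.0.2.10 and 192.0.2.20 (an assumption) so the lines parse, and the function names are this example's own.

```python
import re

# Capture lines adapted from the thread; A.B.C.D / A.B.C.E are replaced by
# documentation addresses (an assumption) so they parse as IPv4.
RESOLVER = "192.0.2.10"
CAPTURE = """\
00:00:51.767597 IP 192.0.2.20.35211 > 192.0.2.10.53: 38680+ A? www.yahoo.com. (31)
00:00:51.769695 IP 192.0.2.10.5506 > 192.42.93.30.53: 37176 [1au] A? www.yahoo.com. (42)
00:00:51.994330 IP 192.42.93.30.53 > 192.0.2.10.5506: 37176- 0/5/6 (212)
00:00:51.997030 IP 192.0.2.10.29536 > 68.142.255.16.53: 44329 [1au] A? www.yahoo.com. (42)
00:00:52.254096 IP 68.142.255.16.53 > 192.0.2.10.29536: 44329*- 1/13/1 CNAME[|domain]
00:00:52.257027 IP 192.0.2.10.32120 > 195.219.3.169.53: 25787 [1au] A? www.yahoo-ht3.akadns.net. (53)
00:00:52.589003 IP 195.219.3.169.53 > 192.0.2.10.32120: 25787 FormErr- [0q] 0/0/0 (12)
00:00:52.590344 IP 192.0.2.10.62016 > 195.219.3.169.53: 1258 A? www.yahoo-ht3.akadns.net. (42)
00:00:52.921247 IP 195.219.3.169.53 > 192.0.2.10.62016: 1258*- 1/0/0 A[|domain]
00:00:52.922853 IP 192.0.2.10.53 > 192.0.2.20.35211: 38680 2/9/0 CNAME[|domain]
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <dns id>..." as printed by tcpdump -n
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)")

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, dns_id) per tcpdump line."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            s, sp, d, dp, qid = m.groups()
            yield s, int(sp), d, int(dp), int(qid)

def outgoing_queries(capture, resolver):
    """Upstream queries sent by the resolver: (src_port, server, dns_id)."""
    return [(sp, d, qid) for s, sp, d, dp, qid in parse(capture)
            if s == resolver and dp == 53]

def unmatched_replies(capture, resolver):
    """Replies to the resolver whose (server, port, id) match no query sent."""
    sent = {(d, sp, qid) for sp, d, qid in outgoing_queries(capture, resolver)}
    return [(s, dp, qid) for s, sp, d, dp, qid in parse(capture)
            if d == resolver and sp == 53 and (s, dp, qid) not in sent]

def port_report(capture, resolver, listen_ports):
    """Compare per-query source ports with ports seen in netstat afterwards."""
    ports = [sp for sp, _, _ in outgoing_queries(capture, resolver)]
    return {"ports": ports, "all_distinct": len(set(ports)) == len(ports),
            "seen_in_netstat": sorted(set(ports) & set(listen_ports))}
```

Calling `port_report(CAPTURE, RESOLVER, [42663, 35254])` on this capture shows the four upstream queries leaving from ports 5506, 29536, 32120 and 62016, none of which is a port netstat listed afterwards, and `unmatched_replies` returns an empty list because every reply comes back to the port and ID of the query it answers.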
