LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 11-13-2001, 11:02 AM   #1
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Rep: Reputation: 15
Named and Port 4232


Okay, I just discovered that named my Bind server is using port 4232, I can't tell exactly why or when and it isn't really set to listen, but does anybody have any ideas why it would use that port. I was under the impression that DNS works off of 53 UDP and TCP. Also does anybody no how I would correct this issue, and remove BIND from port 4232? I do know that when I block port 4232, I basically can't ping or ftp out from my server. I have searched and searched for an explenation of why that port was used, and I have found literally nothing, this port range is even reserved for some kind of VRML setup according to all the lists I have scanned, so this doesn't make any sense to me at all.

TIA
Mike.
 
Old 11-13-2001, 01:47 PM   #2
KevinJ
Member
 
Registered: Feb 2001
Location: Colorado Springs, CO
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Posts: 857

Rep: Reputation: 30
I also have not found any mention of port 4232 and DNS/BIND. I did find some references to SNMP and maybe CGI on those ports, but those vague at best.

How do you know BIND is the service using the port? What are you using to determine that?

If you don't get any additional info or help.. I would suggest writing to the developers of BIND at http://www.isc.org/ or posting something to comp.protocols.dns.bind

Good luck.
 
Old 11-14-2001, 11:39 AM   #3
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
When I do a netstat -alnp it lists all net information including servers, and it also show what programs are bound to that port with the -p option. and it shows that named is bound to it. I also found a line in my messages log to this affect:

Nov 12 11:11:11 hostname named[398]: Forwarding source address is [0.0.0.0].4231

I also noticed that when Bind is restarted a new number is used, and it seems to be a randomn number. Which brings up a new question, does anybody know what range of numbers Bind uses for that? The port doesn't appear to be listening, but when I block it, my DNS becomes non funcitonal. Any ideas what a Forwarding Source address is? Thanks for your help!

Mike.
 
Old 11-14-2001, 02:37 PM   #4
sancho5
Member
 
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327

Rep: Reputation: 30
what user is BIND installed/running as? I heard something about priveleged ports only binding for root, or users with.. priveleged access? Maybe that has something to do with it not BINDing to 53.
 
Old 11-14-2001, 03:28 PM   #5
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
the wierd thing is it is also using Port 53. And the 4000 level port it uses is strictly for UDP, not TCP, so I have Port 53 open for my Loopback and my IP on TCP, and I have a randomn port open along with 53 open on my loopback and IP but only in UDP. The daemon is running as user named, which I have heard to be very common, and it is also the default install for RH I believe. I believe that this isn't an attack or anything to be concerned about, but I am looking for some insite into it so I can develop my firewall around it. Thanks again for the responses.
 
Old 11-16-2001, 09:26 AM   #6
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
anybody else?
 
Old 11-16-2001, 10:02 AM   #7
sancho5
Member
 
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327

Rep: Reputation: 30
I asked our resident DNS guru, and here is the explanation I got.

TCP IP sessions work as follow: A daemon listens on a particular port (named=53). This is what incoming connections will link to. It must remain open to listen for many connections that are coming in constantly. When the outgoing connection is made back to the client, you will see the service bind to an available unpriveleged port (>1024) for an outgoing connection. This outgoing connection will connect to the client on the same port it connected from initially, (named = 53.)
Per this logic, what you are seeing is a reply connection on the higher port back to a client. It is not a straight and consistent pipe between the two hosts on port 53 solely.
This should not impact your firewall setup. Today's firewalls are stateful, meaning that they can distinguish a connection that has already been established on an open port, but that will connect out on an unpriveleged port (based on the flags and headers, how they are set). Regardless whether your firewall configuration is set to open those higher ports specifically, if it is stateful, you will be ok. Besides, where they are random ports chosen most of the time, (mine has a connection on 3008) how would you really manage the config of the firewall at that point? leave open an entire range of services?

If anyone can see where i'm mistaken on this, please let me know, but it sounds about right.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Sound ISA card Crystal CS 4232 Ghitza Linux - Hardware 4 04-27-2005 03:21 AM
named -u named at startup zzero Linux - Newbie 4 03-16-2004 12:08 AM
cannot find named.conf and /var/named kaushikma Red Hat 1 02-07-2004 12:49 PM
Crystal 4232 sound card in mandrake 9.1 wiredX Linux - General 1 10-22-2003 01:16 PM
Virtual Host type, named or IP via SSL? Named VH is not possible? piratebiter Linux - Security 3 08-20-2003 05:27 PM


All times are GMT -5. The time now is 03:21 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration