11-13-2001, 12:02 PM #1
Member
Registered: Aug 2001
Distribution: Red Hat
Posts: 61
Named and Port 4232
Okay, I just discovered that named, my BIND server, is using port 4232. I can't tell exactly why or when, and it isn't really set to listen, but does anybody have any ideas why it would use that port? I was under the impression that DNS works off of 53 UDP and TCP. Also, does anybody know how I would correct this issue and remove BIND from port 4232? I do know that when I block port 4232, I basically can't ping or ftp out from my server. I have searched and searched for an explanation of why that port was used, and I have found literally nothing; this port range is even reserved for some kind of VRML setup according to all the lists I have scanned, so this doesn't make any sense to me at all.
TIA
Mike.
11-13-2001, 02:47 PM #2
Member
Registered: Feb 2001
Location: Colorado Springs, CO
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Posts: 857
I also have not found any mention of port 4232 and DNS/BIND. I did find some references to SNMP and maybe CGI on those ports, but those are vague at best.
How do you know BIND is the service using the port? What are you using to determine that?
If you don't get any additional info or help, I would suggest writing to the developers of BIND at http://www.isc.org/ or posting something to comp.protocols.dns.bind.
Good luck.
11-14-2001, 12:39 PM #3
Member
Registered: Aug 2001
Distribution: Red Hat
Posts: 61
Original Poster
When I do a netstat -alnp it lists all net information including servers, and it also shows what programs are bound to that port with the -p option, and it shows that named is bound to it. I also found a line in my messages log to this effect:
Nov 12 11:11:11 hostname named[398]: Forwarding source address is [0.0.0.0].4231
I also noticed that when BIND is restarted a new number is used, and it seems to be a random number. Which brings up a new question: does anybody know what range of numbers BIND uses for that? The port doesn't appear to be listening, but when I block it, my DNS becomes non-functional. Any ideas what a Forwarding Source address is? Thanks for your help!
Mike.
11-14-2001, 03:37 PM #4
Member
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327
What user is BIND installed/running as? I heard something about privileged ports only binding for root, or users with... privileged access? Maybe that has something to do with it not BINDing to 53.
11-14-2001, 04:28 PM #5
Member
Registered: Aug 2001
Distribution: Red Hat
Posts: 61
Original Poster
The weird thing is it is also using port 53. And the 4000-level port it uses is strictly for UDP, not TCP, so I have port 53 open for my loopback and my IP on TCP, and I have a random port open along with 53 open on my loopback and IP but only in UDP. The daemon is running as user named, which I have heard to be very common, and it is also the default install for RH I believe. I believe that this isn't an attack or anything to be concerned about, but I am looking for some insight into it so I can develop my firewall around it. Thanks again for the responses.
11-16-2001, 10:26 AM #6
Member
Registered: Aug 2001
Distribution: Red Hat
Posts: 61
Original Poster
Anybody else?
11-16-2001, 11:02 AM #7
Member
Registered: Jul 2001
Location: Utah
Distribution: RedHat v7.3, OpenBSD 3.3, FreeBSD 5.0
Posts: 327
I asked our resident DNS guru, and here is the explanation I got.
TCP/IP sessions work as follows: a daemon listens on a particular port (named = 53). This is what incoming connections will link to. It must remain open to listen for many connections that are coming in constantly. When the outgoing connection is made back to the client, you will see the service bind to an available unprivileged port (>1024) for an outgoing connection. This outgoing connection will connect to the client on the same port it connected from initially (named = 53).
Per this logic, what you are seeing is a reply connection on the higher port back to a client. It is not a straight and consistent pipe between the two hosts on port 53 solely.
This should not impact your firewall setup. Today's firewalls are stateful, meaning that they can distinguish a connection that has already been established on an open port, but that will connect out on an unprivileged port (based on the flags and headers, how they are set). Regardless of whether your firewall configuration is set to open those higher ports specifically, if it is stateful, you will be OK. Besides, where they are random ports chosen most of the time (mine has a connection on 3008), how would you really manage the config of the firewall at that point? Leave open an entire range of services?
If anyone can see where I'm mistaken on this, please let me know, but it sounds about right.
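One way to check the poster's evidence from posts #3 and #7, as an added example that is not part of the thread: a Python script that parses constructed `netstat -alnp` output and a constructed syslog line of the kind quoted in post #3, separates named's service port (53) from the high ephemeral port it uses as the source for outgoing queries, and lists which ports actually need an inbound firewall rule. The sample data, the 192.0.2.10 address and all function names are constructed for this example.

```python
import re
# Constructed sample of `netstat -alnp` output modelled on the thread: named (PID 398)
# bound to 53/tcp and 53/udp plus one high UDP port; the sshd line is filler.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 127.0.0.1:53    0.0.0.0:*       LISTEN 398/named
tcp        0      0 192.0.2.10:53   0.0.0.0:*       LISTEN 398/named
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 212/sshd
udp        0      0 127.0.0.1:53    0.0.0.0:*              398/named
udp        0      0 192.0.2.10:53   0.0.0.0:*              398/named
udp        0      0 0.0.0.0:4231    0.0.0.0:*              398/named
"""
# Constructed syslog line in the format of the one quoted in the thread.
SYSLOG_SAMPLE = ("Nov 12 11:11:11 hostname named[398]: "
                 "Forwarding source address is [0.0.0.0].4231")

SOCKET_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")
FORWARD_RE = re.compile(r"named\[(\d+)\]: Forwarding source address is \[([^\]]+)\]\.(\d+)")

def query_source_port(syslog_line):
    """Return (pid, address, port) from BIND's 'Forwarding source address' line, else None."""
    m = FORWARD_RE.search(syslog_line or "")
    return (int(m.group(1)), m.group(2), int(m.group(3))) if m else None

def classify_named_sockets(netstat_text, syslog_line=None, program="named"):
    """Split the program's sockets into service ports (53) and ephemeral ports (>1024).
    The ephemeral UDP port whose PID and number match the syslog line is BIND's
    outgoing query-source port: it needs no inbound rule, only stateful reply handling."""
    confirmed = query_source_port(syslog_line)
    out = {"service": [], "ephemeral": [], "confirmed_source": None}
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m.group(5) != program:
            continue
        proto, addr, port, pid = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        entry = (proto, addr, port)
        if port == 53:
            out["service"].append(entry)
        elif port > 1024:
            out["ephemeral"].append(entry)
            if proto == "udp" and confirmed and confirmed[0] == pid and confirmed[2] == port:
                out["confirmed_source"] = entry
    return out

def inbound_ports_to_open(summary):
    """Only the service ports need explicit inbound ACCEPT rules on the firewall."""
    return sorted({(proto, port) for proto, _, port in summary["service"]})
```

Run against real `netstat -alnp` output and the matching line from /var/log/messages, the ephemeral entry changes on every restart while the service ports stay fixed, which is why the firewall should track replies by state rather than open the high port.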