Bug 33102 - Unknown UDP port is 'listening'
Summary: Unknown UDP port is 'listening'
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bind   
(Show other bugs)
Version: 6.2
Hardware: sparc
OS: Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2001-03-24 22:18 UTC by Hugo van der Kooij
Modified: 2007-04-18 16:32 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-03-26 14:54:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Hugo van der Kooij 2001-03-24 22:18:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-22 i686)

An random UDP high port is 'listening' each time named is rebooted. This
port can be found with a remote system using nmap. A typical nmap resonse
would be:
Port       State       Service
1820/udp   open        unknown 

This port is known to belong to named as I found with lsof:
# lsof|grep 1820
named     12393     root    4u  IPv4      41217                UDP *:1820 

Reproducible: Always
Steps to Reproduce:
1. install bind-8.2.3
2. configure bind with a reasonable tight config file
3. start bind with `/etc/rc.d/init.d/named start`

Actual Results:  A UDP port belongs to named but it is not stated in any
BIND documentation.

Expected Results:  Either the use of this port should be documented or this
UDP port shouldn't be used by named.

I tracked down all I could to make tripple sure I don't have a rootkit on
the nameserver.
None was found and the system operates within defined security paramters
except this UDP port. And it has me worried.

(Just because I'm paranoid doesn't mean those intelligence people wouldn't
like to snif in on my server. ;=)

Comment 1 Daniel Roesen 2001-03-26 14:53:28 UTC
Not A Bug. This is BIND's UDP query socket. It's dynamically assigned by the
kernel (INPORT_ANY). You can circumvent having it by using "query-source address
* port 53;" in your options {} block in named.conf. It is no additional security
risk whatsoever.

I leave it up to Bero to RESOLVED/NOTABUG because he is the one with the red
hat. :->

Note You need to log in before you can comment on or make changes to this bug.