Bug 33102 - Unknown UDP port is 'listening'
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.2
Hardware: sparc Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
David Lawrence
Reported: 2001-03-24 17:18 EST by Hugo van der Kooij
Modified: 2007-04-18 12:32 EDT
Last Closed: 2001-03-26 09:54:04 EST


Description Hugo van der Kooij 2001-03-24 17:18:41 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-22 i686)


A random UDP high port is 'listening' each time named is rebooted. This
port can be found with a remote system using nmap. A typical nmap response
would be:
Port       State       Service
1820/udp   open        unknown 

This port is known to belong to named as I found with lsof:
# lsof|grep 1820
named     12393     root    4u  IPv4      41217                UDP *:1820 

Reproducible: Always
Steps to Reproduce:
1. install bind-8.2.3
2. configure bind with a reasonably tight config file
3. start bind with `/etc/rc.d/init.d/named start`
	

Actual Results:  A UDP port belongs to named but it is not stated in any
BIND documentation.

Expected Results:  Either the use of this port should be documented or this
UDP port shouldn't be used by named.

I tracked down all I could to make triple sure I don't have a rootkit on
the nameserver.
None was found and the system operates within defined security parameters
except this UDP port. And it has me worried.

(Just because I'm paranoid doesn't mean those intelligence people wouldn't
like to sniff in on my server. ;=)
Comment 1 Daniel Roesen 2001-03-26 09:53:28 EST
Not A Bug. This is BIND's UDP query socket. It's dynamically assigned by the
kernel (INPORT_ANY). You can circumvent having it by using
"query-source address * port 53;" in your options {} block in named.conf. It is
no additional security risk whatsoever.

I leave it up to Bero to RESOLVED/NOTABUG because he is the one with the red
hat. :->
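
As an added example (not part of the original report and not BIND's own tooling), the attribution step from the description can match the UDP port field exactly instead of using `lsof|grep 1820`, which also hits PIDs or device numbers containing those digits. The function names and every sample line except the `*:1820` one are constructed for illustration, and the classification applies the explanation from Comment 1 as a heuristic.

```shell
#!/bin/sh
# Constructed lsof-style lines; only the *:1820 line is taken from the report.
sample_lsof() {
cat <<'EOF'
named     12393     root    4u  IPv4      41217                UDP *:1820
named     12393     root   20u  IPv4      41213                UDP 127.0.0.1:53
named     12393     root   21u  IPv4      41214                TCP 127.0.0.1:53 (LISTEN)
syslogd    1820     root    1u  IPv4        512                UDP *:514
EOF
}

# udp_owner PORT: read lsof-style text on stdin, print "command pid address"
# for each socket bound to exactly that UDP port. Comparing the port field
# avoids false hits on a PID or device number that contains the same digits.
udp_owner() {
    awk -v port="$1" 'NF >= 3 {
        last = NF
        if ($last ~ /^\(.*\)$/) last--        # skip a state such as (LISTEN)
        n = split($last, part, ":")            # port is the text after the last ":"
        if ($(last - 1) == "UDP" && part[n] == port)
            print $1, $2, substr($last, 1, length($last) - length(part[n]) - 1)
    }'
}

# classify_port PORT: apply the explanation from Comment 1 as a heuristic:
# a wildcard-bound UDP socket of named on a port other than 53 is treated as
# its outgoing query socket; any other owner is reported for manual review.
classify_port() {
    owner=$(udp_owner "$1")
    if [ -z "$owner" ]; then
        echo "port $1/udp: no owner in lsof output"
        return 1
    fi
    # read does not glob-expand the "*" address, unlike word splitting.
    read -r cmd pid addr <<EOF
$owner
EOF
    if [ "$cmd" = "named" ] && [ "$addr" = "*" ] && [ "$1" != "53" ]; then
        echo "port $1/udp: named (pid $pid) query socket"
    else
        echo "port $1/udp: $cmd (pid $pid) bound to $addr, check manually"
    fi
}

# Live use (as root): lsof -nP -iUDP | classify_port 1820
sample_lsof | classify_port 1820
```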
