Has anyone seen this error before?

I am getting several different errors in my daily logging that I would like to solve. These are coming from my cache DNS servers:

dispatch: warning: dispatch 0x7fbcc820ef80: open_socket(0.0.0.0#1935) -> permission denied: continuing: 25 Time(s)

rate-limit: info: continue limiting responses to 162.17.148.0/24: 10 Time(s)

rate-limit: info: stop limiting error responses to 184.175.185.0/24: 10 Time(s)

These are some examples.

Thanks,
marchopkins asked:

Stampel commented:
No real problem, bind will continue with another port.
You can try to fix it by fixing the port range in your /etc/named.conf as follows:

use-v4-udp-ports { range 32768 65535; };
marchopkins (Author) commented:
Does this address the dispatch warning or the rate-limit issue?

Thanks
marchopkins (Author) commented:
Also, why those particular ports?

Thanks again.
marchopkins (Author) commented:
I'm assuming that it would be inserted in this section of named.conf, or would it need to omit an entry in favor of this one?

options {
        listen-on port 53 { any; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; "g4internal"; "g4external"; };
        #allow-query { any; };
        recursion yes;

        #Test Response Rate Limiting
        rate-limit {
                responses-per-second 5;
                window 5;
        };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        blackhole {
        #put in any networks that don't belong
                "iana-reserved";
        };
};
Stampel commented:
Yes, it does address this particular issue by fixing the port range above the most commonly used ports.
It just specifies the use of ephemeral ports. See http://en.wikipedia.org/wiki/Ephemeral_port
"Many Linux kernels use the port range 32768 to 61000"
Stampel commented:
Just inside your options { } section:

options {
...
use-v4-udp-ports { range 32768 65535; };
...

}
marchopkins (Author) commented:
Thanks, I'll give it a try and report back tomorrow after the log output.
gheist commented:
The dispatch error is harmless.
The other error means that another IP requested the same record over your rate limit. Your rate limit is a little paranoid. 5 requests in 5 seconds can be simple retries. 10 requests in 10 seconds is likely to eliminate most of the log entries.
The first is unavoidable, so don't log it. The second maybe helps diagnostics, so leave it.

http://www.zytrax.com/books/dns/ch7/logging.html

Why do you load DNSSEC keys and then kill off DNSSEC validation? It is like 15 years old and works fine for 20% of the internet.
marchopkins (Author) commented:
Thanks gheist. I see where that might help, yes. Here is the change.

        #Test Response Rate Limiting
        rate-limit {
                responses-per-second 10;
                window 10;
        };

I will follow the link to understand how to eliminate that log for dispatch. I don't understand your comment "Why do you load DNSSEC keys and then kill off DNSSEC validation? It is like 15 years old and works fine for 20% of internet." I did not set that piece up and have no idea what it does.

Stampel: The same logs showed up today even after I edited the port range in /etc/named.conf
Stampel commented:
Did you restart the bind daemon?
Can you replace the config line with:
query-source port 53;

(you can keep listen-on port 53 { any; };)
marchopkins (Author) commented:
Yes, I have done that.
gheist commented:
The default port range is 1024-65535; reducing it will not help at all.
And it even clashes with itself. As I said, that log record is harmless and you can just stop logging it.

BTW, I don't see a bind logging configuration in your named.conf.
Add there, in the logging section: category dispatch { null; };

Log rate limiting is also safe to ignore.
Why don't you use the suggested default values with it?
https://kb.isc.org/article/AA-00994/0

Just enable DNSSEC; named CPU usage will rise from 0.1% to 0.2%.
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
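The pieces gheist describes (a logging section that drops the dispatch category but keeps the rate-limit decisions, RRL run in log-only mode before it enforces, and DNSSEC validation turned back on) combined into one named.conf fragment. This is an added example, not configuration from the thread; the channel names and log file paths are assumptions.

```conf
options {
        directory "/var/named";
        // Leave query-source unset so BIND keeps randomising its UDP source ports;
        // randomised source ports are a standard defence against cache poisoning.
        // The default ephemeral range is already 1024-65535, so no use-v4-udp-ports line.

        rate-limit {
                responses-per-second 10;   // values from the thread; tune to your traffic
                window 10;
                log-only yes;              // first pass: log what would be limited, enforce nothing
        };

        dnssec-enable yes;                 // accepted by the BIND 9.9/9.10 releases of this era
        dnssec-validation auto;            // validate with the built-in root trust anchor
};

logging {
        // Hypothetical channel names and paths; adjust to your layout.
        channel default_log {
                file "/var/named/data/named.run" versions 5 size 10m;
                severity info;
                print-time yes;
                print-category yes;
        };
        channel rrl_log {
                file "/var/named/data/rrl.log" versions 3 size 5m;
                severity info;
                print-time yes;
        };

        category default    { default_log; };
        category dispatch   { null; };      // drop the harmless open_socket warning
        category rate-limit { rrl_log; };   // keep RRL decisions reviewable in their own file
};
```

Run named-checkconf -z before reloading; once rrl.log shows the limiter hitting genuine floods rather than client retries, remove log-only yes to enforce.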
marchopkins (Author) commented:
I will give that a try and post the results in a bit... thank you.
marchopkins (Author) commented:
All set with all of these suggestions.
marchopkins (Author) commented:
Thanks for the suggestions.
gheist commented:
named-checkconf -z ;)