# ICMP: Port unreachable from 10.0.0.2:53 to 10.0.0.1:54321

- **ID:** `networking/udp-port-unreachable`
- **Domain:** networking
- **Category:** protocol_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

A UDP packet was sent to a closed port on the destination host (10.0.0.2:53), and the destination responded with an ICMP Port Unreachable message, indicating no application is listening on that port.
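Added example, not part of the original entry: a Port Unreachable message is ICMP type 3, code 3, and it quotes the IP header plus the first 8 bytes of the datagram that triggered it, which is enough to identify the sending socket and the closed port. The parser below recovers that flow from a constructed sample; the function names and sample bytes are assumptions for illustration.

```python
import socket
import struct


def build_sample() -> bytes:
    """Constructed sample: ICMP 3/3 quoting a UDP query 10.0.0.1:54321 -> 10.0.0.2:53."""
    # Quoted original IPv4 header (20 bytes, protocol 17 = UDP); checksums left at 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    udp = struct.pack("!HHHH", 54321, 53, 8, 0)  # first 8 bytes of the original datagram
    icmp = struct.pack("!BBHI", 3, 3, 0, 0)      # type, code, checksum, unused
    return icmp + ip + udp


def parse_port_unreachable(icmp: bytes) -> dict:
    """Return the original UDP flow quoted inside an ICMP Port Unreachable message."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code = icmp[0], icmp[1]
    if (icmp_type, code) != (3, 3):
        raise ValueError(f"not Port Unreachable: type={icmp_type} code={code}")
    quoted = icmp[8:]                      # quoted IP header + 8 bytes of payload
    version, ihl = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    if quoted[9] != 17:                    # protocol field of the quoted header
        raise ValueError("quoted packet is not UDP")
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    # 'sender' is the socket that gets the error; 'closed_port' is what to check.
    return {"sender": f"{src}:{sport}", "closed_port": f"{dst}:{dport}"}


if __name__ == "__main__":
    print(parse_port_unreachable(build_sample()))
```
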

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Linux kernel 5.10-6.8 | active | — | — |
| Windows Server 2022/2025 | active | — | — |
| FreeBSD 13-14 | active | — | — |
| DNS servers (BIND 9.18-9.20, Unbound 1.17-1.22) | active | — | — |
| syslog-ng 4.0-4.8 | active | — | — |

## Workarounds

1. **Verify the destination service is running and listening: `ss -ulpn | grep :53` on Linux; if not, start the service (e.g., `systemctl start named` for BIND).** (85% success)
   ```
   ss -ulpn | grep :53      # is anything listening on UDP port 53?
   systemctl start named    # if not, start the service (BIND shown)
   ```
2. **Check the source application configuration to ensure it sends to the correct address and port: e.g., for DNS, ensure `nameserver` in `/etc/resolv.conf` points to 10.0.0.2 and that the client sends to port 53.** (80% success)
3. **If the service is intentionally not running, update the source to use a different destination or port, or install the required service.** (90% success)

## Dead Ends

- **Adding a firewall rule to drop ICMP Port Unreachable messages** — This hides the error but does not fix the underlying issue; the source application still fails to communicate and may time out instead of getting a fast failure. (85% fail)
- **Restarting the destination service without verifying it's listening on the correct port** — The service may be misconfigured to listen on a different port or interface, so restarting does not resolve the mismatch. (70% fail)
- **Assuming the source is sending to the wrong IP address and changing routing** — The ICMP message confirms the IP is reachable; the issue is the port, not the address. (60% fail)
