[dns-operations] query source port 53, was Re: Why would an MTA issue an ANY query instead of an MX query?

Mark Andrews marka at isc.org
Tue Jun 12 23:56:03 UTC 2012


In message <alpine.LSU.2.00.1206121230490.2122 at hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> Mark Andrews <marka at isc.org> wrote:
> >
> > Perhaps because it is a legitimate, though unwise, client source port
> > that is in lots of old configurations.
> >
> > 	listen-on { <internal address>; };
> > 	query-source * port 53;
> 
> I did this back in the 1990s because it worked around occasional interop
> problems, I think caused by over-enthusiastic firewall configurations that
> thought all DNS (queries and responses) should be on port 53. Several
> years ago I found that things had changed and the popular
> over-enthusiastic firewall configuration requires DNS query source ports
> to be greater than 1023.

Both firewall configurations are broken.  You don't look at source
ports if you are offering a service.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
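An added illustration of the point above, not code from the thread or from ISC: a small simulation that takes constructed queries from a resolver pinned to source port 53 (the old `query-source * port 53;` configuration) and from a resolver using varying high ports, and shows that a server-side firewall rule keyed on either source-port rule drops legitimate traffic, while filtering on the destination service port alone drops none. All addresses and ports are constructed sample values.

```python
"""Added example (constructed data): why a DNS server's firewall should not
filter on the client's source port."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    src: str       # client (resolver) address, constructed
    sport: int     # client source port
    dport: int = 53


# Constructed sample: an old-style resolver pinned to port 53 and a
# resolver that varies its source port above 1023.
OLD_RESOLVER = [Query("192.0.2.10", 53) for _ in range(5)]
NEW_RESOLVER = [Query("198.51.100.20", p) for p in (43211, 59012, 2049, 30771, 65000)]
SAMPLE = OLD_RESOLVER + NEW_RESOLVER


# The three firewall policies discussed in the thread.
def require_sport_53(q):
    return q.sport == 53          # "all DNS should be on port 53"

def require_sport_high(q):
    return q.sport > 1023         # "query source ports must be > 1023"

def any_sport(q):
    return q.dport == 53          # correct: match only the service port


def dropped(policy, queries):
    """Return the legitimate queries a policy would wrongly drop."""
    return [q for q in queries if not policy(q)]


def source_port_profile(queries):
    """Per-client summary of distinct source ports seen; a single port
    across many queries indicates a fixed query-source configuration."""
    ports = {}
    for q in queries:
        ports.setdefault(q.src, set()).add(q.sport)
    return {src: ("fixed" if len(p) == 1 else "varying", sorted(p))
            for src, p in ports.items()}


if __name__ == "__main__":
    for name, pol in (("sport==53", require_sport_53),
                      ("sport>1023", require_sport_high),
                      ("any sport", any_sport)):
        print(f"{name:10s} drops {len(dropped(pol, SAMPLE))}/{len(SAMPLE)} legitimate queries")
    print(source_port_profile(SAMPLE))
```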