[dns-operations] query source port 53,
Joe Greco
jgreco at ns.sol.net
Tue Jun 12 23:27:56 UTC 2012
> In message <alpine.LSU.2.00.1206121230490.2122 at hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> > Mark Andrews <marka at isc.org> wrote:
> > >
> > > Perhaps because it is a legitimate, though unwise, client source port
> > > that is in lots of old configurations.
> > >
> > > listen-on { <internal address>; };
> > > query-source * port 53;
> >
> > I did this back in the 1990s because it worked around occasional interop
> > problems, I think caused by over-enthusiastic firewall configurations that
> > thought all DNS (queries and responses) should be on port 53. Several
> > years ago I found that things had changed and the popular over-
> > enthusiastic firewall configuration requires DNS query source ports to be
> > greater than 1023.
>
> Both firewall configurations are broken. You don't look at source
> ports if you are offering a service.
Sure you can. And sometimes do. That's what the whole privileged port
thing is about, right? Sometimes it is desirable to constrain the
possibilities for various reasons.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
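
The following is an added example, not part of the original message or of BIND: a small audit for the old `query-source * port 53;` style quoted in the thread, which pins every outgoing query to one source port and so gives up source-port randomization. The function name and the sample configuration are constructed for illustration; the comment stripping is regex-based and assumes no `//` or `#` inside quoted strings.

```python
import re

# Constructed sample named.conf; only the query-source line mirrors the
# statement quoted in the thread. Addresses are documentation placeholders.
SAMPLE_CONF = """
options {
    listen-on { 192.0.2.1; };        // placeholder internal address
    query-source * port 53;          # the old workaround quoted above
    query-source-v6 address :: port *;
    /* query-source address * port 5353; -- disabled */
};
"""

# named.conf accepts C, C++ and shell style comments.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# One query-source / query-source-v6 statement, up to its terminating ';'.
_STMT = re.compile(r"\b(query-source(?:-v6)?)\b([^;{}]*);")


def fixed_query_ports(conf_text):
    """Return [(statement, port)] for each query-source pinned to one port.

    'port *' (or no port clause at all) leaves the port choice to named
    and is not reported.
    """
    text = _COMMENTS.sub(" ", conf_text)
    findings = []
    for match in _STMT.finditer(text):
        tokens = match.group(2).split()
        if "port" not in tokens:
            continue
        idx = tokens.index("port")
        value = tokens[idx + 1] if idx + 1 < len(tokens) else None
        if value is not None and value.isdigit():
            findings.append((match.group(1), int(value)))
    return findings


if __name__ == "__main__":
    for stmt, port in fixed_query_ports(SAMPLE_CONF):
        print(f"{stmt}: outgoing queries pinned to source port {port}")
```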