[dns-operations] query source port 53,
Mark Andrews
marka at isc.org
Wed Jun 13 00:22:13 UTC 2012
In message <201206122327.q5CNRu5S077950 at aurora.sol.net>, Joe Greco writes:
> > In message <alpine.LSU.2.00.1206121230490.2122 at hermes-2.csi.cam.ac.uk>, Ton
> y Fi
> > nch writes:
> > > Mark Andrews <marka at isc.org> wrote:
> > > >
> > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > that is in lots of old configurations.
> > > >
> > > > listen-on { <internal address>; };
> > > > query-source * port 53;
> > >
> > > I did this back in the 1990s because it worked around occasional interop
> > > problems, I think caused by over-enthusiastic firewall configurations tha
> t
> > > thought all DNS (queries and responses) should be on port 53. Several
> > > years ago I found that things had changed and the popular over-
> > > enthusiastic firewall configuration requires DNS query source ports to be
> > > greater than 1023.
> >
> > Both firewall configuration are broken. You don't look at source
> > ports if you are offering a service.
>
> Sure you can. And sometimes do. That's what the whole privileged port
> thing is about, right? Sometimes it is desirable to constrain the
> possibilities for various reasons.
Even then you don't examine it in the firewall as those service
still accept connections from non-reserved ports. You just get
extra functionality if you come from a known machine using a source
port less than 1024.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list