[dns-operations] query source port 53,
Joe Greco
jgreco at ns.sol.net
Wed Jun 13 00:45:50 UTC 2012
>
>
> In message <201206122327.q5CNRu5S077950 at aurora.sol.net>, Joe Greco writes:
> > > In message <alpine.LSU.2.00.1206121230490.2122 at hermes-2.csi.cam.ac.uk>, Ton
> > y Fi
> > > nch writes:
> > > > Mark Andrews <marka at isc.org> wrote:
> > > > >
> > > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > > that is in lots of old configurations.
> > > > >
> > > > > listen-on { <internal address>; };
> > > > > query-source * port 53;
> > > >
> > > > I did this back in the 1990s because it worked around occasional interop
> > > > problems, I think caused by over-enthusiastic firewall configurations tha
> > t
> > > > thought all DNS (queries and responses) should be on port 53. Several
> > > > years ago I found that things had changed and the popular over-
> > > > enthusiastic firewall configuration requires DNS query source ports to be
> > > > greater than 1023.
> > >
> > > Both firewall configuration are broken. You don't look at source
> > > ports if you are offering a service.
> >
> > Sure you can. And sometimes do. That's what the whole privileged port
> > thing is about, right? Sometimes it is desirable to constrain the
> > possibilities for various reasons.
>
> Even then you don't examine it in the firewall as those service
> still accept connections from non-reserved ports. You just get
> extra functionality if you come from a known machine using a source
> port less than 1024.
So then you do understand the reason why someone might do this with DNS.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the dns-operations
mailing list