[dns-operations] query source port 53,

Mark Andrews marka at isc.org
Wed Jun 13 01:52:45 UTC 2012


In message <201206130045.q5D0joIt078839 at aurora.sol.net>, Joe Greco writes:
> > In message <201206122327.q5CNRu5S077950 at aurora.sol.net>, Joe Greco writes:
> > > > In message <alpine.LSU.2.00.1206121230490.2122 at hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> > > > > Mark Andrews <marka at isc.org> wrote:
> > > > > >
> > > > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > > > that is in lots of old configurations.
> > > > > >
> > > > > > 	listen-on { <internal address>; };
> > > > > > 	query-source * port 53;
> > > > >
> > > > > I did this back in the 1990s because it worked around occasional interop
> > > > > problems, I think caused by over-enthusiastic firewall configurations that
> > > > > thought all DNS (queries and responses) should be on port 53. Several
> > > > > years ago I found that things had changed and the popular
> > > > > over-enthusiastic firewall configuration requires DNS query source ports
> > > > > to be greater than 1023.
> > > >
> > > > Both firewall configurations are broken.  You don't look at source
> > > > ports if you are offering a service.
> > >
> > > Sure you can.  And sometimes do.  That's what the whole privileged port
> > > thing is about, right?  Sometimes it is desirable to constrain the
> > > possibilities for various reasons.
> >
> > Even then you don't examine it in the firewall as those services
> > still accept connections from non-reserved ports.  You just get
> > extra functionality if you come from a known machine using a source
> > port less than 1024.
>
> So then you do understand the reason why someone might do this with DNS.

No.  The DNS isn't a 'r*' protocol.  If you are advertising a
nameserver to the world there is zero, nada, no, none justifiable
reason to look at the source port of the query.  You have no knowledge
about the client.  Even the 'r*' protocols, for all the flaws in
the security model, only paid attention to the source port when the
connection came from a "trusted" machine; otherwise they ignored the
port and requested that you login.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
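
An added example, not part of the original message and not ISC's code: a small Python audit that finds `query-source` statements pinned to one port, such as the `query-source * port 53;` line quoted in the thread, so old configurations can be located. It generalizes to any fixed port and to `query-source-v6`; the function names and the sample configuration (including its addresses) are constructed for illustration, and comment markers inside quoted strings are not handled.

```python
import re

# A query-source / query-source-v6 statement, up to its terminating semicolon.
_STMT = re.compile(r'(?<![\w-])(query-source(?:-v6)?)\s+([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\*|\d+)')
# named.conf accepts C (/* */), C++ (//) and shell (#) style comments.
_COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(text):
    """Blank out comments but keep newlines so line numbers stay correct."""
    return _COMMENTS.sub(lambda m: '\n' * m.group(0).count('\n'), text)


def find_fixed_query_ports(conf_text):
    """Return (line, statement, port) for every query-source pinned to a port."""
    clean = strip_comments(conf_text)
    findings = []
    for m in _STMT.finditer(clean):
        port = _PORT.search(m.group(2))
        if port and port.group(1) != '*':       # "port *" lets named pick the port
            line = clean.count('\n', 0, m.start()) + 1
            stmt = ' '.join(m.group(0).split())  # collapse whitespace for reporting
            findings.append((line, stmt, int(port.group(1))))
    return findings


# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
options {
    listen-on { 192.0.2.1; };        // constructed address
    query-source * port 53;          # the setting quoted in the thread
    /* query-source-v6 * port 53; */
    query-source-v6 address * port *;
};
view "legacy" {
    query-source address 192.0.2.1 port 5353;
};
"""

if __name__ == "__main__":
    for line, stmt, port in find_fixed_query_ports(SAMPLE_CONF):
        print(f"line {line}: fixed query source port {port}: {stmt}")
```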


