Niall already answered you the other day (brackets mine):

"The reply to such a query [from your server] originates from port 53 on the remote server, and is destined for the port on your server which was used as the source of the query[, which will be a randomly chosen port above 1024 if you are doing things the way they are usually done]."

On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
>
> I am using a stateful firewall from a leading vendor company. So let me
> know why my server still initiates connections to remote DNS servers
> on a non-standard destination port?
>
> Regards
> Babu
>
> *From:* "wbr...@e1b.org" <wbr...@e1b.org>
> *To:* babu dheen <babudh...@yahoo.co.in>
> *Cc:* "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspicious DNS traffic
>
> babu dheen wrote on 03/25/2013 12:21:30 PM:
>
>> Still not convinced, because if I need to allow >1024 ports from
>> our DNS server to the external world (internet)... where is the
>> security?
>
> Total security requires total isolation. It is a matter of
> accepting some risks to perform the needed task.
>
>> I believe we just need to allow TCP and UDP 53 from our DNS
>> server to the internet (any), which is already done. Not sure why we
>> have to open non-standard ports from our DNS server to the internet?
>>
>> Kindly provide some details.
>
> You send a request via UDP from a random high port to an authoritative
> server. The answer is too large to fit in a UDP packet, so it responds
> via TCP to the source port of the request (the random high port from
> above). If you block that TCP connection, you cannot receive the
> answer to your query.
>
> Another reason for TCP replies is DNS Response Rate Limiting
> (RRL).
>
> Some "modern" stateful firewalls understand DNS, and if there is a
> UDP packet sent to port 53, they will accept TCP connections back
> from the destination address on port 53 to the source
> address/port.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
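A toy model of the stateful-firewall behaviour the thread describes, added here as an example (it is not code from the thread or from BIND): a single egress rule for destination port 53, a state table that admits replies by their reverse 5-tuple, and a check of the DNS TC bit that triggers the TCP retry. The addresses, ephemeral ports and the 12-byte DNS header are constructed values.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple; proto is 'udp' or 'tcp'."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class StatefulFirewall:
    """Toy model: one egress rule (destination port 53, UDP or TCP) plus a
    state table; a reply is admitted only if its reverse tuple went out."""
    def __init__(self) -> None:
        self.state = set()

    def outbound(self, f: Flow) -> bool:
        if f.dst_port == 53 and f.proto in ("udp", "tcp"):
            self.state.add(f)
            return True
        return False  # no 'allow >1024 to anywhere' egress rule is needed

    def inbound(self, f: Flow) -> bool:
        return f.reverse() in self.state

def tc_bit_set(dns_msg: bytes) -> bool:
    """True when the TC (truncated) flag, bit 0x0200 of the header flags, is set."""
    (flags,) = struct.unpack("!H", dns_msg[2:4])
    return bool(flags & 0x0200)

def resolve_scenario() -> dict:
    """Walk the exchange: UDP query, truncated UDP reply, TCP retry to port 53."""
    fw = StatefulFirewall()
    me, ns = "192.0.2.10", "198.51.100.1"          # constructed addresses
    q = Flow("udp", me, 40123, ns, 53)               # constructed ephemeral port
    out = {"udp_query": fw.outbound(q),
           "udp_reply": fw.inbound(q.reverse()),
           # same server, but to a port we never queried from: no state, dropped
           "unsolicited": fw.inbound(Flow("udp", ns, 53, me, 40124))}
    # Constructed 12-byte header: ID 0x1234, flags QR|TC|RD|RA = 0x8380, QDCOUNT 1
    out["truncated"] = tc_bit_set(bytes.fromhex("1234 8380 0001 0000 0000 0000"))
    if out["truncated"]:  # resolver retries over TCP, again to port 53
        t = Flow("tcp", me, 51000, ns, 53)
        out["tcp_query"], out["tcp_reply"] = fw.outbound(t), fw.inbound(t.reverse())
    return out
```

The only egress permission the model needs is "destination port 53", which is exactly the rule the thread says is already in place; the high-port traffic is the return half of those same flows.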