On 08/03/2018 12:00 PM, Petr Menšík wrote:
Hi!

Hi,

Our internal support reached out to me with a question: why are some queries bound to low ports silently dropped?

Please clarify if you're saying "bound to" as in the code that originated the query came from said port or if you mean queries that are going to said port on the DNS server?

I have found there is a feature for that, which will silently drop queries from selected ports.

That's new information to me.

I admit queries from such low ports are wrong.

I feel like such queries (from) low ports may be "unexpected", but I don't know that it's "wrong" per se.

But why are some ports allowed while some ports are not?

Based on the small list of five ports, I'm guessing that these ports caused a problem and as such are blocked.

Should it not be configured by a firewall instead?

I'm guessing that named filters the problematic ports as a function of protecting its own stability or otherwise desired behavior.

I would expect that firewalls are more for security of the system.

Different scopes of problem use different solutions.

Just try this command: $ sudo dig @127.0.0.1 -b 127.0.0.1#32 localhost

If bind is running on the local interface, it will drop the query. If any other server is running there, it will respond.

Bind has chosen to operate in this manner. Other daemons may or may not make the same choice.

Does such a feature make sense in the year 2018? Can you remember what the motivation was to implement it? Is it wise to still enable it by default, without at least a configure option to disable it?

I suspect that bind chose to drop these specific source ports because they likely will result in more traffic back from the client. As such, sort of causing a feedback loop. Mind you, this is just a guess.

1. https://gitlab.isc.org/isc-projects/bind9/commit/05d32f6b0f6590ca22136b753309f070ce769000



--
Grant. . . .
unix || die
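A small probe that generalizes the dig -b test from the thread to several source ports, as an added example that is not part of the original post: it sends one query per source port and reports which ports get no reply within the timeout. It assumes the resolver is on 127.0.0.1, that you run it as root (binding ports below 1024 needs that), and the sample port list is made up.

```python
import random
import socket
import struct

# Added example, not from the thread. The server address and the sample
# port list are assumptions; binding a source port below 1024 needs root.


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (QCLASS IN, RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def response_matches(reply: bytes, txid: int) -> bool:
    """True if `reply` is a DNS response (QR bit set) for transaction `txid`."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)


def probe_source_port(server: str, src_port: int, name: str = "localhost",
                      timeout: float = 2.0) -> bool:
    """Send one query from `src_port`; return True if the server answered."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))  # like dig -b <addr>#<port>
        s.sendto(build_query(name, txid=txid), (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return False  # silently dropped (or no server listening)
    return response_matches(reply, txid)


if __name__ == "__main__":
    for port in (32, 1024, 40000):  # assumed sample source ports
        answered = probe_source_port("127.0.0.1", port)
        state = "answered" if answered else "no reply (dropped?)"
        print(f"source port {port:5d}: {state}")
```

A port that times out while a high port is answered points at the server-side drop rather than at a firewall or a dead server.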



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
