On 6/10/19 3:29 PM, Mark Andrews wrote:
> The primary issue here is that there is still source address spoofing happening so you have to consider what if this packet was spoofed. DNS uses UDP and is used as a reflector. The small services ports listed generate reply traffic. Additionally kpasswd and a DNS server can generate a self sustaining traffic loop if it is not suppressed.
I'm guessing that the reply / kpasswd traffic is not a valid DNS query. As such, I would think that it's possible to detect this and respond accordingly. If the incoming packet is not a valid DNS query and it's from one of the aforementioned ports, ignore it / drop the outbound error message.
If the incoming packet is a valid DNS query, then go ahead and reply.
> There are ~63500 ephemeral ports
Sadly, many things don't use that wide of an Ephemeral Port range by default.
Per IANA, the 65536 possible ports are divided into three ranges:

0 to 1023 for System Ports
1024 to 49151 for User Ports
49152 to 65535 for Dynamic and / or Private Ports, a.k.a. Ephemeral Ports

So, strictly adhering to IANA recommendations, there are only 16,384 Ephemeral Ports (14 bits).
This means that DNS administrators either use their OS default, adhere to IANA's recommendation, or use something of their own choosing.
I guess "their own choosing" could be 1024-65535. That amounts to 64512 possible ports / ~15.98 bits. Conversely, 65536 ports amounts to 16 bits.
See my other replies for my questions about why BIND can't be more selective in the replies it processes.
-- Grant. . . . unix || die
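The check proposed in the message above (only answer datagrams that are well-formed DNS queries; silently drop anything else that arrives from a reflector-prone source port, rather than sending back an error that can feed a loop), as an added example that is not part of the thread and not BIND's own code. The port set, the packet samples and all function names are constructed for illustration; the thread names kpasswd (464) but does not list the small-service ports, so echo (7) and chargen (19) are assumed here.

```python
"""Classify an inbound UDP payload before replying to it.

Added example for the bind-users thread, not BIND code.  A resolver that
answers every datagram on port 53 with at least a FORMERR can be turned into
a reflector, and two services that both answer errors with errors can loop
forever.  The policy here: answer only well-formed queries; for anything
else, stay silent when the source port belongs to a service known to reply
to arbitrary input.  Port list and sample packets are constructed.
"""
import struct

# Assumption: small-service ports that answer any datagram (echo, chargen)
# plus kpasswd, which the thread names explicitly.
SILENT_DROP_SRC_PORTS = {7, 19, 464}

def parse_qname(payload, offset):
    """Walk the labels of an uncompressed name; return (name, next_offset).
    Raises ValueError on any truncation or on a compression pointer, which
    has no business appearing in a question section we have not answered."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(payload):
            raise ValueError("label runs past end of packet")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def is_valid_dns_query(payload):
    """True only for a DNS message with QR=0, opcode QUERY, exactly one
    question, and a QNAME/QTYPE/QCLASS that fit inside the packet."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:              # QR=1: a response, not a query
        return False
    if (flags >> 11) & 0xF != 0:    # opcode must be standard QUERY (0)
        return False
    if qdcount != 1:
        return False
    try:
        _name, off = parse_qname(payload, 12)
    except (ValueError, UnicodeDecodeError):
        return False
    return off + 4 <= len(payload)  # room for QTYPE and QCLASS

def decide(src_port, payload):
    """Policy for one inbound datagram: 'answer', 'drop' (no reply at all),
    or 'formerr' (the usual error reply for a malformed query)."""
    if is_valid_dns_query(payload):
        return "answer"
    if src_port in SILENT_DROP_SRC_PORTS:
        return "drop"
    return "formerr"

def build_query(name, ident=0x1234, qtype=1, qclass=1):
    """Construct a minimal standard query (RD set) for the samples below."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

# Constructed samples: a real-looking query, the matching response (QR=1,
# as a reflected answer would look), and a chargen-style text blob.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = struct.pack("!HH", 0x1234, 0x8180) + SAMPLE_QUERY[4:]
CHARGEN_PAYLOAD = b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefg\r\n"

if __name__ == "__main__":
    for port, pkt in [(53000, SAMPLE_QUERY), (19, CHARGEN_PAYLOAD),
                      (464, SAMPLE_RESPONSE), (53000, b"garbage")]:
        print(port, decide(port, pkt))
```

Two design points worth noting: the response sample is rejected on the QR bit alone, so reflected answers never earn an error reply, and the decision is keyed on the source port only for the silent-drop case; a malformed packet from an ordinary ephemeral port still gets the normal FORMERR so legitimate but buggy clients are not left hanging.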