> 
> 
> In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > > In message <alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> > > > Mark Andrews <ma...@isc.org> wrote:
> > > > >
> > > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > > that is in lots of old configurations.
> > > > >
> > > > >       listen-on { <internal address>; };
> > > > >       query-source * port 53;
> > > > 
> > > > I did this back in the 1990s because it worked around occasional interop
> > > > problems, I think caused by over-enthusiastic firewall configurations that
> > > > thought all DNS (queries and responses) should be on port 53. Several
> > > > years ago I found that things had changed and the popular
> > > > over-enthusiastic firewall configuration requires DNS query source ports to be
> > > > greater than 1023.
> > > 
> > > Both firewall configurations are broken.  You don't look at source
> > > ports if you are offering a service.
> > 
> > Sure you can.  And sometimes do.  That's what the whole privileged port
> > thing is about, right?  Sometimes it is desirable to constrain the 
> > possibilities for various reasons.
> 
> Even then you don't examine it in the firewall as those services
> still accept connections from non-reserved ports.  You just get
> extra functionality if you come from a known machine using a source
> port less than 1024.

So then you do understand the reason why someone might do this with DNS.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
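The thread above contrasts the old `query-source * port 53;` configuration with the two firewall policies that key on a query's source port. The following is an added example (not from the thread or from any of its authors) that looks at the problem from the resolver operator's side: given a sample of outbound queries, it flags clients that always send from one fixed port (the setting Mark Andrews calls unwise, since a fixed port removes the source-port entropy that makes forged answers harder to land) and clients whose port is below 1024 (which the ">1023" firewall policy Tony Finch describes would drop). All addresses and port values in `SAMPLE_QUERIES` are constructed; no record format from the thread is assumed.

```python
"""Flag resolvers that send DNS queries from a fixed or privileged source port.

Each record is a constructed tuple (client_ip, src_port, dst_ip, dst_port)
describing one outbound UDP query; a real deployment would fill this list
from flow records or packet captures.
"""
from collections import defaultdict

# Constructed sample (documentation-range addresses, hypothetical ports).
SAMPLE_QUERIES = [
    ("192.0.2.10", 53, "198.51.100.1", 53),     # "query-source * port 53" style
    ("192.0.2.10", 53, "198.51.100.2", 53),
    ("192.0.2.10", 53, "198.51.100.3", 53),
    ("192.0.2.10", 53, "198.51.100.4", 53),
    ("192.0.2.20", 41822, "198.51.100.1", 53),  # randomized ephemeral ports
    ("192.0.2.20", 58013, "198.51.100.2", 53),
    ("192.0.2.20", 33471, "198.51.100.3", 53),
    ("192.0.2.20", 61044, "198.51.100.4", 53),
    ("192.0.2.30", 1024, "198.51.100.1", 53),   # fixed but not privileged
    ("192.0.2.30", 1024, "198.51.100.2", 53),
    ("192.0.2.30", 1024, "198.51.100.3", 53),
    ("192.0.2.40", 80, "198.51.100.1", 80),     # not DNS; ignored
]


def ports_by_client(records):
    """Group the source ports of queries to destination port 53, per client."""
    ports = defaultdict(list)
    for src_ip, src_port, _dst_ip, dst_port in records:
        if dst_port == 53:
            ports[src_ip].append(src_port)
    return ports


def assess_client(port_list, min_samples=3):
    """Return findings for one client's observed source ports.

    Fewer than min_samples queries is not enough to judge randomization,
    so such clients produce no findings at all.
    """
    findings = []
    if len(port_list) < min_samples:
        return findings
    distinct = set(port_list)
    if len(distinct) == 1:
        findings.append("fixed source port %d (no source-port randomization)"
                        % port_list[0])
    if any(p < 1024 for p in distinct):
        findings.append("privileged source port (<1024) in use; firewalls that "
                        "require query source ports >1023 will drop these")
    return findings


def assess(records):
    """Map each client that has at least one finding to its list of findings."""
    result = {}
    for client, port_list in ports_by_client(records).items():
        findings = assess_client(port_list)
        if findings:
            result[client] = findings
    return result


if __name__ == "__main__":
    for client, findings in sorted(assess(SAMPLE_QUERIES).items()):
        for finding in findings:
            print("%s: %s" % (client, finding))
```

Run against the constructed sample, the client on port 53 gets both findings, the client fixed on 1024 gets only the randomization finding, and the client using varied ephemeral ports is not reported.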
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs