In message <201206130045.q5d0joit078...@aurora.sol.net>, Joe Greco writes:
> > In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > > > In message <alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> > > > > Mark Andrews <ma...@isc.org> wrote:
> > > > > >
> > > > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > > > that is in lots of old configurations.
> > > > > >
> > > > > > listen-on { <internal address>; };
> > > > > > query-source * port 53;
> > > > >
> > > > > I did this back in the 1990s because it worked around occasional interop
> > > > > problems, I think caused by over-enthusiastic firewall configurations that
> > > > > thought all DNS (queries and responses) should be on port 53. Several
> > > > > years ago I found that things had changed and the popular over-
> > > > > enthusiastic firewall configuration requires DNS query source ports to be
> > > > > greater than 1023.
> > > >
> > > > Both firewall configurations are broken. You don't look at source
> > > > ports if you are offering a service.
> > >
> > > Sure you can. And sometimes do. That's what the whole privileged port
> > > thing is about, right? Sometimes it is desirable to constrain the
> > > possibilities for various reasons.
> >
> > Even then you don't examine it in the firewall as those services
> > still accept connections from non-reserved ports. You just get
> > extra functionality if you come from a known machine using a source
> > port less than 1024.
>
> So then you do understand the reason why someone might do this with DNS.
No. The DNS isn't a 'r*' protocol. If you are advertising a nameserver
to the world there is zero, nada, no, none justifiable reason to look at
the source port of the query. You have no knowledge about the client.

Even the 'r*' protocols, for all the flaws in the security model, only
paid attention to the source port when the connection came from a
"trusted" machine; otherwise they ignored the port and requested that
you login.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
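A defender-side check that follows from the thread, added here as an example and not part of any of the messages above or of ISC's code: it profiles the source ports each client uses for its queries and flags clients that, like the old `query-source * port 53` configuration, always send from a single port. The log lines are constructed for the example and are only modelled on the `client <ip>#<port>` field of BIND 9 query logging; the thresholds are assumptions. As Mark says, such clients are legitimate and a public nameserver must still answer them regardless of source port; the "unwise" part is on the client side, because a fixed source port removes the port entropy that protects a resolver's cache against spoofed answers, so the point of flagging them is to get their operators to fix the configuration, not to filter them.

```python
"""Profile DNS query source ports per client from BIND-style query log lines.

Added example for the thread above; not code from the list or from ISC.
The log lines below are constructed to resemble BIND 9 query logging
("client <ip>#<port> ..."); only the address and port fields are parsed.
"""
import math
import re
from collections import Counter, defaultdict

# Matches the "client <ip>#<port>" field written by BIND 9 query logging.
# Newer versions insert a "@0x..." client pointer before the address.
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(\d{1,3}(?:\.\d{1,3}){3})#(\d+)"
)

# Constructed sample (not real traffic):
#   10.0.0.5  old "query-source * port 53" style, every query from port 53
#   10.0.0.7  randomised ephemeral source ports
#   10.0.0.9  pinned to port 1023 but seen too rarely to judge
SAMPLE_LOG = """\
13-Jun-2012 10:45:01.101 client 10.0.0.5#53 (example.com): query: example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:01.204 client 10.0.0.5#53 (example.com): query: example.com IN AAAA +E (192.0.2.1)
13-Jun-2012 10:45:01.310 client 10.0.0.5#53 (example.net): query: example.net IN A +E (192.0.2.1)
13-Jun-2012 10:45:01.422 client 10.0.0.5#53 (example.org): query: example.org IN MX +E (192.0.2.1)
13-Jun-2012 10:45:01.531 client 10.0.0.5#53 (isc.org): query: isc.org IN A +E (192.0.2.1)
13-Jun-2012 10:45:01.640 client 10.0.0.5#53 (isc.org): query: isc.org IN NS +E (192.0.2.1)
13-Jun-2012 10:45:01.753 client 10.0.0.5#53 (example.com): query: www.example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:01.866 client 10.0.0.5#53 (example.com): query: mail.example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:02.012 client 10.0.0.7#31415 (example.com): query: example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:02.118 client 10.0.0.7#51234 (example.com): query: example.com IN AAAA +E (192.0.2.1)
13-Jun-2012 10:45:02.227 client 10.0.0.7#40001 (example.net): query: example.net IN A +E (192.0.2.1)
13-Jun-2012 10:45:02.339 client 10.0.0.7#62010 (example.org): query: example.org IN MX +E (192.0.2.1)
13-Jun-2012 10:45:02.448 client 10.0.0.7#33333 (isc.org): query: isc.org IN A +E (192.0.2.1)
13-Jun-2012 10:45:02.557 client 10.0.0.7#49152 (isc.org): query: isc.org IN NS +E (192.0.2.1)
13-Jun-2012 10:45:02.665 client 10.0.0.7#58888 (example.com): query: www.example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:02.778 client 10.0.0.7#45678 (example.com): query: mail.example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:03.004 client 10.0.0.9#1023 (example.com): query: example.com IN A +E (192.0.2.1)
13-Jun-2012 10:45:03.115 client 10.0.0.9#1023 (example.net): query: example.net IN A +E (192.0.2.1)
13-Jun-2012 10:45:03.226 client 10.0.0.9#1023 (example.org): query: example.org IN A +E (192.0.2.1)
"""


def parse_queries(text):
    """Return a list of (client_ip, source_port) for every line with a client field."""
    records = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            records.append((m.group(1), int(m.group(2))))
    return records


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits.

    0.0 means one port was used every time; a well-randomised client
    approaches log2(number of queries) until the port space saturates."""
    counts = Counter(ports)
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def source_port_profile(records):
    """Per-client summary: query count, distinct ports, and port entropy."""
    by_client = defaultdict(list)
    for ip, port in records:
        by_client[ip].append(port)
    return {
        ip: {
            "queries": len(ports),
            "distinct_ports": len(set(ports)),
            "entropy_bits": port_entropy_bits(ports),
        }
        for ip, ports in by_client.items()
    }


def fixed_source_port_clients(records, min_queries=5):
    """Clients that used one source port across at least min_queries queries.

    min_queries is an assumed threshold: fewer observations than that is
    treated as insufficient evidence rather than as a fixed port."""
    profile = source_port_profile(records)
    return sorted(
        ip for ip, p in profile.items()
        if p["queries"] >= min_queries and p["distinct_ports"] == 1
    )


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for ip, p in sorted(source_port_profile(recs).items()):
        print(f"{ip:12} queries={p['queries']:3} distinct_ports={p['distinct_ports']:3} "
              f"entropy={p['entropy_bits']:.2f} bits")
    print("fixed source port:", fixed_source_port_clients(recs))
```

Run against a real query log the same way; a resolver that shows up with a single source port over hundreds of queries is the one whose operator should be told to drop the `query-source ... port` pin, while the nameserver side keeps answering all of them.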