Tony Finch wrote on 6/11/2019 4:23 AM:
Mark Andrews wrote:
> As for the NAT box that chooses those ports. If you can’t keep the
> original port it should choose an ephemeral port at random. Choosing a
> well known port is problematic for lots of reasons.
If I understand the documentation that was l
Mark Andrews wrote:
> As for the NAT box that chooses those ports. If you can’t keep the
> original port it should choose an ephemeral port at random. Choosing a
> well known port is problematic for lots of reasons.
If I understand the documentation that was linked previously
https://www.cisco.c
On 6/10/19 4:56 PM, Mark Andrews wrote:
> Named is already selective about what it doesn’t reply to.
> * Packets < 12 octets (DNS header size) don’t get a reply.
> * QR=1 doesn’t get a reply.
> * Source port 0 doesn’t get a reply (source port 0 is “discard me”).
> * Kpasswd doesn’t get FORMERR.
> * echo, ch
> On 11 Jun 2019, at 8:01 am, Grant Taylor via bind-users
> wrote:
>
> On 6/10/19 3:29 PM, Mark Andrews wrote:
>> The primary issue here is that there is still source address spoofing
>> happening so you have to consider what if this packet was spoofed. DNS uses
>> UDP and is used as a refl
On 6/10/19 3:29 PM, Mark Andrews wrote:
> The primary issue here is that there is still source address spoofing
> happening so you have to consider what if this packet was spoofed. DNS
> uses UDP and is used as a reflector. The small services ports listed
> generate reply traffic.
> Additionally kpassw
The primary issue here is that
there is still source address spoofing happening so you have to consider what
if this packet was spoofed. DNS uses UDP and is used as a reflector. The small
services ports listed generate reply traffic.
Additionally kpasswd and a DNS server can generate a self su
On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users
wrote:
>
> On 6/7/19 8:44 PM, Mark Andrews wrote:
> > Named drops those ports as they can be used in reflection attacks.
> > Sane NAT developers avoid those ports for just that reason. The full
> > list is below.
>
> I understand the lo
Barry Margolin wrote on 6/10/2019 11:18 AM:
In article ,
Blake Hudson wrote:
> Thank you Mark. A popular NAT appliance manufacturer has some logic that
> attempts to keep the translated source port close to the untranslated
> source port which can sometimes result in the behavior I've described
On 6/7/19 8:44 PM, Mark Andrews wrote:
> Named drops those ports as they can be used in reflection attacks.
> Sane NAT developers avoid those ports for just that reason. The full
> list is below.
I understand the logic behind avoiding potentially problematic ports.
But I don't understand the actua
On 6/10/19 10:18 AM, Barry Margolin wrote:
> Why would the original source port be close to any of these low port
> numbers? Source ports should normally be ephemeral ports.
There has been some movement afoot in the last 10 years or so to use
more of the 65,535 ports as the source port for securit
In article ,
Blake Hudson wrote:
> Thank you Mark. A popular NAT appliance manufacturer has some logic that
> attempts to keep the translated source port close to the untranslated
> source port which can sometimes result in the behavior I've described
> where DNS queries use the well known so
Thank you Mark. A popular NAT appliance manufacturer has some logic that
attempts to keep the translated source port close to the untranslated
source port which can sometimes result in the behavior I've described
where DNS queries use the well known source port of protocols that are
abuse prone
Named drops those ports as they can be used in reflection attacks.
Sane NAT developers avoid those ports for just that reason. The
full list is below.
static int
ns_client_dropport(in_port_t port) {
switch (port) {
case 7: /* echo */
case 13: /* daytime */
case 19: /* chargen */
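The checks Mark lists (short packets, QR=1, source port 0, the small-service ports in ns_client_dropport, no FORMERR to kpasswd) and the two NAT port-selection behaviours the thread contrasts, as an added Python model. This is example code, not BIND's or any appliance vendor's: BIND's real logic lives in ns_client_dropport() and the client code around it and is not reproduced here. Assumptions: port 464 for kpasswd is the IANA assignment (the thread names the service, not the number); appliance_pick_port and sane_pick_port are hypothetical sketches of the "stay close to the original port" heuristic Blake describes and the random-ephemeral alternative Mark recommends; the ephemeral range used is IANA's dynamic range 49152-65535.

```python
"""Model of the per-datagram checks the thread attributes to named, next to
the two NAT source-port strategies it contrasts. Added example, not BIND's
code: BIND's real logic is in ns_client_dropport() and the client code around
it, which this does not reproduce. Assumptions: 464 is the IANA port for
kpasswd (the thread names the service, not the number); the two NAT pickers
are hypothetical sketches, not any vendor's implementation; the ephemeral
range is IANA's dynamic range 49152-65535."""
import random
import struct

DNS_HEADER_LEN = 12
QR_BIT = 0x8000

# Small services answer any datagram they receive. A spoofed query "from" one
# of these ports would make named and the victim's echo/chargen service bounce
# traffic back and forth, so named sends nothing at all.
SMALL_SERVICE_PORTS = {7: "echo", 13: "daytime", 19: "chargen"}
KPASSWD_PORT = 464  # assumption: IANA assignment; answered, but never sent FORMERR
EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range

ANSWER, DROP, FORMERR = "answer", "drop", "formerr"


def question_is_well_formed(payload: bytes) -> bool:
    """True if QDCOUNT == 1 and the single question fits inside the datagram."""
    (qdcount,) = struct.unpack("!H", payload[4:6])
    if qdcount != 1:
        return False
    pos = DNS_HEADER_LEN
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len > 63:  # >63 would be a compression pointer; not valid here
            return False
        pos += label_len
    return pos + 4 <= len(payload)  # QTYPE and QCLASS must be present


def classify(src_port: int, payload: bytes) -> str:
    """What named does with a UDP datagram from src_port, per the thread."""
    if len(payload) < DNS_HEADER_LEN:  # shorter than a DNS header: no reply
        return DROP
    if src_port == 0:  # source port 0 means "discard me"
        return DROP
    if src_port in SMALL_SERVICE_PORTS:  # reflection-prone small services
        return DROP
    (flags,) = struct.unpack("!H", payload[2:4])
    if flags & QR_BIT:  # QR=1 is a response; answering it would create a loop
        return DROP
    if not question_is_well_formed(payload):
        # malformed query: FORMERR, except that kpasswd gets silence
        return DROP if src_port == KPASSWD_PORT else FORMERR
    return ANSWER


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, qr: bool = False) -> bytes:
    """Build a minimal DNS query datagram (constructed test input, RD set)."""
    flags = 0x0100 | (QR_BIT if qr else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def appliance_pick_port(original: int, in_use: set) -> int:
    """Hypothetical 'stay close to the original' heuristic Blake describes:
    walk downward from the client's port until a free one turns up. From a
    client port just above 19 with the neighbours busy, this lands on chargen."""
    port = original
    while port in in_use and port > 0:
        port -= 1
    return port


def sane_pick_port(original: int, in_use: set) -> int:
    """Mark's advice: keep the original port if you can, otherwise pick an
    ephemeral port at random and never drift into the well-known range."""
    if original not in in_use:
        return original
    return random.choice([p for p in EPHEMERAL if p not in in_use])


if __name__ == "__main__":
    q = build_query("google.com")
    for port in (40000, 7, 13, 19, 0, 464):
        print(f"src port {port:>5}: {classify(port, q)}")
    print("truncated question from 40000:", classify(40000, q[:20]))
    print("truncated question from 464:  ", classify(464, q[:20]))
    busy = {20}
    print("appliance picks", appliance_pick_port(20, busy), "->",
          classify(appliance_pick_port(20, busy), q))
    print("sane NAT picks", sane_pick_port(20, busy))
```

The same cases can be exercised against a live named with dig's -b address#port option, which is what the original question was doing: a query sent from port 7, 13 or 19 gets no answer at all, while the same query from an ephemeral port is answered.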
Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but
have also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated
from specific privileged source ports but not others?
Example:
[root@ns ~]# dig +short -b 127.0.0.1 @localhost google.com
172.217.6.110
[root@ns ~]# di
14 matches