Name Resolution issue with one domain

Mark Andrews marka at isc.org
Wed Mar 21 23:07:23 UTC 2012


In message <040B89C8B1E1D945AE2700C511A039E915F0BA at ATMEXDB04.dsw.net>, "Lightner, Jeff" writes:
> I don’t think the target is blocking as I get the following:

Jeff, the servers *are* dropping packets sourced from port 53.  By
default dig uses an ephemeral port assigned by the system.  It doesn't
use port 53 as the nameserver uses that port.  If you want to test
you need to force the source port like I did below.  You may also
want to do a packet dump if you are running named on the machine
as the replies will go to named and not dig due to how the socket
code works.

By default, modern versions of named will use multiple ports.  BIND
9, by default, has always used ephemeral ports rather than port 53
to make queries.  To make it use port 53 for queries you need to
configure it to do so in named.conf using query-source.

As for using port 53 to source queries, there are circumstances
where that is fine.  When you know or can reasonably expect that
the answers will be signed.  There is some risk that you will get
a spoofed response that will go undetected if this is not the case.
For most nameservers that risk is extremely low that you will be
targeted, however there are some cases where it isn't.

Mark

> dig www.dubaiairport.com
> 
> ; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;www.dubaiairport.com.          IN      A
> 
> ;; ANSWER SECTION:
> www.dubaiairport.com.   7200    IN      A       213.42.55.169
> 
> ;; AUTHORITY SECTION:
> dubaiairport.com.       172799  IN      NS      dcaowa01.dubaiairport.com.
> dubaiairport.com.       172799  IN      NS      svr-b003.dubaiairport.com.
> 
> ;; Query time: 337 msec
> ;; SERVER: 192.94.73.20#53(192.94.73.20)
> ;; WHEN: Wed Mar 21 19:25:08 2012
> ;; MSG SIZE  rcvd: 100
> 
> The point is your firewall should NOT block outbound queries for port 53 
> or other ports.   There is a well known cache poisoning attack based on 
> knowing the outbound (source) port that is going to be used so the port 
> should be randomized.   Port 53 MUST be accessible on the target DNS 
> server as that is the one that is going to answer the query.
> 
> ________________________________
> From: bind-users-bounces+jlightner=water.com at lists.isc.org 
> [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf 
> Of babu dheen
> Sent: Wednesday, March 21, 2012 3:14 PM
> To: Matus UHLAR - fantomas; bind-users at lists.isc.org
> Subject: Re: Name Resolution issue with one domain
> 
> Dear All,
> 
> When I executed #dig www.dubaiairport.com, I am getting the below response
> 
> ; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> 
> When I checked the firewall logs, as you all confirmed, traffic is 
> leaving from both non-standard and standard ports. But the firewall logs 
> clearly show that traffic from source port 53 is getting dropped. 
> But other DNS traffic towards various domains is also going with source port 
> 53, for which we have no issue.
> 
>  Is this port restriction done at remote domain firewall?
>  Is there any way to enforce non standard port for this domain query at 
> our BIND level from our side?
> 
> 
> Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
> 
> Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=451904 reason=Close - AGE OUT
> 
> Regards
> Babu
> 
> From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
> To: bind-users at lists.isc.org
> Sent: Wednesday, 21 March 2012 11:41 AM
> Subject: Re: Name Resolution issue with one domain
> 
> On 21.03.12 09:23, Mark Andrews wrote:
> >Stupid firewall rules in front of the nameservers.  They block
> >traffic sent from port 53 which is the port lots of nameservers
> >used to send query traffic.  When will firewall administrators learn
> >that the source ports can be anything, that they are not significant,
> >and that blocking traffic based on the source port is stupid.
> 
> maybe the admin set that up to force local servers to use random ports,
> instead of 53, for outgoing requests. Nobody should use port 53 for
> _outgoing_ requests.
> 
> >bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> >09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> >09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> >09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> >
> >; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> >;; global options: +cmd
> >;; connection timed out; no servers could be reached
> >bsdi#
> 
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Quantum mechanics: The dreams stuff is made of.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
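The firewall session lines quoted in the thread (src_port=53, rcvd=0) are the evidence Mark and Jeff are reading: queries leaving from a fixed source port 53 and never getting a reply. The following Python script is an added example, not code from the thread or from ISC; it parses session-close lines in that key=value style, flags DNS sessions that were sourced from port 53 and received nothing back, and reports how many distinct source ports the resolver used. The sample lines are constructed for the example (RFC 5737 documentation addresses, made-up session ids), not real traffic; a resolver that shows only port 53 as its source is the one to check for a fixed port in BIND's query-source setting.

```python
"""Flag DNS sessions sent from a fixed source port that went unanswered.

Added example (not from the thread): parses firewall session log lines in
the key=value style quoted in the thread and summarises source-port use.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the format quoted in the thread.
# Two queries to 203.0.113.75/.79 leave from source port 53 and get no bytes
# back (rcvd=0); one query to another server from port 53 is answered; one
# query from an ephemeral port to 203.0.113.75 is answered.
SAMPLE_LOG = """\
Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=203.0.113.75 src_port=53 dst_port=53 session_id=1001 reason=Close - AGE OUT
Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=203.0.113.79 src_port=53 dst_port=53 session_id=1002 reason=Close - AGE OUT
Mar 21 21:51:02 start_time="2012-03-21 21:51:01" duration=1 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=61 rcvd=145 src=10.1.1.1 dst=198.51.100.10 src_port=53 dst_port=53 session_id=1003 reason=Close - RESP
Mar 21 21:51:09 start_time="2012-03-21 21:51:08" duration=1 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=61 rcvd=116 src=10.1.1.1 dst=203.0.113.75 src_port=48211 dst_port=53 session_id=1004 reason=Close - RESP
"""

# key=value pairs; the value is either a double-quoted string or one token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_session(line):
    """Return the key=value fields of one session line as a dict (quotes stripped).

    Keys that repeat on a line (e.g. 'zone' for src and dst) keep the last
    value; the fields this check needs (service, proto, src_port, dst_port,
    dst, rcvd) occur once each.
    """
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_outbound_dns_query(fields):
    """UDP session to destination port 53 that the firewall logged as DNS."""
    return (fields.get("service") == "dns"
            and fields.get("proto") == "17"
            and fields.get("dst_port") == "53")


def analyze(log_text):
    """Summarise source-port use and unanswered fixed-port queries.

    Returns a dict with:
      dns_sessions            - number of outbound DNS sessions seen
      source_ports            - sorted list of distinct source ports used
      unanswered_from_port_53 - {dst: count} of sessions sourced from 53 with rcvd=0
    """
    unanswered = defaultdict(int)
    ports = set()
    sessions = 0
    for line in log_text.splitlines():
        fields = parse_session(line)
        if not is_outbound_dns_query(fields):
            continue
        sessions += 1
        ports.add(fields.get("src_port", "?"))
        if fields.get("src_port") == "53" and fields.get("rcvd") == "0":
            unanswered[fields.get("dst", "?")] += 1
    return {
        "dns_sessions": sessions,
        "source_ports": sorted(ports),
        "unanswered_from_port_53": dict(unanswered),
    }


def report(summary):
    """Human-readable findings for the summary produced by analyze()."""
    lines = [f"outbound DNS sessions: {summary['dns_sessions']}",
             f"distinct source ports: {', '.join(summary['source_ports'])}"]
    if "53" in summary["source_ports"]:
        lines.append("resolver is sending queries from source port 53 "
                     "(BIND: check query-source in named.conf and let it "
                     "pick ephemeral ports)")
    for dst, count in sorted(summary["unanswered_from_port_53"].items()):
        lines.append(f"{count} unanswered port-53-sourced query session(s) to {dst}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run against a real export, the two numbers to look at are the count of distinct source ports (one port means the resolver is not randomising, which is the poisoning exposure Jeff describes) and the per-destination list of unanswered port-53-sourced sessions (which is the pattern Babu saw for dubaiairport.com and which Mark confirmed with `dig -b 0.0.0.0#53`).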