Suspicious DNS traffic
Novosielski, Ryan
novosirj at umdnj.edu
Tue Mar 26 19:07:01 UTC 2013
Niall already answered you the other day (brackets mine):
"The reply to such a query [from your server] originates from port 53
on the remote server, and is destined for the port on your server
which was used as the source of the query[, which will be a randomly
chosen port above 1024 if you are doing things the way they are
usually done]."
On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
>
> I am using a stateful firewall from a leading vendor company. So let me
> know why my server still initiates connections to remote DNS servers
> on a non-standard destination port?
>
> Regards Babu
>
>
> *From:* "WBrown at e1b.org" <WBrown at e1b.org>
> *To:* babu dheen <babudheen at yahoo.co.in>
> *Cc:* "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspicious DNS traffic
>
> babu dheen wrote on 03/25/2013 12:21:30 PM:
>
>> Still not convinced, because if I need to allow >1024 ports from
>> our DNS server to the external world (internet)... where is the
>> security?
>
> Total security requires total isolation. It is a matter of
> accepting some risks to perform the needed task.
>
>> I believe we just need to allow TCP and UDP 53 from our DNS
>> server to the internet (any), which is already done. Not sure why we
>> have to open a non-standard port from our DNS server to the internet?
>>
>> Kindly provide some details.
>
> You send a request via UDP from a random high port to an authoritative
> server. The answer is too large to fit in a UDP packet, so it responds
> via TCP to the source port of the request (the random high port from
> above). If you block that TCP connection, you cannot receive the
> answer to your query.
>
> Another reason for TCP replies is DNS Response Rate Limiting
> (RRL).
>
> Some "modern" stateful firewalls understand DNS and if there is a
> UDP packet sent to port 53, it will accept TCP connections back
> from the destination address on port 53 to the source
> address/port.
--
Ryan Novosielski - Sr. Systems Programmer
novosirj at umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
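An added illustration, not part of this thread or of BIND, of the flows discussed above: a resolver's UDP query leaves from an ephemeral source port, the reply comes back from the remote server's port 53 to that same port (the entry a stateful firewall keeps), and a reply with the TC bit set makes the resolver itself open a new outbound TCP connection to port 53. All addresses and ports below are constructed, and the ephemeral range used is an assumption.

```python
import os
import random
import struct
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def pick_ephemeral_port() -> int:
    # Assumed range: a randomly chosen port above 1024, as the thread describes.
    return random.SystemRandom().randint(1025, 65535)

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (random ID, RD set) plus one IN question."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def make_truncated_response(query: bytes) -> bytes:
    """Constructed reply to `query` with QR, TC, RD and RA set (0x8380) and no answers."""
    return query[:2] + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + query[12:]

def transaction_id(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[:2])[0]

def is_truncated(pkt: bytes) -> bool:
    """TC bit (0x0200 in the flags word): the answer did not fit in UDP."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

def expected_reply(query_flow: Flow) -> Flow:
    """The return flow a stateful firewall must admit: remote port 53 back to our ephemeral port."""
    return Flow(query_flow.proto, query_flow.dst_ip, query_flow.dst_port,
                query_flow.src_ip, query_flow.src_port)

def accept_response(query: bytes, query_flow: Flow, resp: bytes, resp_flow: Flow) -> bool:
    """Reply is only trusted if it arrives on the predicted flow and echoes the query's ID."""
    return resp_flow == expected_reply(query_flow) and transaction_id(resp) == transaction_id(query)

def tcp_retry_flow(query_flow: Flow) -> Flow:
    """On TC, the resolver opens a fresh outbound TCP connection to the server's port 53."""
    return Flow("tcp", query_flow.src_ip, pick_ephemeral_port(), query_flow.dst_ip, 53)
```

The firewall rule that admits `expected_reply(...)` and `tcp_retry_flow(...)` is all the resolver needs; no inbound connection to a high port is ever initiated by the remote server.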