BIND and firewall port numbers...

Simon Waters Simon at wretched.demon.co.uk
Mon Aug 27 22:16:23 UTC 2001


meliorasf wrote:
> 
> Is there an upper limit to the "port numbers greater than 1023" used by
> BIND that can be assumed?  In my case, a firewall is greatly compromised
> if I have to leave all ports above 1023 wide open.  In other words, does
> bind USUALLY use port numbers, say, between 1023 and
> <some_other_number>, for example?  Does anyone have a rough idea of what
> the <some_other_number> generally is?

BIND is using the anonymous port range of your OS. 

This will be above 1023 for all OSes (I hope) but for example
some Solaris versions use a range that starts at a much higher
port. The range is specifiable in kernel parameters for some
operating systems, and will affect most IP based applications.

In this sense DNS servers are fairly typical of all IP
applications, the server listens on a well known port (53), and
the clients query from the anonymous port range to the well
known port. The only oddities are that the server process is
sometimes also the client process, and that we require both UDP
and TCP.

For typical use with DNS you need to allow outgoing connections
from the anonymous ports on your DNS servers to port 53 on any
remote system. 

Most modern firewalls go further and will track the DNS
conversation on a "my internal name server asked external server
fred something, so this response from fred is allowed in" basis,
but object if, say, "fred" were to ask a question rather than send
an answer.

> I have also read that instead of using a random port greater than 1023,
> you can specify another port for BIND to use (even 53) for those
> services.  Does this introduce any problems if you do use this port?

No problems that I know of, as this is how BIND worked in the
old days - but it makes it harder to distinguish traffic so you
might like to check you have disabled all inappropriate incoming
packets at the DNS level (e.g. queries or updates from Internet
addresses etc).

The firewall purist in me hopes you do something more
sophisticated than "all traffic to/from port 53 on my internal
nameservers from/to external port 53 on external servers is
allowed".

Read the firewall manual; I mean, if they haven't done something
smart with DNS (which is the first protocol most people ever
have to firewall), it doesn't bode well for the rest of your
firewalling.

-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework

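As an added illustration of the stateful tracking Simon describes above (this is example code written for this page, not anything from the thread or from BIND itself): a small Python model of a firewall that records the internal resolver's outbound questions and admits only the matching answers. It reads the QR bit of the DNS header so that a question from "fred" is still refused when a fixed source port of 53 makes the 5-tuple look identical in both directions. The addresses, the 30-second flow timeout and the resolver-only policy are constructed assumptions.

```python
import struct
import time

# Constructed scenario: a resolver-only internal name server behind a stateful
# firewall.  Addresses are RFC 5737 documentation addresses, not real hosts.
INTERNAL_NS = "192.0.2.10"
DNS_PORT = 53
FLOW_TIMEOUT = 30.0  # assumed: seconds a question may wait for its answer


def dns_is_response(payload: bytes) -> bool:
    """True when the DNS header's QR bit (top bit of the flags word) is set."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool((flags >> 15) & 1)


def make_dns_packet(txid: int, response: bool) -> bytes:
    """Constructed 12-byte DNS header (no question section) for testing."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for answers, RD for queries
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


class DnsStatefulFilter:
    """Admits inbound DNS only as the answer to a question we saw go out."""

    def __init__(self):
        # (src_ip, src_port, dst_ip, dst_port, proto) of outbound questions -> expiry
        self.pending = {}

    def filter(self, src_ip, src_port, dst_ip, dst_port, proto, payload, now=None):
        now = time.monotonic() if now is None else now
        is_resp = dns_is_response(payload)  # payload: DNS message without TCP length prefix
        if src_ip == INTERNAL_NS and dst_port == DNS_PORT and not is_resp:
            # Outbound question: source is an anonymous port above 1023, or port 53
            # itself when the server's query source port has been pinned to 53.
            if src_port != DNS_PORT and src_port < 1024:
                return "DROP"
            self.pending[(src_ip, src_port, dst_ip, dst_port, proto)] = now + FLOW_TIMEOUT
            return "ACCEPT"
        if dst_ip == INTERNAL_NS:
            key = (dst_ip, dst_port, src_ip, src_port, proto)  # reversed tuple
            expiry = self.pending.get(key)
            if expiry is not None and now <= expiry and is_resp:
                del self.pending[key]  # one answer per question
                return "ACCEPT"
            # Remote host asking a question, a stale answer, or an unsolicited reply
            return "DROP"
        return "DROP"
```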
