Low numbered source port for queries
Kevin Darcy
kcd at daimlerchrysler.com
Sat Jul 21 00:08:43 UTC 2001
You shouldn't be getting DNS queries with source ports in the privileged
range other than port 53. Looks like a broken nameserver/resolver
configuration on the other end.
- Kevin
Chad M. Stewart wrote:
> All,
>
> The packet filters on my firewall are rejecting some DNS
> queries to my name server. From the books that I've read
> the rejections seem correct. Maybe the books are neglecting
> to tell me something.
>
> Below is my understanding of the possible packet flow over a
> firewall when there is an authoritative DNS server behind it.
> Sorry the syntax is for ipchains, but should be understandable
> all the same.
>
> The rejections in my log look like
>
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
>
> 17=UDP
> y.y.y.y - being the host on the Internet
> x.x.x.x - being my system
>
> The books I've read on DNS and firewalls/packetfiltering don't
> mention or I have not read of a situation where the protocol
> is UDP and the source port is !=53 && <=1023. Instead the source
> port should be either 53 or >=1024. Am I missing something
> here or is the source server misconfigured?
>
> # DNS - UDP - client --> server
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $DNS \
> --destination $EXTERNAL_NETWORK $UNPRIVPORTS \
> --protocol udp
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $UNPRIVPORTS \
> --destination $LOCALHOST $DNS \
> --protocol udp
>
> # DNS - TCP - client --> server or server --> server
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $DNS \
> --destination $EXTERNAL_NETWORK $UNPRIVPORTS \
> --protocol tcp ! -y
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $UNPRIVPORTS \
> --destination $LOCALHOST $DNS \
> --protocol tcp
>
> # DNS - UDP - server --> server
> ipchains --append output \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $LOCALHOST $DNS \
> --destination $EXTERNAL_NETWORK $DNS \
> --protocol udp
>
> ipchains --append input \
> --jump ACCEPT \
> --interface $EXTERNAL_INTERFACE \
> --source $EXTERNAL_NETWORK $DNS \
> --destination $LOCALHOST $DNS \
> --protocol udp
>
> Thank you,
> Chad
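Added example, not part of the thread: a small Python triage script that parses ipchains log lines of the shape posted above and buckets the rejected UDP port-53 packets by source address and by which of the three source-port cases (53, >=1024, or privileged but not 53) they fall into, so the hosts with the odd resolver behaviour stand out. The sample lines, the addresses and the bucket names are constructed.

```python
import re
from collections import Counter

# Matches ipchains log lines of the shape shown in the thread:
#   Packet log: input DENY eth0 PROTO=17 SRC:SPORT DST:DPORT
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def classify_source_port(sport: int) -> str:
    """Bucket a UDP DNS query source port (bucket names are our own)."""
    if sport == 53:
        return "server-to-server"   # queries sent from port 53, treated as legitimate above
    if sport >= 1024:
        return "unprivileged"       # ordinary resolver/client behaviour
    return "privileged-non-53"      # the case the thread attributes to a broken resolver

def triage(lines):
    """Count DENY'd UDP packets aimed at port 53, keyed by (source, bucket)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "DENY":
            continue                # only the rejections are of interest here
        if m["proto"] != "17" or int(m["dport"]) != 53:
            continue                # 17 = UDP; ignore TCP and non-DNS traffic
        counts[(m["src"], classify_source_port(int(m["sport"])))] += 1
    return counts

# Constructed sample lines (documentation-range addresses, not from the thread).
SAMPLE = [
    "Packet log: input DENY eth0 PROTO=17 192.0.2.10:1003 198.51.100.5:53",
    "Packet log: input DENY eth0 PROTO=17 192.0.2.10:1003 198.51.100.5:53",
    "Packet log: input DENY eth0 PROTO=17 192.0.2.20:53 198.51.100.5:53",
    "Packet log: input DENY eth0 PROTO=6 192.0.2.30:1003 198.51.100.5:53",
    "Packet log: input ACCEPT eth0 PROTO=17 192.0.2.40:2048 198.51.100.5:53",
]

if __name__ == "__main__":
    for (src, bucket), n in sorted(triage(SAMPLE).items()):
        print(f"{src:15} {bucket:18} {n}")
```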