Low numbered source port for queries

Kevin Darcy kcd at daimlerchrysler.com
Sat Jul 21 00:08:43 UTC 2001


You shouldn't be getting DNS queries with source ports in the privileged
range other than port 53. Looks like a broken nameserver/resolver
configuration on the other end.


- Kevin

Chad M. Stewart wrote:

> All,
>
> The packet filters on my firewall are rejecting some DNS
> queries to my name server.  From the books that I've read
> the rejections seem correct.  Maybe the books are neglecting
> to tell me something.
>
> Below is my understanding of the possible packet flow over a
> firewall when there is an authoritative DNS server behind it.
> Sorry the syntax is for ipchains, but should be understandable
> all the same.
>
> The rejections in my log look like
>
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
> Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53
>
> 17=UDP
> y.y.y.y - being the host on the Internet
> x.x.x.x - being my system
>
> The books I've read on dns and firewalls/packetfiltering don't
> mention or I have not read of a situation where the protocol
> is UDP and the source port is !=53 && <=1023.  Instead the source
> port should be either 53 or >=1024.  Am I missing something
> here or is the source server misconfigured?
>
> # DNS - UDP - client --> server
>   ipchains --append        output \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $LOCALHOST $DNS \
>            --destination   $EXTERNAL_NETWORK $UNPRIVPORTS \
>            --protocol      udp
>
>   ipchains --append        input \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $EXTERNAL_NETWORK $UNPRIVPORTS \
>            --destination   $LOCALHOST $DNS \
>            --protocol      udp
>
> # DNS - TCP - client --> server   or   server --> server
>   ipchains --append        output \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $LOCALHOST $DNS \
>            --destination   $EXTERNAL_NETWORK $UNPRIVPORTS \
>            --protocol      tcp ! -y
>
>   ipchains --append        input \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $EXTERNAL_NETWORK $UNPRIVPORTS \
>            --destination   $LOCALHOST $DNS \
>            --protocol      tcp
>
> # DNS - UDP - server --> server
>   ipchains --append        output \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $LOCALHOST $DNS \
>            --destination   $EXTERNAL_NETWORK $DNS \
>            --protocol      udp
>
>   ipchains --append        input \
>            --jump          ACCEPT \
>            --interface     $EXTERNAL_INTERFACE \
>            --source        $EXTERNAL_NETWORK $DNS \
>            --destination   $LOCALHOST $DNS \
>            --protocol      udp
>
> Thank you,
> Chad
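As an added illustration, not part of Kevin's or Chad's messages, here is a small Python checker that applies the three flows from the quoted ruleset (source port 53 for server-to-server, source port >=1024 for client-to-server) to ipchains "Packet log:" lines and flags the case the thread is about. The sample lines are constructed and keep the post's y.y.y.y / x.x.x.x placeholders in place of real addresses.

```python
import re
from dataclasses import dataclass

DNS_PORT = 53
FIRST_UNPRIV_PORT = 1024      # ipchains $UNPRIVPORTS is conventionally 1024:65535
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Layout of an ipchains log line as shown in the post:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
)

@dataclass
class Packet:
    chain: str
    verdict: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line):
    """Return a Packet for an ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Packet(m["chain"], m["verdict"], PROTO_NAMES.get(int(m["proto"]), m["proto"]),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def classify(pkt):
    """Name the flow from the quoted ruleset that would accept this packet."""
    if pkt.dport != DNS_PORT:
        return "not-dns"
    if pkt.sport == DNS_PORT:
        return "server-to-server"        # $DNS -> $DNS rules
    if pkt.sport >= FIRST_UNPRIV_PORT:
        return "client-to-server"        # $UNPRIVPORTS -> $DNS rules
    return "anomalous-source-port"       # != 53 and <= 1023: no rule matches, so DENY

def summarize(lines):
    """Count log lines per flow; the anomalous bucket is what the post asks about."""
    counts = {}
    for pkt in filter(None, map(parse_line, lines)):
        kind = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed sample, modelled on the lines quoted in the post
    "Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53",
    "Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53",
    "Packet log: input DENY eth0 PROTO=17 y.y.y.y.y:1003 x.x.x.x:53",
    "Packet log: input ACCEPT eth0 PROTO=17 z.z.z.z:53 x.x.x.x:53",
    "Packet log: input ACCEPT eth0 PROTO=17 z.z.z.z:34567 x.x.x.x:53",
]
```

Running summarize() over a real log gives a per-flow count, so a steady stream in the anomalous bucket from one source identifies the misbehaving resolver rather than a gap in the ruleset.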
