Correct Ports?
Josh Littlefield
joshl at cisco.com
Wed Jun 6 20:22:52 UTC 2001
One reason this is a bad idea is that it doesn't account for the firewall
behavior of people querying you. For example, if an enterprise server is
sending from port 53, but is behind a Cisco PIX firewall which is doing
NAT/PAT, the source port will be mapped to another port < 1024. You will
reject this packet, and that enterprise will be unable to resolve names in
your zone. This happens more than you might imagine.
Peter Billson wrote:
>
> Can anyone tell me if there is a good reason to allow connections to
> a local DNS port (53) from remote privileged ports (< 1024)?
>
> As I understand it *all* DNS is one of:
>   local port       remote port
>     (53)       <->    (53)
>  (1024:65535)   ->    (53)
>     (53)        <-  (1024:65535)
>
> and there should never be:
>   local            remote
>     (53)        <-   (1:1023)
>   (1:1023)      ->    (53)
>
> pete
> --
> http://www.elbnet.com
> ELB Internet Services, Inc.
> Web Design, Computer Consulting, Internet Hosting
--
=====================================================================
Josh Littlefield Cisco Systems, Inc.
joshl at cisco.com 250 Apollo Drive
tel: 978-244-8378 fax: same Chelmsford, MA 01824-3627
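As an added illustration (not part of either post), here is a small Python audit that applies Pete's proposed source-port filter to a constructed set of inbound query records and reports which remote clients the strict rule would cut off. The log line format, addresses and port numbers are assumed for the example.

```python
import re
from collections import Counter

# Constructed sample of inbound DNS queries to our server on 192.0.2.53/udp 53.
# The sport values for 203.0.113.7 and 203.0.113.40 model a PAT device that
# rewrote the resolver's source port to something below 1024.
SAMPLE_LOG = """\
proto=udp src=198.51.100.10 sport=53 dst=192.0.2.53 dport=53
proto=udp src=203.0.113.7 sport=1023 dst=192.0.2.53 dport=53
proto=udp src=203.0.113.7 sport=1022 dst=192.0.2.53 dport=53
proto=udp src=198.51.100.25 sport=34567 dst=192.0.2.53 dport=53
proto=udp src=192.0.2.99 sport=60000 dst=192.0.2.53 dport=53
proto=udp src=203.0.113.40 sport=512 dst=192.0.2.53 dport=53
"""

LINE_RE = re.compile(r"proto=(\w+) src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")


def parse(log):
    """Turn the constructed log text into (proto, src, sport, dst, dport) tuples."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            records.append((proto, src, int(sport), dst, int(dport)))
    return records


def strict_rule_accepts(sport, dport):
    """Pete's proposed policy: remote source port must be 53 or >= 1024."""
    return dport == 53 and (sport == 53 or sport >= 1024)


def lenient_rule_accepts(sport, dport):
    """Josh's point: accept any valid source port, since PAT may have rewritten it."""
    return dport == 53 and 1 <= sport <= 65535


def audit(log):
    """Return {client: count} for queries the strict rule drops but the lenient one keeps."""
    dropped = Counter()
    for _proto, src, sport, _dst, dport in parse(log):
        if lenient_rule_accepts(sport, dport) and not strict_rule_accepts(sport, dport):
            dropped[src] += 1
    return dict(dropped)
```

Running `audit` over real firewall logs before deploying such a rule shows how many querying networks would lose resolution for your zone.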