How do I disable high ports?

phn at icke-reklam.ipsec.nu
Tue Jan 28 19:39:58 UTC 2003


Mark <admin at asarian-host.net> wrote:
> <phn at icke-reklam.ipsec.nu> wrote in message
> news:b15agi$23c$1 at isrv4.isc.org...

>> Mark <admin at asarian-host.net> wrote:
>>
>> > Hi,
>>
>> > I am having a bit of a problem. When other servers query my name servers,
>> > they send queries with a source port of 53; but apparently my BIND
>> > (8.3.4) is responding from a high port. And this is causing some
>> > trouble. :( How can I prevent that??
>>
>> > Please, I am really in a BIND, as they say. :)
>>
>> You seem to have faulty Firewall-rules. Fix them.

> I am not sure what you mean. If you are suggesting I am instructing my
> firewall to redirect traffic from port 53 to a higher port (out), I am not.

> In my "options" section I have

>     query-source address * port 53;

> But my log is filled with entries like these:

> Accept UDP 10.0.0.2:53 194.112.32.1:1024 out via rl0
> Accept UDP 10.0.0.2:53 209.73.14.10:38992 out via rl0
> Accept UDP 10.0.0.2:53 165.250.91.52:53 out via rl0
> Accept UDP 10.0.0.2:53 209.73.14.10:38992 out via rl0
> Accept UDP 10.0.0.2:53 15.243.160.33:32857 out via rl0
> Accept UDP 10.0.0.2:53 194.205.246.130:42876 out via rl0
> Accept UDP 10.0.0.2:53 198.49.218.20:53 out via rl0
> Accept UDP 10.0.0.2:53 203.2.75.109:53 out via rl0
> Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0
> Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0
> Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0

> Which seems to suggest that for outgoing UDP a random high port is being
> used. :( And I do not understand why. :(

> - Mark

Bind-4 used to send its own queries from port 53. bind-8/9 does not,
instead a "random port" is used.

So even if clients ask your nameserver on port 53, you must
allow the nameserver to send queries to other nameservers, where
your nameserver uses a random source port, but the destination
port is 53.

Older firewall admins have been observed to think that dns traffic
is from port 53 to port 53. That is wrong.




-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
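The quoted log and Peter's explanation are two views of the same fact: only the name server's end of a DNS exchange is pinned to port 53, and the other end (a remote resolver sending a query, or this server sending its own recursive query) normally uses a random port. The script below is an added illustration and not part of the thread or of BIND. It parses log lines in the format Mark quotes, labels each packet's DNS role from the server host's point of view, and audits the lines against the "port 53 to port 53 only" assumption versus a rule that accepts port 53 at one end and any port at the other. The eleven quoted lines are reused as sample input; the three additional lines, the addresses 192.0.2.10 and 198.51.100.7 (documentation ranges), and the ports 40123 and 55000 are constructed for the example.

```python
import re
from collections import Counter

# Log format as quoted in the thread (packet filter on the name server host):
#   Accept UDP 10.0.0.2:53 194.112.32.1:1024 out via rl0
LOG_RE = re.compile(
    r"^(?P<action>\w+) UDP "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Name the DNS role of a packet from the name server host's point of view.

    For 'out' packets the local end is the source; for 'in' packets it is the
    destination. Only the server end of a DNS exchange is pinned to port 53;
    the other end normally uses a random port, as Peter describes.
    """
    outbound = flow["direction"] == "out"
    local_port = flow["sport"] if outbound else flow["dport"]
    remote_port = flow["dport"] if outbound else flow["sport"]
    if local_port == 53 and remote_port == 53:
        # A BIND 4 style resolver, or one configured with query-source port 53,
        # on one side; the log alone cannot say which end asked.
        return "port 53 at both ends"
    if local_port == 53:
        return "answer we send" if outbound else "query we receive"
    if remote_port == 53:
        return "query we send" if outbound else "answer we receive"
    return "not DNS"


def naive_rules(flow):
    """The misconception from the thread: DNS is always port 53 to port 53."""
    return flow["sport"] == 53 and flow["dport"] == 53


def dns_rules(flow):
    """Stateless rule a resolving name server actually needs: port 53 at one
    end, any port at the other. On a stateful filter, keep state on the
    outbound query instead of opening inbound 'source port 53' to every
    local port."""
    return flow["sport"] == 53 or flow["dport"] == 53


def audit(lines, rules):
    """Apply a rule predicate to each parseable line; return (counts, dropped)."""
    counts = Counter()
    dropped = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            counts["unparsed"] += 1
        elif rules(flow):
            counts["allowed"] += 1
        else:
            counts["dropped"] += 1
            dropped.append(line)
    return counts, dropped


# The eleven lines quoted in the thread, plus three constructed lines
# (192.0.2.10 and 198.51.100.7 are documentation addresses) showing the
# server's own outbound query, the answer to it, and a query from a remote
# resolver that uses a random source port.
SAMPLE_LOG = [
    "Accept UDP 10.0.0.2:53 194.112.32.1:1024 out via rl0",
    "Accept UDP 10.0.0.2:53 209.73.14.10:38992 out via rl0",
    "Accept UDP 10.0.0.2:53 165.250.91.52:53 out via rl0",
    "Accept UDP 10.0.0.2:53 209.73.14.10:38992 out via rl0",
    "Accept UDP 10.0.0.2:53 15.243.160.33:32857 out via rl0",
    "Accept UDP 10.0.0.2:53 194.205.246.130:42876 out via rl0",
    "Accept UDP 10.0.0.2:53 198.49.218.20:53 out via rl0",
    "Accept UDP 10.0.0.2:53 203.2.75.109:53 out via rl0",
    "Accept UDP 10.0.0.2:53 146.18.16.248:53 out via rl0",
    "Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0",
    "Accept UDP 10.0.0.2:53 15.251.160.31:32852 out via rl0",
    "Accept UDP 10.0.0.2:40123 192.0.2.10:53 out via rl0",      # constructed
    "Accept UDP 192.0.2.10:53 10.0.0.2:40123 in via rl0",       # constructed
    "Accept UDP 198.51.100.7:55000 10.0.0.2:53 in via rl0",     # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        flow = parse_line(line)
        print(f"{line:55} -> {classify(flow) if flow else 'unparsed'}")
    for name, rules in (("port 53 <-> port 53 only", naive_rules),
                        ("port 53 at one end", dns_rules)):
        counts, dropped = audit(SAMPLE_LOG, rules)
        print(f"\n{name}: {dict(counts)}")
        for line in dropped:
            print("  would drop:", line)
```

Run against the sample, every line in Mark's log classifies as "answer we send" or "port 53 at both ends": the high ports belong to the remote resolvers, not to his server. The "53 to 53 only" rule would drop ten of the fourteen packets, including the server's own query and the answer to it; the one-end-on-53 rule accepts all of them. Where the filter supports it, a stateful rule on the outbound query is the tighter way to admit the returning answer.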