Suspicious DNS traffic

Novosielski, Ryan novosirj at umdnj.edu
Tue Mar 26 19:07:01 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Niall already answered you the other day (brackets mine):

"The reply to such a query [from your server] originates from port 53
on the remote server, and is destined for the port on your server
which was used as the source of the query[, which will be a randomly
chosen port above 1024 if you are doing things the way they are
usually done]."

On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
> 
> I am using a stateful firewall from a leading vendor. So let me
> know why my server still initiates connections to a remote DNS server
> on a non-standard destination port?
> 
> Regards Babu
> 
> 
> *From:* "WBrown at e1b.org" <WBrown at e1b.org>
> *To:* babu dheen <babudheen at yahoo.co.in>
> *Cc:* "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspicious DNS traffic
> 
> babu dheen wrote on 03/25/2013 12:21:30 PM:
> 
>> Still not convinced, because if I need to allow ports >1024 from
>> our DNS server to the external world (internet), where is the
>> security?
> 
> Total security requires total isolation.  It is a matter of
> accepting some risks to perform the needed task.
> 
>> I believe we just need to allow TCP and UDP 53 from our DNS
>> server to the internet (any), which is already done. Not sure why we
>> have to open non-standard ports from our DNS server to the internet?
>> 
>> Kindly provide some details.
> 
> You send a request via UDP from a random high port to an authoritative
> server. The answer is too large to fit in a UDP packet, so it responds
> via TCP to the source port of the request (the random high port from
> above).  If you block that TCP connection, you cannot receive the
> answer to your query.
> 
> Another reason for TCP replies is DNS Response Rate Limiting
> (RRL).
> 
> Some "modern" stateful firewalls understand DNS and if there is a
> UDP packet sent to port 53, it will accept TCP connections back
> from the destination address on port 53 to the source
> address/port.


- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlFR8dcACgkQmb+gadEcsb4r3ACeNPse/dcwDd/rkipAo/mO3iJ0
eScAoKn2IRu+JAnIWdGQEMjUWd6irdnv
=WVBw
-----END PGP SIGNATURE-----
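Added example (editor's code, not from this thread and not part of BIND): a model of the exchange the thread is arguing about, run through a toy stateful-firewall state table. It shows why a policy that only permits outbound traffic to destination port 53 is enough: the UDP reply comes from port 53 back to the random high source port of the query, and a truncated reply (TC bit set, RFC 1035 section 4.2.1) makes the resolver open a new TCP connection, again to port 53, from a fresh ephemeral port, so no inbound rule for high ports is needed. The addresses, ports, query name and packet bytes are constructed assumptions (documentation address ranges); the `StatefulFirewall` class is a deliberately minimal stand-in for a vendor firewall.

```python
"""Added example, not code from the bind-users thread or from BIND itself.
Models a resolver's UDP query from a random high port to port 53, the reply
from port 53 back to that port, the TC-bit retry over TCP (to port 53), and a
minimal stateful-firewall state table. All packets, hosts and ports below are
constructed assumptions so the script runs offline."""
import struct

RESOLVER_IP = "192.0.2.10"      # assumed: the querying server (TEST-NET-1)
AUTH_IP = "198.51.100.53"       # assumed: remote authoritative server (TEST-NET-2)


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal RFC 1035 query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_reply(query, truncated=False):
    """Constructed server reply: same id and question, QR set, TC set if truncated."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR | RD | RA, optionally TC
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def parse_header(msg):
    """The header fields a resolver checks before trusting a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


class StatefulFirewall:
    """Toy state table: outbound packets to dst port 53 create a flow entry;
    an inbound packet passes only if it is the reverse of a recorded flow."""

    def __init__(self):
        self.state = set()

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        if dst_port != 53:                     # the only explicit rule in the policy
            return False
        self.state.add((proto, src_ip, src_port, dst_ip, dst_port))
        return True

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        return (proto, dst_ip, dst_port, src_ip, src_port) in self.state


def lookup(fw, qname, udp_port, tcp_port, truncated):
    """Run one lookup through the firewall.
    Returns (transport that delivered the answer or None, list of log lines)."""
    log = []
    query = build_query(qname)
    if not fw.outbound("udp", RESOLVER_IP, udp_port, AUTH_IP, 53):
        return None, log
    log.append(f"udp {RESOLVER_IP}:{udp_port} -> {AUTH_IP}:53 query")
    reply = build_reply(query, truncated)
    ok = fw.inbound("udp", AUTH_IP, 53, RESOLVER_IP, udp_port)   # reply from 53 to the high port
    log.append(f"udp {AUTH_IP}:53 -> {RESOLVER_IP}:{udp_port} reply {'pass' if ok else 'DROP'}")
    if not ok:
        return None, log
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        return None, log                       # wrong id or not a response: discard
    if not hdr["tc"]:
        return "udp", log
    # Truncated answer: the resolver retries over TCP. New connection, new
    # ephemeral source port, destination port 53 again.
    if not fw.outbound("tcp", RESOLVER_IP, tcp_port, AUTH_IP, 53):
        return None, log
    log.append(f"tcp {RESOLVER_IP}:{tcp_port} -> {AUTH_IP}:53 SYN")
    ok = fw.inbound("tcp", AUTH_IP, 53, RESOLVER_IP, tcp_port)
    log.append(f"tcp {AUTH_IP}:53 -> {RESOLVER_IP}:{tcp_port} SYN/ACK {'pass' if ok else 'DROP'}")
    return ("tcp" if ok else None), log


def spoofed_reply_accepted(fw, udp_port):
    """A packet from port 53 to a high port that never sent a query must be dropped."""
    return fw.inbound("udp", AUTH_IP, 53, RESOLVER_IP, udp_port)


if __name__ == "__main__":
    fw = StatefulFirewall()
    for transport, lines in (lookup(fw, "example.com.", 40123, 40124, truncated=False),
                             lookup(fw, "example.com.", 40125, 40126, truncated=True)):
        print("\n".join(lines), "=> answered via", transport)
    print("stray reply to port 50000 accepted:", spoofed_reply_accepted(fw, 50000))
```

The point for the firewall policy: every flow the resolver ever needs is created by an outbound packet whose destination port is 53, so the state table, not an inbound rule for high ports, is what lets the reply in; the random high port is only ever the *source* on the resolver side. That random, hard-to-guess source port is also what a firewall and a resolver rely on to reject replies the resolver never asked for, which is the last check in the example.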