BIND ignores queries from specific privileged source ports

Mark Andrews marka at isc.org
Sat Jun 8 02:44:34 UTC 2019


Named drops those ports as they can be used in reflection attacks.
Sane NAT developers avoid those ports for just that reason.  The
full list is below.

#include <netinet/in.h>		/* in_port_t */

/* Result codes, as defined alongside this function in BIND's client.c */
#define DROPPORT_NO		0	/* serve the query normally */
#define DROPPORT_REQUEST	1	/* drop the query; nothing is sent back */
#define DROPPORT_RESPONSE	2	/* accept the query but suppress responses to this port */

/* Decide, from the UDP source port alone, whether named should drop the query. */
static int
ns_client_dropport(in_port_t port) {
	switch (port) {
	case 7: /* echo */
	case 13: /* daytime */
	case 19: /* chargen */
	case 37: /* time */
		return (DROPPORT_REQUEST);
	case 464: /* kpasswd */
		return (DROPPORT_RESPONSE);
	}
	return (DROPPORT_NO);
}


> On 8 Jun 2019, at 7:56 am, Blake Hudson <blake at ispn.net> wrote:
> 
> Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but have also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated from specific privileged source ports but not others?
> 
> Example:
> 
> [root at ns ~]# dig +short -b 127.0.0.1 @localhost google.com
> 172.217.6.110
> [root at ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com
> 172.217.6.110
> [root at ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com
> 172.217.6.110
> [root at ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com
> ;; connection timed out; no servers could be reached
> [root at ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com
> 172.217.6.110
> [root at ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com
> ;; connection timed out; no servers could be reached
> 
> 
> While it would be ideal for clients to use source port randomization and initiate queries from random ephemeral ports, I don't control all the clients or the NAT routers in between the client and the server. Queries using a source port of 13 and 19 are dropped while queries from port 10000, 50, and 14 are answered. This has been confirmed via a network capture as well. I checked the ARM, but didn't see what knob(s) I could tweak to control this behavior. Anyone know?
> 
> Thanks,
> --Blake

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
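As an added example (not part of this thread and not BIND's own code), the following Python applies named's source-port rule from ns_client_dropport() to constructed tcpdump-style query lines, so an operator who, like Blake, confirms the behaviour from a capture can see which clients or NATs are emitting queries that named will never answer. The addresses and the capture lines are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Source ports named refuses to serve, mirroring ns_client_dropport():
# a query from these ports is dropped with no reply, so the client only sees a timeout ...
DROP_REQUEST_PORTS = {7: "echo", 13: "daytime", 19: "chargen", 37: "time"}
# ... and for this one the query is accepted but the response is suppressed.
DROP_RESPONSE_PORTS = {464: "kpasswd"}

def dropport(port):
    """Classify a UDP source port the way named does: 'request', 'response' or 'no'."""
    if port in DROP_REQUEST_PORTS:
        return "request"
    if port in DROP_RESPONSE_PORTS:
        return "response"
    return "no"

# Constructed tcpdump-style lines (RFC 5737 documentation addresses, not real hosts):
# a NAT at 192.0.2.10 that recycles low source ports, and a client using ephemeral ports.
SAMPLE_CAPTURE = """\
IP 192.0.2.10.19 > 198.51.100.53.53: 21007+ A? google.com. (28)
IP 192.0.2.10.13 > 198.51.100.53.53: 21008+ A? google.com. (28)
IP 192.0.2.10.10000 > 198.51.100.53.53: 21009+ A? google.com. (28)
IP 192.0.2.10.464 > 198.51.100.53.53: 21010+ A? google.com. (28)
IP 203.0.113.7.51234 > 198.51.100.53.53: 9+ AAAA? isc.org. (25)
IP 203.0.113.7.51235 > 198.51.100.53.53: 10+ AAAA? isc.org. (25)
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.53: " at the start of a query line.
QUERY_RE = re.compile(r"^IP (\S+)\.(\d+) > \S+\.53: ")

def parse_query(line):
    """Return (source_ip, source_port) for a query line, or None for anything else."""
    m = QUERY_RE.match(line)
    return (m.group(1), int(m.group(2))) if m else None

def audit(capture):
    """Per client, count how many queries named would serve ('no'), drop outright
    ('request'), or accept without responding ('response')."""
    report = defaultdict(Counter)
    for line in capture.splitlines():
        q = parse_query(line)
        if q is not None:
            src, port = q
            report[src][dropport(port)] += 1
    return {src: dict(counts) for src, counts in report.items()}

if __name__ == "__main__":
    for src, counts in audit(SAMPLE_CAPTURE).items():
        print(src, counts)
```

A client whose report shows non-zero "request" counts is the one that will log "connection timed out" for those queries, and the fix is on the client or NAT side (ephemeral source ports), not a named option.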