BIND ignores queries from specific privileged source ports
Blake Hudson
blake at ispn.net
Mon Jun 10 17:56:07 UTC 2019
Barry Margolin wrote on 6/10/2019 11:18 AM:
> In article <mailman.677.1560175574.711.bind-users at lists.isc.org>,
> Blake Hudson <blake at ispn.net> wrote:
>
>> Thank you Mark. A popular NAT appliance manufacturer has some logic that
>> attempts to keep the translated source port close to the untranslated
>> source port which can sometimes result in the behavior I've described
>> where DNS queries use the well-known source port of protocols that are
>> abuse-prone:
> Why would the original source port be close to any of these low port
> numbers? Source ports should normally be ephemeral ports.
>
Barry, I agree with you 100%. Unfortunately, old clients may issue DNS
queries using a source (and destination) port of UDP 53. To do that in a
product released today would, in my opinion, be a defect or bug. It's
been reported to the vendor (Calix), but a fix remains forthcoming.