BIND ignores queries from specific privileged source ports

Grant Taylor gtaylor at
Mon Jun 10 22:01:55 UTC 2019

On 6/10/19 3:29 PM, Mark Andrews wrote:
> The primary issue here is that there is still source address spoofing 
> happening so you have to consider what if this packet was spoofed. DNS 
> uses UDP and is used as a reflector. The small services ports listed 
> generate reply traffic.
> Additionally kpasswd and a DNS server can generate a self sustaining 
> traffic loop if it is not suppressed.

I'm guessing that the reply / kpasswd traffic is not a valid DNS query.

As such, I would think that it's possible to detect this and respond 
accordingly.  If the incoming packet is not a valid DNS query and it's 
from one of the aforementioned ports, ignore it / drop the outbound 
error message.

If the incoming packet is a valid DNS query, then go ahead and reply.

> There are ~63500 ephemeral ports

Sadly, many things don't use that wide of an Ephemeral Port range by 

Per IANA, the 65536 possible ports are divided into three ranges:

     0 to  1023 for System
  1024 to 49151 for User Ports
49152 to 65535 for Dynamic and / or Private Ports a.k.a. Ephemeral Ports

So, strictly adhering to IANA recommendations, there are only 16,384 
Ephemeral Ports (14 bits).

This means that DNS administrators either use their OS default, adhere 
to IANA's recommendation, or use something of their own choosing.

I guess "their own choosing" could be 1024-65535.  That amounts to 64512 
possible ports / ~15.98 bits.  Conversely, 65536 ports amounts to 16 bits.

See my other replies for my questions about why BIND can't be more 
selective in the replies it processes.

Grant. . . .
unix || die
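As an added illustration of the check proposed in the post above (example code, not from the thread or from BIND), here is a Python sketch that answers any well-formed DNS query regardless of source port, silently drops malformed packets arriving from reflector-prone ports so no error reply is generated, and computes the port-range bit figures quoted in the post. The `REFLECTOR_PORTS` set is an assumption for the example; the page does not list BIND's actual ports.

```python
import math
import struct

# Assumed set for this example: the classic "small services" ports plus
# kpasswd, which the thread names only by description.
REFLECTOR_PORTS = {7, 9, 13, 19, 37, 464}  # echo, discard, daytime, chargen, time, kpasswd


def looks_like_dns_query(payload: bytes) -> bool:
    """True if payload parses as a well-formed DNS query (RFC 1035 header):
    12-byte header, QR=0, opcode QUERY, exactly one question, and a
    parseable QNAME followed by QTYPE and QCLASS."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:                 # QR=1: this is a response, not a query
        return False
    if (flags >> 11) & 0xF != 0:       # only the standard QUERY opcode accepted here
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    pos = 12                           # walk the labels of the single QNAME
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length & 0xC0:              # compression pointers are not valid in a query name
            return False
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return False
        pos += length
    return pos + 4 <= len(payload)     # QTYPE and QCLASS must fit


def decide(src_port: int, payload: bytes) -> str:
    """Answer well-formed queries; drop malformed packets from reflector-prone
    ports without any reply (no amplification, no kpasswd/DNS loop); treat
    malformed packets from other ports as a normal FORMERR case."""
    if looks_like_dns_query(payload):
        return "answer"
    if src_port in REFLECTOR_PORTS:
        return "drop"
    return "formerr"


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal recursion-desired query for name."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def port_range_bits(low: int, high: int) -> float:
    """Bits of source-port entropy offered by an inclusive port range."""
    return math.log2(high - low + 1)
```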
