To: dnsop@cafax.se
From: ed@alcpress.com
Date: Thu, 11 Jan 2001 10:50:04 -0800
Reply-To: ed@alcpress.com
Sender: owner-dnsop@cafax.se
Subject: resolvers using non-ephemeral ports
From scanning firewall logs, I've noticed that some DNS resolvers (or attackers) are using ports below 1024 when talking to a DNS server. I've seen packets coming from ports 646, 665, 727, 737, 744, 904, and 960. These are a very small percentage of total DNS queries, however.

This issue is important to me because I teach both DNS and firewall courses. Normally, I would suggest to students that they block all ports below 1024 (except 53) for packets sent to the DNS server. Now, this data makes me wonder if we're turning away good guys or bad guys.

What's the official position on resolvers and ephemeral ports?

Ed Sawicki
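A defender-side check of the kind described in the message above, added here as an example and not code from the original post: it parses constructed netfilter-style firewall log lines (documentation-range addresses; the source ports mirror the ones listed above) and reports which DNS-bound packets a "block everything below 1024 except 53" rule would drop, so the share of affected queries can be measured before such a rule is deployed.

```python
import re
from collections import Counter

# Constructed iptables/netfilter-style log lines (not from the original post).
SAMPLE_LOG = """\
Jan 11 10:41:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=646 DPT=53 LEN=44
Jan 11 10:41:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP SPT=32771 DPT=53 LEN=52
Jan 11 10:41:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53 LEN=48
Jan 11 10:41:12 fw kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=904 DPT=53 LEN=60
Jan 11 10:41:15 fw kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 PROTO=UDP SPT=1025 DPT=53 LEN=44
Jan 11 10:41:20 fw kernel: IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 PROTO=TCP SPT=960 DPT=80 LEN=60
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one log line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "SPT", "DPT"} <= fields.keys():
        return None
    fields["SPT"] = int(fields["SPT"])
    fields["DPT"] = int(fields["DPT"])
    return fields

def is_privileged_source_dns(pkt, dns_port=53):
    """True for a DNS-bound packet whose source port is below 1024 but not 53."""
    return pkt["DPT"] == dns_port and pkt["SPT"] < 1024 and pkt["SPT"] != dns_port

def audit(log_text):
    """Count DNS-bound packets and those the '<1024 except 53' rule would drop."""
    total = 0
    flagged = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["DPT"] != 53:
            continue  # not a query toward the DNS server
        total += 1
        if is_privileged_source_dns(pkt):
            flagged[(pkt["SRC"], pkt["PROTO"], pkt["SPT"])] += 1
    return total, flagged

if __name__ == "__main__":
    total, flagged = audit(SAMPLE_LOG)
    print(f"{total} DNS packets, {sum(flagged.values())} from privileged non-53 source ports")
    for (src, proto, spt), n in sorted(flagged.items()):
        print(f"  {src} {proto} sport {spt}: {n}")
```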