

To: ed@alcpress.com
CC: dnsop@cafax.se
From: "Eric A. Hall" <ehall@ehsco.com>
Date: Thu, 11 Jan 2001 11:36:09 -0800
Sender: owner-dnsop@cafax.se
Subject: Re: resolvers using non-ephemeral ports


> This issue is important to me because I teach both dns
> and firewall courses. Normally, I would suggest to students
> that they block all ports below 1024 (except 53) for packets
> sent to the dns server. Now, this data makes me wonder if
> we're turning away good guys or bad guys.
> 
> What's the official position on resolvers and ephemeral ports?

RFC 1035 is the only almost-explicit discussion on it:

4.2.1. Messages sent using UDP user [sic] server port 53 (decimal).
4.2.2. Messages sent over TCP connections use server port 53 (decimal).

The Very Strict Reading of the complete clauses comes out as "resolvers
should use port 53 as their source port for queries." It isn't a MUST
(it's really only interpreted as a SHOULD by a Very Strict Reading) and
most resolvers use port numbers above 1023 for queries. A lot of servers
still use port 53 as the source port though.

If you want to be precise with your firewall rules, you could block any
traffic which is going to port 53 on your DNS server(s) which is not
coming from port 53 or one of the ports above 1023. Nobody should use any
ports below 1024 (other than port 53) as the source port for queries.

FWIW, the range of ephemeral port numbers was changed a while back. IANA
says (http://www.isi.edu/in-notes/iana/assignments/port-numbers):

The port numbers are divided into three ranges: the Well Known Ports, the
Registered Ports, and the Dynamic and/or Private Ports.

 The System (Well-Known) Ports are those from 0 through 1023.

 The User (Registered) Ports are those from 1024 through 49151.

 The Dynamic and/or Private Ports are those from 49152 through 65535.

An "ephemeral port number" is now technically considered to be one of the
dynamic port numbers in the range of 49152 through 65535. This doesn't
reflect popular usage.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
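As an added illustration (not part of the original message or of any real firewall product), the following Python models the two technical points in the reply: the source-port filter Eric describes for traffic to a DNS server's port 53 (accept source port 53 or anything above 1023, drop other low source ports), and the three IANA port ranges quoted from the assignments file. The `Packet` type, the `dns_query_verdict` function and the sample traffic are all constructed for the example; the addresses are from the 192.0.2.0/24 documentation range.

```python
"""Model of the DNS source-port filter and IANA port ranges discussed above.
Added example; the Packet type and sample traffic are constructed, not from
the original post."""

from dataclasses import dataclass

DNS_PORT = 53

# IANA port ranges exactly as quoted in the message
SYSTEM_PORTS = range(0, 1024)        # Well-Known
USER_PORTS = range(1024, 49152)      # Registered
DYNAMIC_PORTS = range(49152, 65536)  # Dynamic and/or Private


def port_class(port: int) -> str:
    """Classify a port into the three IANA ranges named in the message."""
    if port not in range(0, 65536):
        raise ValueError(f"port out of range: {port}")
    if port in SYSTEM_PORTS:
        return "system"
    if port in USER_PORTS:
        return "user"
    return "dynamic"


def is_iana_ephemeral(port: int) -> bool:
    """True only for the Dynamic/Private range, the strict IANA sense of
    'ephemeral' that the message notes does not match popular usage."""
    return port in DYNAMIC_PORTS


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def dns_query_verdict(pkt: Packet, dns_servers: frozenset) -> str:
    """Apply the rule from the message: traffic to port 53 on our DNS
    server(s) must come from source port 53 or a port above 1023; any other
    source port below 1024 is dropped.  Packets the rule does not cover get
    "not-applicable" so that a later rule in the chain decides."""
    if pkt.proto not in ("udp", "tcp"):
        return "not-applicable"
    if pkt.dst_ip not in dns_servers or pkt.dst_port != DNS_PORT:
        return "not-applicable"
    if pkt.src_port == DNS_PORT or pkt.src_port > 1023:
        return "accept"
    return "drop"


def filter_traffic(packets, dns_servers):
    """Return (packet, verdict) pairs for a list of packets."""
    return [(pkt, dns_query_verdict(pkt, dns_servers)) for pkt in packets]


def dropped_sources(packets, dns_servers):
    """Source ports of the packets the rule would drop."""
    return [p.src_port for p, v in filter_traffic(packets, dns_servers) if v == "drop"]


# Constructed sample traffic toward a hypothetical DNS server 192.0.2.53.
DNS_SERVERS = frozenset({"192.0.2.53"})
SAMPLE_TRAFFIC = [
    Packet("udp", "192.0.2.10", 53, "192.0.2.53", 53),      # server-style query: accept
    Packet("udp", "192.0.2.11", 32769, "192.0.2.53", 53),   # typical resolver port: accept
    Packet("tcp", "192.0.2.12", 51234, "192.0.2.53", 53),   # IANA dynamic range: accept
    Packet("udp", "192.0.2.13", 1023, "192.0.2.53", 53),    # low source port: drop
    Packet("udp", "192.0.2.14", 80, "192.0.2.53", 53),      # low source port: drop
    Packet("udp", "192.0.2.15", 1023, "192.0.2.53", 80),    # not to port 53: not-applicable
]

if __name__ == "__main__":
    for pkt, verdict in filter_traffic(SAMPLE_TRAFFIC, DNS_SERVERS):
        print(f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  {verdict} "
              f"(src port class: {port_class(pkt.src_port)})")
```

The verdict function deliberately returns "not-applicable" rather than a default accept for packets outside its scope, so that the rule composes with the rest of a ruleset the way a firewall chain does; note that it encodes the popular ">1023" notion of an ephemeral port, while `is_iana_ephemeral` encodes the narrower 49152-65535 range.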
