To: ed@alcpress.com
CC: dnsop@cafax.se
From: "Eric A. Hall" <ehall@ehsco.com>
Date: Thu, 11 Jan 2001 11:36:09 -0800
Sender: owner-dnsop@cafax.se
Subject: Re: resolvers using non-ephemeral ports
> This issue is important to me because I teach both dns
> and firewall courses. Normally, I would suggest to students
> that they block all ports below 1024 (except 53) for packets
> sent to the dns server. Now, this data makes me wonder if
> we're turning away good guys or bad guys.
>
> What's the official position on resolvers and ephemeral ports?

RFC 1035 is the only almost-explicit discussion on it:

   4.2.1. Messages sent using UDP user [sic] server port 53 (decimal).

   4.2.2. Messages sent over TCP connections use server port 53 (decimal).

The Very Strict Reading of the complete clauses comes out as "resolvers should use port 53 as their source port for queries." It isn't a MUST (it's really only interpreted as a SHOULD by a Very Strict Reading) and most resolvers use port numbers above 1023 for queries. A lot of servers still use port 53 as the source port though.

If you want to be precise with your firewall rules, you could block any traffic which is going to port 53 on your DNS server(s) which is not coming from port 53 or one of the ports above 1023. Nobody should use any ports below 1024 (other than port 53) as the source port for queries.

FWIW, the range of ephemeral port numbers was changed a while back. IANA says (http://www.isi.edu/in-notes/iana/assignments/port-numbers):

   The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

   The System (Well-Known) Ports are those from 0 through 1023.
   The User (Registered) Ports are those from 1024 through 49151.
   The Dynamic and/or Private Ports are those from 49152 through 65535.

An "ephemeral port number" is now technically considered to be one of the dynamic port numbers in the range of 49152 through 65535. This doesn't reflect popular usage.

--
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols              http://www.oreilly.com/catalog/coreprot/
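The source-port rule discussed in the message above, applied to a few log lines, as an added example that is not part of the thread. Note that the original poster's rule ("block everything below 1024 except 53") and the reply's rule ("accept only source port 53 or anything above 1023") are the same predicate; the script below implements it once, classifies each query's source port into the three IANA ranges the message quotes, and reports the verdict per line. The netfilter-style log lines are constructed for this example and the field names in them are assumed, not taken from any real capture.

```python
import re

# IANA range boundaries as quoted in the message above.
SYSTEM_MAX = 1023       # 0..1023 are System (Well-Known) ports
REGISTERED_MAX = 49151  # 1024..49151 are User (Registered) ports; above is Dynamic

def port_class(port: int) -> str:
    """Name the IANA range a port number falls into."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= SYSTEM_MAX:
        return "system"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"

def allow_query_source(src_port: int) -> bool:
    """The rule from the message: a query to port 53 is accepted only when
    its source port is 53 itself or any port above 1023. This is the same
    predicate as 'block everything below 1024 except 53'."""
    return src_port == 53 or src_port > SYSTEM_MAX

# Constructed netfilter-style log lines (sample data, not a real capture).
# The last line is not a DNS query at all and must be ignored by the audit.
SAMPLE_LOG = """\
IN=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=53 DPT=53
IN=eth0 SRC=192.0.2.11 DST=198.51.100.53 PROTO=UDP SPT=1025 DPT=53
IN=eth0 SRC=192.0.2.12 DST=198.51.100.53 PROTO=UDP SPT=514 DPT=53
IN=eth0 SRC=192.0.2.13 DST=198.51.100.53 PROTO=TCP SPT=53017 DPT=53
IN=eth0 SRC=192.0.2.14 DST=198.51.100.53 PROTO=UDP SPT=1024 DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def audit(log_text: str) -> list:
    """Return (src, proto, sport, iana_class, verdict) for every line that is
    a query to port 53; lines to other destination ports are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != 53:
            continue
        spt = int(m["spt"])
        verdict = "ACCEPT" if allow_query_source(spt) else "DROP"
        results.append((m["src"], m["proto"], spt, port_class(spt), verdict))
    return results

if __name__ == "__main__":
    for src, proto, spt, cls, verdict in audit(SAMPLE_LOG):
        print(f"{src:<12} {proto:<4} sport={spt:<5} ({cls:<10}) -> {verdict}")
```

In the sample, the query from source port 514 is the only one dropped: it is in the system range and is not 53, which is exactly the case the message says no legitimate resolver should produce. The query from 53017 is accepted and classified as "dynamic", the only one of the four that is ephemeral under the IANA definition quoted in the message.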