

To: ed@alcpress.com
Cc: dnsop@cafax.se
From: Jim Reid <Jim.Reid@nominum.com>
Date: Thu, 11 Jan 2001 11:47:47 -0800
In-Reply-To: Message from ed@alcpress.com of "Thu, 11 Jan 2001 10:50:04 PST." <3A5D8FDC.8831.C5A4C03@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: resolvers using non-ephemeral ports

>>>>> "ed" == ed  <ed@alcpress.com> writes:

    ed> This issue is important to me because I teach both dns and
    ed> firewall courses. Normally, I would suggest to students that
    ed> they block all ports below 1024 (except 53) for packets sent
    ed> to the dns server. Now, this data makes me wonder if we're
    ed> turning away good guys or bad guys.

    ed> What's the official position on resolvers and ephemeral ports?

I don't think there is one. AFAIK, there's nothing in the RFCs
indicating what source ports must or must not be used when sending
queries. So probably all ports should be allowed to send stuff to port
53. BIND 8 and 9 will use a random, unprivileged port by default, but
who knows what other implementations do (by accident or design)? The
concept of privileged ports is pretty much UNIX-specific so all bets
will be off for other OSes anyway. Ephemeral ports probably vary by
platform too. And what if a privileged UNIX application uses a port
number less than 1024 to query the name server? Or how about the folk
who explicitly set up their name servers to use a fixed, privileged
port for outgoing queries and let that traffic through the firewall?
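To make the trade-off in the message above concrete, here is an added example (not part of the original post or thread) that parses the source port out of constructed IPv4/UDP packets and runs them through the two candidate firewall rules: "block everything below 1024 except 53 toward the name server" versus "let any source port query port 53". The packet layouts, addresses and port choices are constructed sample data.

```python
import struct

def build_ipv4_udp(sport, dport, payload=b""):
    """Construct a minimal IPv4 + UDP header pair (constructed test data;
    checksums are left at zero, which is enough for port parsing)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload

def parse_ports(packet):
    """Return (source port, destination port) from an IPv4/UDP datagram."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 17:                   # protocol field: 17 = UDP
        raise ValueError("not a UDP datagram")
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def policy_block_low_ports(sport, dport):
    """The classroom rule: drop privileged source ports (< 1024) unless it is 53."""
    if dport != 53:
        return "drop"
    return "drop" if (sport < 1024 and sport != 53) else "accept"

def policy_any_source_port(sport, dport):
    """The alternative: any source port may send to port 53."""
    return "accept" if dport == 53 else "drop"

# Constructed queries covering the cases raised in the message.
QUERIES = {
    "bind-random-unprivileged": build_ipv4_udp(32769, 53),  # BIND 8/9 default
    "server-fixed-port-53": build_ipv4_udp(53, 53),         # fixed privileged port
    "privileged-unix-app": build_ipv4_udp(1000, 53),        # root process, port < 1024
    "not-dns": build_ipv4_udp(40000, 80),                   # unrelated traffic
}

def evaluate(policy):
    """Map each constructed query name to the policy's verdict."""
    return {name: policy(*parse_ports(pkt)) for name, pkt in QUERIES.items()}

def falsely_dropped():
    """Legitimate queries the strict rule turns away but the permissive rule accepts."""
    strict = evaluate(policy_block_low_ports)
    loose = evaluate(policy_any_source_port)
    return sorted(n for n in QUERIES if strict[n] == "drop" and loose[n] == "accept")

if __name__ == "__main__":
    print(evaluate(policy_block_low_ports))
    print("turned away by the strict rule:", falsely_dropped())
```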
