To: ed@alcpress.com
Cc: dnsop@cafax.se
From: Jim Reid <Jim.Reid@nominum.com>
Date: Thu, 11 Jan 2001 11:47:47 -0800
In-Reply-To: Message from ed@alcpress.com of "Thu, 11 Jan 2001 10:50:04 PST." <3A5D8FDC.8831.C5A4C03@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: resolvers using non-ephemeral ports
>>>>> "ed" == ed <ed@alcpress.com> writes:

    ed> This issue is important to me because I teach both DNS and
    ed> firewall courses. Normally, I would suggest to students that
    ed> they block all ports below 1024 (except 53) for packets sent
    ed> to the DNS server. Now, this data makes me wonder if we're
    ed> turning away good guys or bad guys.

    ed> What's the official position on resolvers and ephemeral ports?

I don't think there is one. AFAIK, there's nothing in the RFCs indicating
what source ports must or must not be used when sending queries. So
probably all ports should be allowed to send stuff to port 53.

BIND 8 and 9 will use a random, unprivileged port by default, but who
knows what other implementations do (by accident or design)? The concept
of privileged ports is pretty much UNIX-specific, so all bets will be off
for other OSes anyway. Ephemeral ports probably vary by platform too.

And what if a privileged UNIX application uses a port number less than
1024 to query the name server? Or how about the folk who explicitly set
up their name servers to use a fixed, privileged port for outgoing
queries and let that traffic through the firewall?
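The following is an added example, not part of the message above or of any list poster's code. It models the firewall rule quoted in the thread ("block all ports below 1024, except 53, for packets sent to the DNS server") and runs it over a few constructed query packets sent from the kinds of source ports the reply mentions: a BIND-style random unprivileged port, a fixed source port 53, and a privileged UNIX application using a low port. As a contrast of my own (not something the thread proposes), it also checks the DNS header itself, which says whether the packet is a query regardless of the source port. The packet builder, the sample ports and the labels are assumptions made for illustration.

```python
"""Added example: does a "block source ports < 1024 except 53" rule turn away
legitimate DNS queries? All packets and port values below are constructed."""
import struct

PRIVILEGED_MAX = 1023   # UNIX notion of a privileged port: 0..1023
DNS_PORT = 53


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query in wire format (QR=0, opcode 0, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def is_dns_query(payload):
    """True if payload has a DNS header with QR=0, opcode 0 and at least one question."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    return qr == 0 and opcode == 0 and qdcount >= 1


def port_rule_allows(src_port, dst_port):
    """The rule from the thread: towards the DNS server, drop anything whose
    source port is below 1024 unless that source port is 53."""
    if dst_port != DNS_PORT:
        return True
    return src_port > PRIVILEGED_MAX or src_port == DNS_PORT


def evaluate(packets):
    """For each (label, src_port, dst_port, payload) return
    (label, allowed_by_port_rule, looks_like_dns_query)."""
    return [(label, port_rule_allows(src, dst), is_dns_query(payload))
            for label, src, dst, payload in packets]


# Constructed sample traffic (assumed values, not captured data).
# Every packet here is a well-formed query for example.com.
SAMPLE = [
    ("BIND-style random unprivileged port", 34567, DNS_PORT, build_query("example.com")),
    ("server configured to query from fixed port 53", 53, DNS_PORT, build_query("example.com")),
    ("privileged UNIX app querying from a low port", 1000, DNS_PORT, build_query("example.com")),
    ("junk to port 53 from a high port", 40000, DNS_PORT, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for label, allowed, query in evaluate(SAMPLE):
        print(f"{label:48s} port rule: {'pass' if allowed else 'DROP'}  "
              f"DNS header says query: {query}")
```

Running it shows the third packet, a valid query from port 1000, dropped by the port rule while the junk payload from a high port passes; the header check gets both cases right, which is the point of the reply: the source port says nothing about whether the sender is a legitimate resolver.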