To:
Jim Reid <Jim.Reid@nominum.com>, dnsop@cafax.se
From:
ed@alcpress.com
Date:
Thu, 11 Jan 2001 13:13:26 -0800
In-reply-to:
<30108.979242467@shell.nominum.com>
Reply-To:
ed@alcpress.com
Sender:
owner-dnsop@cafax.se
Subject:
Re: resolvers using non-ephemeral ports
On 11 Jan 2001, at 11:47, Jim Reid wrote:

> >>>>> "ed" == ed <ed@alcpress.com> writes:
>
> ed> This issue is important to me because I teach both dns and
> ed> firewall courses. Normally, I would suggest to students that
> ed> they block all ports below 1024 (except 53) for packets sent
> ed> to the dns server. Now, this data makes me wonder if we're
> ed> turning away good guys or bad guys.
>
> ed> What's the official position on resolvers and ephemeral ports?
>
> I don't think there is one.

<snip>

> And what if a privileged UNIX application uses a port
> number less than 1024 to query the name server?

This is a compelling argument. You've convinced me. We simply cannot
filter dns packets on the source port.

Thanks,
Ed
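The two filtering policies discussed in this exchange, simulated over a handful of constructed packets (an added example, not code from the mailing-list thread). The "source port" policy is the rule Ed says he used to teach: toward the name server, drop anything with a source port below 1024 unless that port is 53. The "destination port" policy is the alternative the thread arrives at: match only on the destination port and protocol and ignore the source port entirely. The sample packets are assumptions made for illustration; the one labelled as an old name server querying from port 53 reflects common historical BIND behaviour but is not something the thread itself states.

```python
"""Simulate firewall rules for traffic toward a DNS server.

Added example; not from the original mailing-list post. All packets below
are constructed samples, not captured traffic.
"""
from dataclasses import dataclass

DNS_PORT = 53
EPHEMERAL_START = 1024  # first non-privileged port on classic UNIX


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    label: str      # human-readable description of the constructed sample


def source_port_policy(pkt: Packet) -> bool:
    """Rule as originally taught: for packets to the name server, allow only
    if the source port is 53 or is not a privileged (<1024) port.
    Returns True when the packet is allowed through."""
    if pkt.dst_port != DNS_PORT:
        return True  # not addressed to the name server; out of scope
    return pkt.src_port == DNS_PORT or pkt.src_port >= EPHEMERAL_START


def destination_port_policy(pkt: Packet) -> bool:
    """Alternative rule: allow DNS by destination port and protocol only;
    the source port plays no part in the decision."""
    return pkt.dst_port == DNS_PORT and pkt.proto in ("udp", "tcp")


# Constructed samples (assumptions for illustration, not thread data).
SAMPLE_PACKETS = [
    Packet("udp", 53, 53, "name server querying from source port 53"),
    Packet("udp", 1023, 53, "privileged UNIX application on a reserved port"),
    Packet("udp", 32768, 53, "stub resolver on an ephemeral port"),
    Packet("tcp", 40001, 53, "DNS over TCP from an ephemeral port"),
    Packet("udp", 1023, 80, "non-DNS traffic from a reserved port"),
]


def dropped_by(policy, packets):
    """Labels of the packets a policy would discard."""
    return [p.label for p in packets if not policy(p)]


if __name__ == "__main__":
    for name, policy in (("source-port rule", source_port_policy),
                         ("destination-port rule", destination_port_policy)):
        print(f"{name} drops: {dropped_by(policy, SAMPLE_PACKETS)}")
```

Running it shows the point of the thread directly: the source-port rule passes the spoof-friendly port-53 sender yet discards the legitimate privileged application, while the destination-port rule keeps every DNS query and rejects only the packet that was never DNS to begin with.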