To: ed@alcpress.com
Cc: Jim Reid <Jim.Reid@nominum.com>, dnsop@cafax.se
From: Mark.Andrews@nominum.com
Date: Fri, 12 Jan 2001 10:32:49 +1100
In-reply-to: Your message of "Thu, 11 Jan 2001 13:13:26 -0800." <3A5DB176.24872.CDD8EF1@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: resolvers using non-ephemeral ports
> On 11 Jan 2001, at 11:47, Jim Reid wrote:
>
> > >>>>> "ed" == ed <ed@alcpress.com> writes:
> >
> >     ed> This issue is important to me because I teach both dns and
> >     ed> firewall courses. Normally, I would suggest to students that
> >     ed> they block all ports below 1024 (except 53) for packets sent
> >     ed> to the dns server. Now, this data makes me wonder if we're
> >     ed> turning away good guys or bad guys.
> >
> >     ed> What's the official position on resolvers and ephemeral ports?
> >
> > I don't think there is one.
> <snip>
> > And what if a privileged UNIX application uses a port
> > number less than 1024 to query the name server?
>
> This is a compelling argument. You've convinced me. We
> simply cannot filter dns packets on the source port.
>
> Thanks,
>
> Ed
>

	The nameserver itself has a short list of ports to silently
	reject queries from. i.e. don't send a query from echo.

	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742          INTERNET: Mark.Andrews@nominum.com
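An added illustration, not part of this thread and not any nameserver's own code: the two policies argued over above (a firewall rule dropping packets to the DNS server from source ports below 1024 except 53, versus the nameserver's own short reject list) applied to constructed sample queries. The reject-list ports are an assumption chosen for illustration.

```python
# Added example (not from the thread): compare the two source-port policies
# discussed above on constructed DNS queries. Port lists are assumptions for
# illustration, not any nameserver's actual configuration.
from dataclasses import dataclass

DNS_PORT = 53

# Assumed "short list" of well-known service ports a nameserver silently
# refuses to answer. A reply sent to echo (7) or chargen (19) is bounced back
# to the server as a fresh datagram, so answering such a source could loop.
SERVER_REJECT_PORTS = {0, 7, 13, 19, 37}  # assumed: zero, echo, daytime, chargen, time


@dataclass(frozen=True)
class Query:
    src_ip: str
    src_port: int
    note: str  # constructed description of the sender


def firewall_blocks(q: Query) -> bool:
    """The classroom rule quoted above: drop packets to the DNS server whose
    source port is below 1024, except port 53 itself."""
    return q.src_port < 1024 and q.src_port != DNS_PORT


def server_drops(q: Query) -> bool:
    """The nameserver's own policy: silently ignore queries only from the
    short (assumed) reject list; everything else, privileged ports included,
    is answered."""
    return q.src_port in SERVER_REJECT_PORTS


def classify(queries):
    """Return {note: (blocked_by_firewall, dropped_by_server)} per query."""
    return {q.note: (firewall_blocks(q), server_drops(q)) for q in queries}


# Constructed sample traffic arriving at the nameserver (documentation addresses).
SAMPLE = [
    Query("192.0.2.10", 32769, "stub resolver, ephemeral port"),
    Query("192.0.2.11", 53, "another nameserver, port 53"),
    Query("192.0.2.12", 1023, "privileged UNIX app, reserved port"),
    Query("192.0.2.13", 7, "source port echo"),
    Query("192.0.2.14", 19, "source port chargen"),
]

if __name__ == "__main__":
    for note, (fw, srv) in classify(SAMPLE).items():
        print(f"{note:36s} firewall-blocked={fw!s:5} server-dropped={srv}")
```

The privileged-application query is the case the thread turns on: the blanket firewall rule discards it, while the nameserver's reject list lets it through and only refuses the loop-prone ports.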