Low numbered source port for queries

Barry Margolin barmar at genuity.net
Tue Jul 31 16:11:46 UTC 2001


In article <9jd8sn$egg at pub3.rc.vix.com>,
Ian Northeast  <ian at house-from-hell.demon.co.uk> wrote:
>Ian Northeast wrote:
>> Or a broken NAT router, which translates 53 to another low port instead
>> of a high one. The one we use at work running Checkpoint Firewall-1
>> seems to do this, and the result is that bind4 servers or bind8/9
>> servers sending queries on port 53 on parts of the network which are
>> subject to NAT cannot resolve a few domains - like amotken.com.
>
>For the record, I have been in contact with Chad and we have ascertained
>that this is indeed the problem, at least for me. Chad's firewall logs
>prove that our firewall is broken, and is translating 53 to e.g. 712. I
>am taking the matter up with our firewall admins. This is a firewall
>problem, not a DNS one.

IMHO, this is *not* broken if the firewall is translating all source
addresses to a single address (i.e. it's doing IP masquerading instead of
NAT into a pool of addresses).  In this case, it has to do source port
translation so that it can tell which client to send the reply back to.  If
it left the source port set to 53, then if two nameservers behind the
firewall sent simultaneous queries to the same outside server, the replies
would be ambiguous.

And the rule of translating privileged ports to other privileged ports is
for the benefit of protocols like RSH and LPD, which require the source
port to be in the privileged range as part of their simplistic security
architecture (this thread is not the appropriate place to discuss the
merits of this design, it's simply a fact that the firewall has to deal
with).

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
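Barry's point above, as an added example that is not part of the thread: a small Python model of a masquerading firewall (many inside hosts behind one public address) with the assumed rule that privileged source ports are translated into the privileged range. Addresses, port counters and the behaviour on collision are constructed for illustration, not taken from any real firewall.

```python
"""Model of masquerading NAT and why it cannot keep source port 53 for everyone."""
from dataclasses import dataclass, field
import itertools

PRIVILEGED_MAX = 1023  # ports 1-1023 are the "privileged" range RSH/LPD-style checks rely on


@dataclass
class Masquerader:
    public_ip: str
    preserve_source_port: bool = False  # True models the naive behaviour Barry argues against
    # (public_port, dst_ip, dst_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)
    # constructed port counters: privileged sources stay privileged, high sources stay high
    _low: itertools.count = field(default_factory=lambda: itertools.count(700), init=False, repr=False)
    _high: itertools.count = field(default_factory=lambda: itertools.count(32768), init=False, repr=False)

    def _allocate(self, src_port, dst_ip, dst_port):
        # Pick a public port from the same range as the inside source port, skipping ones
        # already mapped to this destination so replies stay unambiguous.
        pool = self._low if src_port <= PRIVILEGED_MAX else self._high
        while True:
            cand = next(pool)
            if (cand, dst_ip, dst_port) not in self.table:
                return cand

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a datagram leaving the firewall; returns (public_ip, public_port)."""
        if self.preserve_source_port:
            pub_port = src_port
        else:
            pub_port = self._allocate(src_port, dst_ip, dst_port)
        key = (pub_port, dst_ip, dst_port)
        if key in self.table and self.table[key] != (src_ip, src_port):
            # Two inside hosts now share one public 5-tuple: the reply could not be routed.
            raise ValueError(f"public port {pub_port} to {dst_ip}:{dst_port} already used by {self.table[key]}")
        self.table[key] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, pub_port, from_ip, from_port):
        """Reply from from_ip:from_port to our public port; return the inside host or None."""
        return self.table.get((pub_port, from_ip, from_port))


def collides_when_port_preserved(dst="198.51.100.2"):
    """Two nameservers behind the firewall both query the same outside server from port 53."""
    nat = Masquerader("203.0.113.1", preserve_source_port=True)
    nat.outbound("10.0.0.5", 53, dst, 53)
    try:
        nat.outbound("10.0.0.6", 53, dst, 53)
    except ValueError:
        return True
    return False
```

With `preserve_source_port=False` the same two queries get distinct privileged public ports (700 and 701 here) and each reply maps back to exactly one inside server.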

