dig source port

Jim Reid jim at rfc1035.com
Mon Aug 25 15:08:51 UTC 2003


>>>>> <lvobr at ies.etisalat.ae> writes:

    >>>> I have a setup with a firewall, and my nameserver source port is
    >>>> abcd, but I am unable to make dig use the same, thus the
    >>>> firewall stops the dig random source port requests.
    >> 
    >>> So fix the firewall. It's broken.

    >> Don't you think that opening all random udp ports on the L3
    >> firewall for anybody who originates packets from his 53 udp
    >> port is a luxury just to get a dig reply back?

No. Not if I wanted to use dig to query public name servers on the
other side of the firewall.

It's you who wants to use dig through this misconfigured firewall. So
only you can decide whether that's a luxury or not. That'll depend on
your local circumstances that I don't know or care about. [Don't
bother telling us.] You must have thought there was some value in
using dig through this firewall, so I suppose this functionality is
not a luxury for you either.

    >> for me it is a luxury, and I will not do that to have a simple
    >> dig command working by exposing all random udp ports on my
    >> internal recursive nameserver.

That's your choice. Your internal recursive name server shouldn't have
any other UDP ports in use anyway. All that runs on that box is a name
server, right? And all it would/should be getting from the outside to
some random port number would be query responses to the queries it made.
So if you've decided you want to block traffic from port 53 on the
outside to random UDP ports on the inside, you need to understand the
consequences, i.e. you won't be able to use lookup tools on the inside
of your net to query name servers on the outside.

If you can't/won't fix the firewall, you'll need another solution. For
instance you could put a box on the other side of the firewall and run
dig or whatever from there.

FYI the sample firewall/router ACL for DNS shown in "Building Internet
Firewalls" by Zwicky, Cooper & Chapman says it's OK to allow outbound
to port 53 to come from a random, unprivileged port and vice versa.

    >> Can somebody answer why dig in bind8 has it as a syntax but
    >> does not really implement it ?

Who cares? dig in BIND8 has long passed its use-by date. I doubt if
anyone actively supports it or is developing the code any more.

    >> also I can use +vc, which is less harmful in my case, if I open
    >> tcp established in our firewall.

I fail to see how using TCP instead of UDP for DNS traffic can be more
(or less) harmful. Define "harm". Please show how the choice of
transport protocol for DNS traffic has any bearing on this.

    >> I basically check root servers' responses by dig, from the
    >> internal recursive nameserver, to have some statistics.

Fine. You're unhappy that your self-imposed firewall policy doesn't
allow this. So why not do something about that instead of asking why
the world's DNS software hasn't been changed to accommodate your policy?

    >> btw, the source-query address port has a very valid point for
    >> named from a security point of view, so why is it surprising for
    >> dig or nslookup to have the same?

Well dig and nslookup are not name servers. They don't normally need
to be used across firewalls. Name servers sometimes do. So they might
need to set the source address and port number to deal with less than
clueful firewall policies. This is a legacy from the BIND4 days when
port 53 was used for outbound queries and their replies and some
misguided people set up their firewalls accordingly.

If you don't like what dig offers, feel free to contribute a patch.
