Suspecious DNS traffic

Niall O'Reilly niall.oreilly at
Mon Mar 25 16:35:00 UTC 2013

On 25 Mar 2013, at 16:21, babu dheen wrote:

> Still not convinced because if i need to allow >1024 port from  our DNS server to external world(internet).. where is the security?
> I beleive we just need to allow TCP and UDP 53 from our DNS server to internet(any) which is already done. Not sure why we have to open non standard port from our DNS server to internet?

	Your DNS server will likely need to send queries to other DNS servers.
	When it does this, it uses a destination port of 53 and a source port
	from the range above 1024.  It is important for security that it not
	use a fixed source port, but rather pick one at random for each query.
	[Hint: Google "source port randomization" (without the quotes)]

	The reply to such a query originates from port 53 on the remote server,
	and is destined for the port on your server which was used as the
	source of the query.  If you block access to high-numbered UDP ports on
	your server, you block these replies.  For TCP, allowing "established"
	packet flows is usually sufficient to allow the replies to reach your

	Best regards,
	Niall O'Reilly

More information about the bind-users mailing list