Suspicious DNS traffic

Niall O'Reilly niall.oreilly at ucd.ie
Mon Mar 25 16:35:00 UTC 2013


On 25 Mar 2013, at 16:21, babu dheen wrote:

> Still not convinced, because if I need to allow >1024 ports from our DNS server to the external world (internet)... where is the security?
> 
> I believe we just need to allow TCP and UDP 53 from our DNS server to the internet (any), which is already done. Not sure why we have to open a non-standard port from our DNS server to the internet?

	Your DNS server will likely need to send queries to other DNS servers.
	When it does this, it uses a destination port of 53 and a source port
	from the range above 1024.  It is important for security that it not
	use a fixed source port, but rather pick one at random for each query.
	[Hint: Google "source port randomization" (without the quotes)]

	The reply to such a query originates from port 53 on the remote server,
	and is destined for the port on your server which was used as the
	source of the query.  If you block access to high-numbered UDP ports on
	your server, you block these replies.  For TCP, allowing "established"
	packet flows is usually sufficient to allow the replies to reach your
	server.


	Best regards,
	Niall O'Reilly
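The point made in the reply above, as an added illustration that is not part of the original thread: a query leaves the resolver from a random port above 1024 towards port 53, and the answer comes back from port 53 to that same random port. A stateless rule that admits only port 53 towards the resolver drops every answer; a stateful rule that remembers the outbound query admits exactly the matching reply and nothing else. The addresses (192.0.2.53, 198.51.100.1), the `StatefulFirewall` class and the one-reply-per-query simplification are assumptions made for the example, not anything from the list post or from BIND.

```python
import random
from dataclasses import dataclass

DNS_PORT = 53
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535  # assumed source-port range for the example

# Use the OS entropy source, as a resolver should, rather than a predictable PRNG.
_rng = random.SystemRandom()


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Hypothetical connection-tracking firewall in front of the resolver.

    It records each outbound DNS query and admits only the reply that
    reverses that query's 4-tuple (the "established" behaviour in the post).
    """

    def __init__(self, resolver_ip):
        self.resolver_ip = resolver_ip
        self.state = set()  # entries: (proto, remote_ip, remote_port, local_port)

    def outbound(self, pkt):
        # Policy: the resolver may query any address on port 53,
        # using a source port from the ephemeral range.
        if (pkt.src_ip == self.resolver_ip and pkt.dst_port == DNS_PORT
                and EPHEMERAL_LOW <= pkt.src_port <= EPHEMERAL_HIGH):
            self.state.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return True
        return False

    def inbound(self, pkt):
        # A reply is admitted only if it matches a tracked query exactly:
        # from port 53 on the queried server, to the port the query was sent from.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if pkt.dst_ip == self.resolver_ip and key in self.state:
            self.state.discard(key)  # simplification: one reply per UDP query
            return True
        return False


def stateless_inbound_allowed(pkt, resolver_ip):
    """The rule set proposed in the thread: only port 53 towards the resolver,
    nothing above 1024. Replies to the resolver's own queries never match it."""
    return pkt.dst_ip == resolver_ip and pkt.dst_port == DNS_PORT


def random_source_port():
    """Source-port randomization: a fresh ephemeral port for every query."""
    return _rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)


def simulate_query(fw, resolver_ip, remote_ip, proto="udp", port_picker=random_source_port):
    """Send one query through the firewall and return
    (query allowed out, reply allowed in by stateful rule, reply allowed in by stateless rule)."""
    sport = port_picker()
    query = Packet(proto, resolver_ip, sport, remote_ip, DNS_PORT)
    reply = Packet(proto, remote_ip, DNS_PORT, resolver_ip, sport)
    return (fw.outbound(query),
            fw.inbound(reply),
            stateless_inbound_allowed(reply, resolver_ip))


def port_randomization_score(port_picker, n=1000):
    """Fraction of distinct source ports over n queries:
    close to 1.0 for a randomizing resolver, 1/n for one stuck on a fixed port."""
    return len({port_picker() for _ in range(n)}) / n


if __name__ == "__main__":
    fw = StatefulFirewall("192.0.2.53")
    print(simulate_query(fw, "192.0.2.53", "198.51.100.1"))
    print(port_randomization_score(random_source_port))
    print(port_randomization_score(lambda: 1053))
</test>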



