Suspicious DNS traffic
babudheen at yahoo.co.in
Tue Mar 26 18:43:16 UTC 2013
I am using a stateful firewall from a leading vendor company. So let me know why my server still initiates connections to remote DNS servers on non-standard destination ports?
From: "WBrown at e1b.org" <WBrown at e1b.org>
To: babu dheen <babudheen at yahoo.co.in>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Sent: Monday, 25 March 2013 7:48 PM
Subject: Re: Suspicious DNS traffic
babu dheen wrote on 03/25/2013 12:21:30 PM:
> Still not convinced, because if I need to allow >1024 ports from our
> DNS server to the external world (internet)... where is the security?
Total security requires total isolation. It is a matter of accepting some
risks to perform the needed task.
> I believe we just need to allow TCP and UDP 53 from our DNS server
> to the internet (any), which is already done. Not sure why we have to open
> non-standard ports from our DNS server to the internet?
> Kindly provide some details.
You send a request via UDP from a random high port to an authoritative server.
The answer is too large to fit in a UDP packet, so it responds via TCP to the
source port of the request (the random high port from above). If you block
that TCP connection, you cannot receive the answer to your query.
Another reason for TCP replies is DNS Response Rate Limiting (RRL).
Some "modern" stateful firewalls understand DNS and if there is a UDP
packet sent to port 53, it will accept TCP connections back from the
destination address on port 53 to the source address/port.
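The following is an added example, not code from either poster or from BIND, showing the truncation-to-TCP fallback this thread is about from the resolver's side: the query goes out over UDP from an ephemeral port; a reply with the TC flag set means the answer did not fit, and the same query is re-sent over TCP to port 53 on the authoritative server with the 2-byte length prefix that DNS-over-TCP uses (RFC 1035, section 4.2.2). That TCP leg, opened from a fresh ephemeral source port on the resolver, is the traffic a stateful firewall has to permit, and the reply packets are then matched as part of the established connection. The name `example.test`, the address `192.0.2.10`, and both transport functions are constructed for the example; the transports are injected so it runs offline, and a real deployment would replace them with UDP and TCP sockets.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: answer did not fit in the UDP reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qid: int) -> bytes:
    """Wire-format query for an A record, class IN, with RD set."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_header(msg: bytes) -> dict:
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an}


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # pointer: two bytes, name ends here
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve(qname: str, qid: int, udp_exchange, tcp_exchange):
    """Send over UDP; on a TC reply, repeat the query over TCP. Returns (message, transport)."""
    query = build_query(qname, qid)
    resp = udp_exchange(query)
    if parse_header(resp)["id"] != qid:
        raise ValueError("UDP response ID mismatch")
    if not parse_header(resp)["tc"]:
        return resp, "udp"
    # TCP framing: two-byte big-endian length before each message
    tcp_resp = tcp_exchange(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", tcp_resp[:2])
    resp = tcp_resp[2:2 + length]
    if parse_header(resp)["id"] != qid:
        raise ValueError("TCP response ID mismatch")
    return resp, "tcp"


# Constructed stand-in for an authoritative server: truncated over UDP, full over TCP.
QNAME = "example.test."


def fake_udp_exchange(query: bytes) -> bytes:
    qid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


def fake_tcp_exchange(framed: bytes) -> bytes:
    query = framed[2:]
    qid = parse_header(query)["id"]
    # answer name is a pointer to the question name at offset 12; A record 192.0.2.10
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    resp = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + query[12:] + answer
    return struct.pack("!H", len(resp)) + resp


def demo():
    resp, transport = resolve(QNAME, 0x1234, fake_udp_exchange, fake_tcp_exchange)
    return transport, parse_a_records(resp)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `('tcp', ['192.0.2.10'])`: the UDP reply carried no answer and only the TC flag, and the usable answer arrived on the TCP retry. From the firewall's point of view the rule that matters is outbound TCP to destination port 53 from the resolver's ephemeral ports, with return traffic accepted as part of that established connection.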