Suspicious DNS traffic

babu dheen babudheen at yahoo.co.in
Tue Mar 26 18:43:16 UTC 2013


Dear Brown,
 
I am using a stateful firewall from a leading vendor. So let me know why my server still initiates connections to remote DNS servers on non-standard destination ports?
 
Regards
Babu
 
 

________________________________
From: "WBrown at e1b.org" <WBrown at e1b.org>
To: babu dheen <babudheen at yahoo.co.in> 
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org> 
Sent: Monday, 25 March 2013 7:48 PM
Subject: Re: Suspicious DNS traffic

babu dheen wrote on 03/25/2013 12:21:30 PM:

> Still not convinced because if I need to allow >1024 ports from our 
> DNS server to the external world (internet).. where is the security?

Total security requires total isolation.  It is a matter of accepting some 
risks to perform the needed task.

> I believe we just need to allow TCP and UDP 53 from our DNS server 
> to the internet (any), which is already done. Not sure why we have to open
> non-standard ports from our DNS server to the internet?
> 
> Kindly provide some details.

You send a request via UDP from a random high port to an authoritative server. 
The answer is too large to fit in a UDP packet, so it responds via TCP to the 
source port of the request (the random high port from above).  If you block 
that TCP connection, you cannot receive the answer to your query.

Another reason for TCP replies is DNS Response Rate Limiting (RRL). 

Some "modern" stateful firewalls understand DNS: if a UDP packet is sent to 
port 53, they will accept TCP connections back from the destination address 
on port 53 to the source address/port.

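As an added illustration, not part of this thread or of BIND itself: the TCP fallback discussed above is driven by the TC (truncated) bit in the DNS header (RFC 1035). When the UDP answer comes back with TC=1, the resolver reissues the same query over a new TCP connection to port 53 of the same server, framing each message with a 2-octet length prefix. The script below builds a query, parses a constructed truncated reply and a constructed normal reply, and lists the outbound flows a stateful firewall on the resolver has to permit for one lookup. All names, addresses and packets are constructed samples, and `required_flows` is a hypothetical helper written for this example.

```python
import random
import struct

DNS_PORT = 53

def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query: 12-byte header (RD=1) plus one question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0 (query), opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question

def parse_header(packet):
    """Decode the DNS header fields a resolver needs to decide what to do next."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # 1 = truncated, retry over TCP
        "rd": bool(flags & 0x0100),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(query, udp_response):
    """True when the UDP answer matches our query ID and carries TC=1."""
    q = parse_header(query)
    r = parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        return False  # not a response to this query; a resolver drops it
    return r["tc"]

def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-octet big-endian length."""
    return struct.pack("!H", len(message)) + message

def unframe_tcp(stream):
    """Strip the 2-octet length prefix from one TCP-framed DNS message."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def required_flows(resolver_ip, upstream_ip, query, udp_response):
    """Outbound (protocol, destination, dport) flows for one lookup.

    Both the UDP query and the TCP retry are initiated by the resolver toward
    port 53; the replies ride on the firewall's existing state, so no inbound
    rule for high ports is needed.
    """
    flows = [("udp", upstream_ip, DNS_PORT)]
    if needs_tcp_retry(query, udp_response):
        flows.append(("tcp", upstream_ip, DNS_PORT))
    return flows

# Constructed sample traffic: a TXT query and two possible replies.
QUERY = build_query("example.com.", qtype=16, txid=0x1234)
# Truncated reply: same ID, QR=1 TC=1 RD=1 RA=1 (0x8380), question echoed, no answers.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
# Complete reply: QR=1 RD=1 RA=1 (0x8180), one TXT answer "test" via a name pointer.
NORMAL_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 5) + b"\x04test"
)

if __name__ == "__main__":
    for label, reply in (("truncated", TRUNCATED_REPLY), ("normal", NORMAL_REPLY)):
        print(label, parse_header(reply)["tc"],
              required_flows("192.0.2.10", "198.51.100.53", QUERY, reply))
```

Run stand-alone it prints the flow list for both replies; the truncated case adds the TCP/53 connection, which is the only extra rule a resolver host needs beyond UDP/53 and stateful return traffic.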