Suspecious DNS traffic

Mark Andrews marka at
Tue Mar 26 19:05:56 UTC 2013

In message <1364323396.89012.YahooMailNeo at>, babu dheen writes:
> Dear Brown,
> I am using Stateful firewall from leading vendor company.

And you have not configured it correctly.

> So let me know 
> why still my server initiate connection to remote DNS server on non 
> standard destination port?

It doesn't.  You send to port 53 from any port.  The replies come
back from port 53 to any port.  A properly configured stateful
firewall lets these reply packets in.  Your firewall is dropping
them.  I do mean any port, not just those greater than 1024.

A stateful firewall still needs to be configured to record the state
necessary to identify the reply packets.

     pass out quick proto udp from any to any keep state keep frag

This says to record that we sent a UDP packet from any address and
port to any other address and port so that we will accept the reply
traffic, and also to not block UDP fragments.  For UDP that state table
entry will exist for a few seconds before it is cleaned up.

For TCP the firewall will track the TCP state transitions.


> Regards
> Babu
> ________________________________
> From: "WBrown at" <WBrown at>
> To: babu dheen <babudheen at> 
> Cc: "bind-users at" <bind-users at> 
> Sent: Monday, 25 March 2013 7:48 PM
> Subject: Re: Suspecious DNS traffic
> babu dheen wrote on 03/25/2013 12:21:30 PM:
> > Still not convinced because if I need to allow >1024 port from our
> > DNS server to external world (internet), where is the security?
> Total security requires total isolation.  It is a matter of accepting
> some risks to perform the needed task.
> > I believe we just need to allow TCP and UDP 53 from our DNS server
> > to internet (any) which is already done. Not sure why we have to open
> > non standard port from our DNS server to internet?
> > 
> > Kindly provide some details.
> You send request via UDP from random high port to an authoritative
> server.  Answer is too large to fit in UDP packet, so it responds via
> TCP to the source port of the request (random high port from above).
> If you block that TCP connection, you cannot receive answer to your
> query.
> Another reason for TCP replies is DNS Response Rate Limiting (RRL). 
> Some "modern" stateful firewalls understand DNS and if there is a UDP 
> packet sent to port 53, it will accept TCP connections back from the 
> destination address on port 53 to the source address/port.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
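The point Mark makes above (the query leaves from an arbitrary source port to destination port 53, the reply comes back from port 53 to that same arbitrary port, and only a firewall that recorded the outbound flow can recognise the reply) is easy to see in a small model.  The following Python is an added illustration written for this page; it is not code from the thread, from pf or from BIND.  The firewall classes, the 10 second UDP state lifetime and the traffic (documentation addresses 192.0.2.10, 198.51.100.53 and 203.0.113.7, source port 40123) are all constructed for the example.  TCP state-transition tracking, which the post mentions, is deliberately left out.

```python
"""Toy model of why a stateless 'port 53 only' rule drops DNS replies while a
stateful 'keep state' rule admits them.  Constructed example, not pf or BIND."""
from dataclasses import dataclass
from typing import Dict, Tuple

# A flow is the 5-tuple a stateful firewall keys its state table on.
Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

# Lifetime of a UDP state entry.  The post says "a few seconds"; the exact
# value here is an assumption of this model, not any vendor's default.
UDP_STATE_TIMEOUT = 10.0


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self) -> Flow:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> Flow:
        # The reply to this packet travels the opposite way: from
        # (dst, dport) back to (src, sport).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatelessFirewall:
    """Port-only filtering: permits packets whose destination port is 53.
    It has no memory, so a reply addressed to the resolver's random
    source port never matches and is dropped."""

    def outbound(self, pkt: Packet, now: float) -> bool:
        return pkt.dport == 53

    def inbound(self, pkt: Packet, now: float) -> bool:
        return pkt.dport == 53


class StatefulFirewall:
    """Models 'pass out quick proto udp from any to any keep state': every
    outbound UDP packet is allowed and its flow recorded; an inbound UDP
    packet is allowed only while it is the reverse of a live entry."""

    def __init__(self, udp_timeout: float = UDP_STATE_TIMEOUT) -> None:
        self.udp_timeout = udp_timeout
        self.state: Dict[Flow, float] = {}  # flow -> expiry timestamp

    def _expire(self, now: float) -> None:
        # Drop entries whose lifetime has run out ("cleaned up" in the post).
        for flow in [f for f, exp in self.state.items() if exp <= now]:
            del self.state[flow]

    def outbound(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.proto != "udp":
            return False  # TCP state-transition tracking is not modelled here
        self.state[pkt.flow()] = now + self.udp_timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        # Admit only packets that answer a flow we recorded on the way out.
        return pkt.reverse_flow() in self.state


def run_scenario() -> Dict[str, bool]:
    """Run constructed traffic through both firewalls; True means 'pass'."""
    query = Packet("udp", "192.0.2.10", 40123, "198.51.100.53", 53)
    reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40123)
    # Same shape as a reply, but from a server we never queried.
    unsolicited = Packet("udp", "203.0.113.7", 53, "192.0.2.10", 40123)

    stateless = StatelessFirewall()
    stateful = StatefulFirewall(udp_timeout=UDP_STATE_TIMEOUT)
    return {
        "stateless_query_out": stateless.outbound(query, 0.0),
        "stateless_reply_in": stateless.inbound(reply, 0.1),
        "stateful_query_out": stateful.outbound(query, 0.0),
        "stateful_reply_in": stateful.inbound(reply, 0.1),
        "stateful_unsolicited_in": stateful.inbound(unsolicited, 0.2),
        "stateful_reply_after_timeout": stateful.inbound(reply, 30.0),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:30s} {'pass' if allowed else 'drop'}")
```

Running it shows the symptom from the thread: both firewalls let the query out, but the stateless one drops the reply because its destination port is 40123, not 53.  The stateful one admits that reply, still drops a port-53 packet from a host it never queried, and drops the same reply once the state entry has aged out.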
