Suspecious DNS traffic
novosirj at umdnj.edu
Tue Mar 26 19:07:01 UTC 2013
Niall already answered you the other day (brackets mine):
"The reply to such a query [from your server] originates from port 53
on the remote server, and is destined for the port on your server
which was used as the source of the query[, which will be a randomly
chosen port above 1024 if you are doing things the way they are
On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
> I am using a stateful firewall from a leading vendor. So let me
> know why my server still initiates connections to the remote DNS server
> on a non-standard destination port?
> Regards Babu
> *From:* "WBrown at e1b.org" <WBrown at e1b.org>
> *To:* babu dheen <babudheen at yahoo.co.in>
> *Cc:* "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspecious DNS traffic
> babu dheen wrote on 03/25/2013 12:21:30 PM:
>> Still not convinced, because if I need to allow >1024 ports from
>> our DNS server to the external world (internet).. where is the
> Total security requires total isolation. It is a matter of
> accepting some risks to perform the needed task.
>> I believe we just need to allow TCP and UDP 53 from our DNS
>> server to the internet (any), which is already done. Not sure why we
>> have to open a non-standard port from our DNS server to the internet?
>> Kindly provide some details.
> You send request via UDP from random high port to an authoritative
> server. Answer is too large to fit in UDP packet, so it responds
> via TCP to the source port of the request (random high port from
> above). If you block that TCP connection, you cannot receive
> answer to your query.
> Another reason for TCP replies is DNS Response Rate Limiting.
> Some "modern" stateful firewalls understand DNS and if there is a
> UDP packet sent to port 53, it will accept TCP connections back
> from the destination address on port 53 to the source
----
Ryan Novosielski - Sr. Systems Programmer
novosirj at umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
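The port behaviour the thread is arguing about, shown as an added example (not code from this thread, from BIND, or from any of the posters). It follows the standard resolver behaviour: the query leaves from an ephemeral source port, the remote server answers from port 53 back to that port, and if the UDP answer carries the TC (truncated) bit the resolver re-sends the same query over TCP to port 53, again from a fresh ephemeral port. The "remote server" here is a constructed in-process stand-in that always truncates over UDP and answers fully over TCP; the name, server address and returned address are constructed placeholders. The `flows` list the resolver returns is exactly the set of 5-tuples a stateful firewall has to track: outbound UDP and TCP to destination port 53, with the return traffic matched to those states rather than to a fixed inbound port.

```python
"""Resolver-side view of DNS source ports and TCP fallback (constructed demo)."""
import secrets
import struct

DNS_PORT = 53
FLAG_QR = 0x8000   # set in responses
FLAG_TC = 0x0200   # truncated: the answer did not fit the UDP reply
FLAG_RD = 0x0100   # recursion desired
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Build a single-question A query; the transaction id is random by default."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_header(msg):
    """Return the fields of the 12-byte DNS header that the fallback logic needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "ancount": an}


def ephemeral_port():
    """Random source port from the IANA dynamic range 49152-65535."""
    return 49152 + secrets.randbelow(16384)


def resolve(name, server, udp_exchange, tcp_exchange):
    """Query over UDP, retry over TCP on truncation; return (header, flows used)."""
    query = build_query(name)
    expected_id = parse_header(query)["id"]
    flows = []

    sport = ephemeral_port()
    flows.append(("udp", sport, server, DNS_PORT))   # reply comes 53 -> sport
    reply = udp_exchange(server, sport, query)
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != expected_id:
        raise ValueError("reply does not match an outstanding query; discarding")

    if hdr["tc"]:
        # Truncated answer: the resolver opens a new TCP connection to port 53
        # from another ephemeral port and sends the query with a 2-byte length prefix.
        sport = ephemeral_port()
        flows.append(("tcp", sport, server, DNS_PORT))
        framed_reply = tcp_exchange(server, sport, struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", framed_reply[:2])
        reply = framed_reply[2:2 + length]
        hdr = parse_header(reply)
        if not hdr["qr"] or hdr["id"] != expected_id:
            raise ValueError("TCP reply does not match the query; discarding")
    return hdr, flows


# --- constructed stand-in for the remote server; no network is touched ---
def _answer(query, truncated):
    txid = parse_header(query)["id"]
    question = query[12:]
    flags = FLAG_QR | FLAG_RD
    if truncated:
        return struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0) + question
    # One A record (name pointer to offset 12, TTL 300, constructed address 192.0.2.10).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def fake_udp_exchange(server, sport, query):
    return _answer(query, truncated=True)


def fake_tcp_exchange(server, sport, framed_query):
    (length,) = struct.unpack("!H", framed_query[:2])
    reply = _answer(framed_query[2:2 + length], truncated=False)
    return struct.pack("!H", len(reply)) + reply


def demo():
    """Resolve a constructed name against the constructed server."""
    return resolve("example.com", "192.0.2.53", fake_udp_exchange, fake_tcp_exchange)


if __name__ == "__main__":
    hdr, flows = demo()
    for proto, sport, dst, dport in flows:
        print(f"{proto} {sport} -> {dst}:{dport}   (reply: {dst}:{dport} -> {sport})")
    print(f"final answer: tc={hdr['tc']} ancount={hdr['ancount']}")
```

Running it prints two flows, both with destination port 53 and a random source port above 49152; nothing is ever sent from the resolver to a high port on the remote side. Note the id check before accepting either reply: a response that does not match the transaction id and outstanding source port is dropped, which is the same matching a stateful firewall relies on when it lets the reply back in.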