Suspicious DNS traffic

Novosielski, Ryan novosirj at
Tue Mar 26 19:07:01 UTC 2013


Niall already answered you the other day (brackets mine):

"The reply to such a query [from your server] originates from port 53
on the remote server, and is destined for the port on your server
which was used as the source of the query[, which will be a randomly
chosen port above 1024 if you are doing things the way they are
usually done]."

On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
> I am using a stateful firewall from a leading vendor. So let me
> know why my server still initiates connections to remote DNS servers
> on non-standard destination ports?
> Regards, Babu
> *From:* "WBrown at" <WBrown at>
> *To:* babu dheen <babudheen at>
> *Cc:* "bind-users at" <bind-users at>
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspicious DNS traffic
> babu dheen wrote on 03/25/2013 12:21:30 PM:
>> Still not convinced, because if I need to allow ports >1024 from
>> our DNS server to the external world (internet), where is the
>> security?
> Total security requires total isolation.  It is a matter of
> accepting some risks to perform the needed task.
>> I believe we just need to allow TCP and UDP 53 from our DNS
>> server to the internet (any), which is already done. Not sure why we
>> have to open non-standard ports from our DNS server to the internet?
>> Kindly provide some details.
> You send the request via UDP from a random high port to an authoritative
> server. The answer is too large to fit in a UDP packet, so it responds
> via TCP to the source port of the request (the random high port from
> above). If you block that TCP connection, you cannot receive the
> answer to your query.
> Another reason for TCP replies is DNS Response Rate Limiting
> (RRL).
> Some "modern" stateful firewalls understand DNS and, if there is a
> UDP packet sent to port 53, will accept TCP connections back
> from the destination address on port 53 to the source
> address/port.

- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
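The point Niall makes above, that the reply comes from the server's port 53 back to whatever ephemeral source port the query used, is easy to watch on loopback. What follows is an added example written for this page, not code from the thread, from BIND or from any firewall vendor. A toy server binds one OS-chosen port for both UDP and TCP (standing in for 53, which needs root), and a client resolves two constructed names: "small.example" fits in a UDP reply; "big.example" has enough A records to exceed the classic 512-byte limit, so the server answers with the TC bit set and no records and the client asks the same question again over TCP, to the server's port. The zone data, the addresses and the peer-port/ID check in `resolve` are this example's own assumptions.

```python
import socket
import struct
import threading

# Constructed zone data: "big.example" carries enough A records to overflow the classic
# 512-byte UDP limit, so the server must set TC and the client must retry over TCP.
RECORDS = {
    "small.example": ["192.0.2.1"],
    "big.example": ["192.0.2.%d" % i for i in range(1, 41)],
}
UDP_LIMIT = 512

def build_query(qname, qid):
    # header: ID, flags (RD=1), QDCOUNT=1; question: labels, root, QTYPE=A, QCLASS=IN
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(msg):
    labels, i = [], 12
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode())
        i += msg[i] + 1
    return ".".join(labels)

def build_response(query, ips, truncate):
    # flags QR|RD|RA, plus TC when the full answer does not fit; a truncated reply carries no RRs
    flags = 0x8180 | (0x0200 if truncate else 0)
    rrs = b"" if truncate else b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, 0 if truncate else len(ips), 0, 0)
    return header + query[12:] + rrs  # echo the question section verbatim

def parse_a_records(resp):
    ancount, i, ips = struct.unpack("!H", resp[6:8])[0], 12, []
    while resp[i]:  # step over the QNAME labels
        i += resp[i] + 1
    i += 5  # root label, QTYPE, QCLASS
    for _ in range(ancount):  # RR: 2-byte name pointer, TYPE, CLASS, TTL, RDLENGTH, RDATA
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[i + 2:i + 12])
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[i + 12:i + 16]))
        i += 12 + rdlen
    return ips

def start_server(records):
    while True:  # find one loopback port free for both transports (a real server binds 53/udp and 53/tcp)
        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.bind(("127.0.0.1", 0))
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            udp.bind(("127.0.0.1", tcp.getsockname()[1]))
            break
        except OSError:
            tcp.close()
    port = tcp.getsockname()[1]
    tcp.listen(1)
    def answer(query, over_tcp):
        ips = records.get(parse_qname(query), [])
        full = build_response(query, ips, truncate=False)
        if over_tcp or len(full) <= UDP_LIMIT:
            return full
        return build_response(query, ips, truncate=True)  # TC=1: "ask me again over TCP"
    def serve_udp():
        while True:
            query, client = udp.recvfrom(4096)  # client = (addr, the query's random high source port)
            udp.sendto(answer(query, False), client)  # reply leaves from our port, back to exactly that port
    def serve_tcp():
        while True:
            conn, _ = tcp.accept()
            with conn:  # TCP is a byte stream: 2-byte length prefix, then the message
                length = struct.unpack("!H", conn.recv(2, socket.MSG_WAITALL))[0]
                resp = answer(conn.recv(length, socket.MSG_WAITALL), True)
                conn.sendall(struct.pack("!H", len(resp)) + resp)
    threading.Thread(target=serve_udp, daemon=True).start()
    threading.Thread(target=serve_tcp, daemon=True).start()
    return port

def resolve(qname, server_port, qid=0x1234):
    # UDP first, from a kernel-chosen ephemeral source port; on TC, re-ask over TCP to the same server port
    query = build_query(qname, qid)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(3)
    udp.sendto(query, ("127.0.0.1", server_port))
    src_port = udp.getsockname()[1]  # the high port a stateful firewall must let the reply back in to
    resp, peer = udp.recvfrom(UDP_LIMIT)
    udp.close()
    if peer[1] != server_port or resp[:2] != query[:2]:  # cheap spoofing check: expected peer port and ID
        raise ValueError("unexpected reply")
    transport = "udp"
    if struct.unpack("!H", resp[2:4])[0] & 0x0200:  # TC set: the client, not the server, opens TCP
        with socket.create_connection(("127.0.0.1", server_port), timeout=3) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            resp = tcp.recv(struct.unpack("!H", tcp.recv(2, socket.MSG_WAITALL))[0], socket.MSG_WAITALL)
        transport = "tcp"
    return {"src_port": src_port, "transport": transport, "ips": parse_a_records(resp)}

if __name__ == "__main__":
    port = start_server(RECORDS)
    print(resolve("small.example", port), resolve("big.example", port))
```

Run it and `src_port` shows the ephemeral port the kernel picked for each query, which is the "non-standard" port the firewall logs show. Every packet the server sends in this exchange is addressed to a port it learned from a datagram or connection the client opened first, and that is exactly the state a firewall tracks when it is given an outbound rule for 53/udp and 53/tcp. The peer-port and ID comparison in `resolve` is a minimal stand-in for what a real resolver does; keeping the source port unpredictable is part of the same defence against off-path spoofed answers, so pinning queries to a fixed high port to make the rules tidier would weaken it.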


More information about the bind-users mailing list