BIND ignores queries from specific privileged source ports

Blake Hudson blake at ispn.net
Mon Jun 10 14:05:55 UTC 2019 

Thank you Mark. A popular NAT appliance manufacturer has some logic that 
attempts to keep the translated source port close to the untranslated 
source port which can sometimes result in the behavior I've described 
where DNS queries use the well known source port of protocols that are 
abuse prone: 
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/nat-basics.html#ID-2090-00000438

I don't see a configuration option within BIND to change that behavior, 
just a BIND compile time option (which I probably won't change since 
software and upgrades are managed via yum/apt). I will look for another 
avenue to resolve this issue.

--Blake

Mark Andrews wrote on 6/7/2019 9:44 PM:
> Named drops those ports as they can be used in reflection attacks.
> Sane NAT developers avoid those ports for just that reason.  The
> full list is below.
>
> static int
> ns_client_dropport(in_port_t port) {
>          switch (port) {
>          case 7: /* echo */
>          case 13: /* daytime */
>          case 19: /* chargen */
>          case 37: /* time */
>                  return (DROPPORT_REQUEST);
>          case 464: /* kpasswd */
>                  return (DROPPORT_RESPONSE);
>          }
>          return (DROPPORT_NO);
> }
>
>
>> On 8 Jun 2019, at 7:56 am, Blake Hudson <blake at ispn.net> wrote:
>>
>> Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but have also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated from specific privileged source ports but not others?
>>
>> Example:
>>
>> [root at ns ~]# dig +short -b 127.0.0.1 @localhost google.com
>> 172.217.6.110
>> [root at ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com
>> 172.217.6.110
>> [root at ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com
>> 172.217.6.110
>> [root at ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com
>> ;; connection timed out; no servers could be reached
>> [root at ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com
>> 172.217.6.110
>> [root at ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com
>> ;; connection timed out; no servers could be reached
>>
>>
>> While it would be ideal for clients to use source port randomization and initiate queries from random ephemeral ports, I don't control all the clients or the NAT routers in between the client and the server. Queries using a source port of 13 and 19 are dropped while queries from port 10000, 50, and 14 are answered. This has been confirmed via a network capture as well. I checked the ARM, but didn't see what knob(s) I could tweak to control this behavior. Anyone know?
>>
>> Thanks,
>> --Blake
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list