<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="RIGHT: auto">Dear Brown,</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">I am using Stateful firewall from leading vendor company. So let me know why still my server initiate connection to remote DNS server on non standard destination port?</div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto">Regards</div>
<div style="RIGHT: auto">Babu<VAR id=yui-ie-cursor></VAR></div>
<div style="RIGHT: auto"> </div>
<div style="RIGHT: auto"> </div>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV style="RIGHT: auto" dir=ltr><FONT size=2 face=Arial>
<DIV style="BORDER-BOTTOM: #ccc 1px solid; BORDER-LEFT: #ccc 1px solid; PADDING-BOTTOM: 0px; LINE-HEIGHT: 0; MARGIN: 5px 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; HEIGHT: 0px; FONT-SIZE: 0px; BORDER-TOP: #ccc 1px solid; BORDER-RIGHT: #ccc 1px solid; PADDING-TOP: 0px" class=hr contentEditable=false readonly="true"></DIV><B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> "WBrown@e1b.org" <WBrown@e1b.org><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> babu dheen <babudheen@yahoo.co.in> <BR><B><SPAN style="FONT-WEIGHT: bold">Cc:</SPAN></B> "bind-users@lists.isc.org" <bind-users@lists.isc.org> <BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Monday, 25 March 2013 7:48 PM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: Suspecious DNS traffic<BR></FONT></DIV><BR>babu dheen wrote on 03/25/2013 12:21:30 PM:<BR><BR>> Still not convinced because if i need to allow >1024 port from our <BR>> DNS server to
external world(internet).. where is the security?<BR><BR>Total security requires total isolation. It is a matter of accepting some <BR>risks to perform the needed task.<BR><BR>> I beleive we just need to allow TCP and UDP 53 from our DNS server <BR>> to internet(any) which is already done. Not sure why we have to open<BR>> non standard port from our DNS server to internet?<BR>> <BR>> Kindly provide some details.<BR><BR>You send request via UDP from random high port to an authoritative server. <BR>Answer is too large to fit in UDP packet, so it responds via TCP to the <BR>source port of the request (random high port from above). If you block <BR>that TCP connection, you cannot receive answer to your query.<BR><BR>Another reason for TCP replies is DNS Response Rate Limiting (RRL). <BR><BR>Some "modern" stateful firewalls understand DNS and if there is a UDP <BR>packet sent to port 53, it will accept TCP connections back from the
<BR>destination address on port 53 to the source address/port.<BR><BR><BR><BR><BR><BR><BR>Confidentiality Notice: <BR>This electronic message and any attachments may contain confidential or <BR>privileged information, and is intended only for the individual or entity <BR>identified above as the addressee. If you are not the addressee (or the <BR>employee or agent responsible to deliver it to the addressee), or if this <BR>message has been addressed to you in error, you are hereby notified that <BR>you may not copy, forward, disclose or use any part of this message or any <BR>attachments. Please notify the sender immediately by return e-mail or <BR>telephone and delete this message from your system.<BR><BR><BR></DIV></DIV></div></body></html>