Hi List,
I have a problem with the UDP ports for DNS (53); this is my network:
INTERNET <--> Gateway <--> Public_Server (DNS-Server)
The gateway is a packet filter (running iptables). My nameservers are behind the gateway and they are configured as primary DNS. The zone transfer is OK (TCP requests on port 53 are allowed), but my problem is the needed UDP ports. At the moment the following ports are open:
Request: client above 1023 -> server (named) port 53 UDP
ACK
Response: server port 53 -> client port request was sent from UDP
name server to name server: 53 -> 53, 53 <- 53 UDP
ACK, only an old BIND (below v8) is using 53 -> 53 by default.
Everything on my gateway is logged (if no rule matches) and I have many requests from clients using a UDP port smaller than 1024 for connections to port 53! Sometimes reserved ports are used:
Request: client above 137 -> server (named) port 53 UDP
It seems there are some Windows boxes in your net; 137 >> NetBIOS.
Is this OK? Which ports do I really need, and where can I find a short description? I tried to read and understand the RFCs, but ...
You need to allow nameservice requests from 1024 (and above) to 53 by using TCP. You do not need to use UDP. It still works without UDP.
Thanks for help.
Regards
Ruediger Doerlich
InterConcept GmbH Drosselweg 27 D-61462 Koenigstein
Best regards, Stefan Walther stefan_walther@gehag-dsk.de stefan.walther@gmx.net office: +4930/89786448 mobile: +49172/3943961
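As an added example (not part of this thread and not anybody's actual gateway configuration), the Python script below parses iptables kernel log lines of the kind Ruediger describes, counts the request patterns discussed above (client source ports below 1024, 53 -> 53 queries from an old BIND, source port 137 from Windows boxes), and compares two gateway policies for queries to the nameserver: the current "client source port above 1023 -> 53" rule and a rule that accepts any source port to destination port 53 and lets connection tracking pass the replies back. The log lines, addresses and the `stateful_rules` helper are constructed for the example; the rendered rules assume the gateway's iptables has the `state` match (conntrack) available.

```python
"""Classify logged DNS requests by client source port and compare two filter policies."""
import re

# Constructed sample of iptables kernel log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 14 10:01:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=53 LEN=40
Jan 14 10:01:03 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53 LEN=52
Jan 14 10:01:04 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=53 LEN=48
Jan 14 10:01:05 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=53 LEN=60
Jan 14 10:01:06 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.8 DST=192.0.2.10 PROTO=UDP SPT=1023 DPT=53 LEN=44
"""

# iptables logs fields as KEY=value tokens; OUT= may be empty, hence \S*
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log(text):
    """Turn iptables log lines into dicts with protocol and integer ports."""
    packets = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "PROTO" not in fields or "SPT" not in fields or "DPT" not in fields:
            continue  # not a logged TCP/UDP packet (e.g. ICMP or unrelated line)
        packets.append({
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields["PROTO"],
            "spt": int(fields["SPT"]),
            "dpt": int(fields["DPT"]),
        })
    return packets


def classify(packets):
    """Count the request patterns the thread discusses among queries to port 53."""
    counts = {"requests": 0, "low_source_port": 0, "port_53_to_53": 0, "netbios_137": 0}
    for p in packets:
        if p["dpt"] != 53:
            continue
        counts["requests"] += 1
        if p["spt"] < 1024:
            counts["low_source_port"] += 1          # reserved source port, legal for DNS
        if p["proto"] == "UDP" and p["spt"] == 53:
            counts["port_53_to_53"] += 1            # pre-8 BIND default behaviour
        if p["spt"] == 137:
            counts["netbios_137"] += 1              # Windows host reusing its NetBIOS port
    return counts


def allowed_by_port_policy(p):
    """The thread's current policy: only client source ports above 1023 may reach port 53."""
    return p["dpt"] == 53 and p["spt"] > 1023


def allowed_by_stateful_policy(p):
    """Accept any source port to 53/udp or 53/tcp; replies are matched by conntrack state."""
    return p["dpt"] == 53 and p["proto"] in ("UDP", "TCP")


def dropped_under(policy, packets):
    """Return the logged packets the given policy would reject."""
    return [p for p in packets if not policy(p)]


def stateful_rules(server_ip):
    """Constructed FORWARD-chain rules for a nameserver behind a stateful iptables gateway."""
    return [
        # queries from anywhere, any source port, to the nameserver
        f"iptables -A FORWARD -d {server_ip} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
        f"iptables -A FORWARD -d {server_ip} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
        # replies back to the clients, whatever port they queried from
        f"iptables -A FORWARD -s {server_ip} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # the nameserver's own outbound queries (recursion, zone transfer pulls) and their answers
        f"iptables -A FORWARD -s {server_ip} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
        f"iptables -A FORWARD -s {server_ip} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT",
        f"iptables -A FORWARD -d {server_ip} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print(classify(pkts))
    print("dropped by port-range policy:", len(dropped_under(allowed_by_port_policy, pkts)))
    print("dropped by stateful policy:  ", len(dropped_under(allowed_by_stateful_policy, pkts)))
    for rule in stateful_rules("192.0.2.10"):
        print(rule)
```

Run against the constructed log, three of the five queries (source ports 137, 53 and 1023) are dropped by the source-port-range rule although they are ordinary DNS requests, while the port-agnostic rule accepts all five and relies on the gateway's connection tracking to return the answers to whatever port each client used.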