[Bug 262387] New: DNS Server in Yast used non standard source TCP Port 11076 in lieu of IANA DNS Resolution Standard of TCP/UDP 53

https://bugzilla.novell.com/show_bug.cgi?id=262387

Summary: DNS Server in Yast used non standard source TCP Port 11076 in lieu of IANA DNS Resolution Standard of TCP/UDP 53
Product: openSUSE 10.2
Version: Final
Platform: i386
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: alpha096@tpg.com.au
QAContact: jsrain@novell.com

DNS resolution has been a long standing source and destination port of TCP/UDP 53. Whilst the destination port is observed by DNS Server in Yast, it is expected that the source port should also conform to TCP/UDP 53 rather than TCP 1107. Whilst it is understood there is no specific requirement for the source port to be TCP/UDP 53, it is widely assumed and relied upon by hardware devices, firewalls, IDS/IDP.

The issue is that a workstation will use TCP/UDP 53 as a source port and hence comply with assumed standards; however, the DNS server which provides DNS resolution does not.

Ports above 1024 are generally regarded as optional port assignments and are confined to specific applications with specific requirements. It is not unusual for all ports above 1024 to be treated as potential security risks, and they are heavily monitored by institutions where there is a strong emphasis on security.

There may be operational reasons why port TCP/UDP 53 is not used as a source port; however, it does complicate the establishment of hardware security where common conventions are always assumed.

For discussion.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=262387

chrubis@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |locilka@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=262387

locilka@novell.com changed:

           What    |Removed             |Added
----------------------------------------------------------------------------
         AssignedTo|locilka@novell.com  |bnc-team-screening@forge.provo.novell.com

------- Comment #1 from locilka@novell.com 2007-04-10 07:59 MST -------

Wrong assignment. YaST DNS-Server doesn't configure the TCP/UDP ports to listen on. If it does so, it's at the user's request. YaST DNS-Server also doesn't configure the TCP/UDP ports that are accepted for DNS queries from clients.

But maybe I have missed the point...

https://bugzilla.novell.com/show_bug.cgi?id=262387

------- Comment #2 from alpha096@tpg.com.au 2007-04-10 16:17 MST -------

Yes, you have missed the point. I have no issue in setting up a DNS server to perform lookups for all other PCs on the LAN. For the DNS server itself, to enable it to perform this, it sends out traffic with source port 1107 and destination port 53 of the online server. The issue is that the traffic the in-house DNS server sends out is not source port 53 to destination port 53.

https://bugzilla.novell.com/show_bug.cgi?id=262387

ug@novell.com changed:

           What    |Removed   |Added
----------------------------------------------------------------------------
             Status|NEW       |RESOLVED
         Resolution|          |WONTFIX

------- Comment #4 from ug@novell.com 2007-04-11 02:13 MST -------

The ISC itself has changed the default from query source port 53 to a high port with bind 8.1. We followed their example with our default configuration. I don't see a need to change the default to port 53 and would prefer to stay close to the bind default configuration.

https://bugzilla.novell.com/show_bug.cgi?id=262387

------- Comment #5 from alpha096@tpg.com.au 2007-04-11 03:17 MST -------

Uwe, I thought the DNS server would be intertwined functionally with the DHCP, HTTP etc. server modules, and I am in total agreement with your logic not to change anything, especially if dependent modules, i.e. bind, are always going to be (correct in everything they do). Thank you for the notice.

I can always write IDS script tools that monitor DNS to only look at source port 11076 and destination 53. I will advise the IDS hardware managers of this issue so that they can account for it in their hardware. This has been of great value.

If it did not concern DNS traffic there would be no issue; however, DNS is extensively, and beaten into you at all security seminars like SANS.

In respect to #1, I would appreciate if you could enlarge Lukas's understanding of this very small part of the TCP/IP protocol. Let's leave ICMP and NetBIOS for other issues. ;-)

Scott
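The thread turns on one practical question: should egress firewall and IDS rules for a recursive resolver key on the resolver's source port (53, or the 11076 the reporter observed) or only on the destination port? The following is an added example, not code from the bug report or from YaST/BIND, that runs a few constructed flow records through both rule styles. It assumes a stateful firewall that admits reply packets for a flow it already allowed outbound, and the record fields (proto, src_port, dst_port) are this example's own.

```python
"""Added example (not part of the bug thread): comparing an egress rule keyed on
the resolver's source port with one keyed on the destination port only.

Since BIND 8.1 the resolver picks an unprivileged query-source port by default
(the reporter saw 11076); a rule written for "src 53 -> dst 53" therefore
blocks the resolver's own upstream queries.  The flow records below are
constructed for the example, not captured from any real host.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src_port: int   # resolver's source port
    dst_port: int   # upstream server's port


# Constructed outbound flows from an in-house recursive resolver.
RESOLVER_FLOWS = [
    Flow("udp", 53, 53),       # legacy BIND behaviour: query-source port 53
    Flow("udp", 11076, 53),    # the high port observed in the bug report
    Flow("udp", 40211, 53),    # constructed: another unprivileged port
    Flow("tcp", 11076, 53),    # TCP fallback for answers too large for UDP
    Flow("udp", 11076, 123),   # constructed: NTP, not DNS, same source port
]


def source_port_rule(flow: Flow) -> bool:
    """The convention the reporter assumed: DNS is always src 53 -> dst 53."""
    return flow.proto in ("udp", "tcp") and flow.src_port == 53 and flow.dst_port == 53


def destination_port_rule(flow: Flow) -> bool:
    """Rule that follows the BIND default: match the destination port only and
    let connection tracking admit the matching replies."""
    return flow.proto in ("udp", "tcp") and flow.dst_port == 53


def dropped_dns_queries(rule: Callable[[Flow], bool]) -> List[Flow]:
    """DNS queries (destination port 53) that the given rule would block."""
    return [f for f in RESOLVER_FLOWS if f.dst_port == 53 and not rule(f)]


def unrelated_traffic_admitted(rule: Callable[[Flow], bool]) -> List[Flow]:
    """Non-DNS flows the rule lets through; both rules should return none."""
    return [f for f in RESOLVER_FLOWS if f.dst_port != 53 and rule(f)]


if __name__ == "__main__":
    for name, rule in (("src-port rule", source_port_rule),
                       ("dst-port rule", destination_port_rule)):
        dropped = dropped_dns_queries(rule)
        print(f"{name}: blocks {len(dropped)} of the resolver's DNS queries")
        for f in dropped:
            print(f"  dropped {f.proto} {f.src_port} -> {f.dst_port}")
```

The destination-port rule admits every DNS query and nothing else in the sample, while the source-port rule drops three of the four. An IDS signature pinned to source port 11076, as comment #5 proposes, has the same brittleness in the other direction: it fires only on that one port, so a resolver that is restarted and picks a different unprivileged port goes unmonitored. Matching on destination port 53 plus the connection state is the check that survives both BIND's default and the older pinned-port configuration.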