Hi List,

I've a problem with the udp-ports for dns (53); this is my network:

INTERNET <--> Gateway <--> Public_Server (DNS-Server)

The gateway is a packet filter (running iptables). My nameservers are behind the gateway and they are configured as primary dns. The zonetransfer is ok (allow requests tcp on port 53) but my problems are the needed udp-ports. At the moment the following ports are open:

Request: client above 1023 -> server (named) port 53 UDP
Response: server port 53 -> client port request was sent from UDP
name server to name server: 53 -> 53 53 <- 53 UDP

Everything in my gateway is logged (if a rule doesn't match) and I've many requests from clients using a UDP port smaller than 1024 for connections to port 53! Sometimes reserved ports are used:

Request: client above 137 -> server (named) port 53 UDP

Is this OK? Which ports do I really need and where can I find a short description? I tried to read and understand the RFCs but ...

Thanks for help.

Regards
Ruediger Doerlich
InterConcept GmbH
Drosselweg 27
D-61462 Koenigstein
On Tuesday 05 February 2002 14:17, you wrote:
I've a problem with the udp-ports for dns (53); this is my network:
INTERNET <--> Gateway <--> Public_Server (DNS-Server)
The gateway is a packet filter (running iptables). My nameservers are behind the gateway and they are configured as primary dns. The zonetransfer is ok (allow requests tcp on port 53) but my problems are the needed udp-ports. At the moment the following ports are open:
Request: client above 1023 -> server (named) port 53 UDP
Response: server port 53 -> client port request was sent from UDP
name server to name server: 53 -> 53 53 <- 53 UDP
Everything in my gateway is logged (if a rule doesn't match) and I've many requests from clients using a UDP port smaller than 1024 for connections to port 53! Sometimes reserved ports are used:
Request: client above 137 -> server (named) port 53 UDP
Is this OK? Which ports do I really need and where can I find a short description? I tried to read and understand the RFCs but ...
Why are you worried about what ports the clients are using when querying port 53? I can understand if you're filtering traffic from external DNS servers, that you might permit traffic from port 53 to 53 and 1024: but surely it's nonsense to assume the clients of your public DNS server follow the UNIX privileged ports convention.

Rob
Request: client above 1023 -> server (named) port 53 UDP
Response: server port 53 -> client port request was sent from UDP
name server to name server: 53 -> 53 53 <- 53 UDP
Everything in my gateway is logged (if a rule doesn't match) and I've many requests from clients using a UDP port smaller than 1024 for connections to port 53! Sometimes reserved ports are used:
You're assuming that all the machines connecting to your DNS server will follow the UNIX conventions of reserved ports. You should not worry about which ports the connecting clients are coming from, but rather simply allow requests to UDP 53 from all ports. Not every request is going to come from an RFC-compliant resolver.
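As an added example (not from anyone in this thread), here is a small Python model of the two rule sets being discussed: the poster's filter, which only accepts UDP queries to port 53 from source port 53 or from ports above 1023, beside the corrected filter the replies recommend, which accepts queries to port 53 from any source port. The log lines are constructed in the format of the iptables LOG target, and the iptables commands in the comments are the assumed equivalents.

```python
import re
from dataclasses import dataclass

# Constructed sample of inbound packets to the nameserver, in iptables LOG format.
# None of these are the poster's real logs; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb  5 14:02:11 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=137 DPT=53 LEN=48
Feb  5 14:02:12 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53 LEN=44
Feb  5 14:02:13 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=203.0.113.2 DST=192.0.2.53 PROTO=UDP SPT=53 DPT=53 LEN=60
Feb  5 14:02:14 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.53 PROTO=UDP SPT=1024 DPT=53 LEN=40
Feb  5 14:02:15 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=198.51.100.21 DST=192.0.2.53 PROTO=UDP SPT=777 DPT=53 LEN=40
Feb  5 14:02:16 gw kernel: DNS-IN IN=eth0 OUT=eth1 SRC=198.51.100.30 DST=192.0.2.53 PROTO=TCP SPT=40000 DPT=53 LEN=60
"""

LINE_RE = re.compile(r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int


def parse_log(text):
    """Extract protocol and ports from each iptables LOG line."""
    return [Packet(m["proto"], int(m["spt"]), int(m["dpt"]))
            for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def original_rules(p):
    """The poster's filter (assumed iptables equivalent):
    iptables -A FORWARD -p tcp --dport 53 -j ACCEPT                    # zone transfers
    iptables -A FORWARD -p udp --sport 1024:65535 --dport 53 -j ACCEPT # clients
    iptables -A FORWARD -p udp --sport 53 --dport 53 -j ACCEPT         # server to server
    """
    if p.dport != 53:
        return False
    return p.proto == "TCP" or p.sport == 53 or p.sport > 1023


def corrected_rules(p):
    """What the replies recommend: no source-port restriction on queries.
    iptables -A FORWARD -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
    (replies flow back via: iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT)
    """
    return p.dport == 53 and p.proto in ("UDP", "TCP")


def compare(text):
    """Count how many sampled queries each rule set accepts and list the
    low source ports that the original rule set silently drops."""
    pkts = parse_log(text)
    return {
        "total": len(pkts),
        "accepted_original": sum(1 for p in pkts if original_rules(p)),
        "accepted_corrected": sum(1 for p in pkts if corrected_rules(p)),
        "dropped_low_sports": sorted(p.sport for p in pkts
                                     if corrected_rules(p) and not original_rules(p)),
    }
```

Running `compare(SAMPLE_LOG)` shows that the original rule set rejects the queries from source ports 137 and 777, which are exactly the legitimate-but-nonconforming clients the poster was seeing in the gateway log.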
participants (3)
- ic_admin
- ksemat@wawa.eahd.or.ug
- Robert Davies