Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Nameserver behind gateway - ports
On Tuesday 05 February 2002 14:17, you wrote:

> I've a problem with the udp-ports for dns (53); this is my network:
>
> INTERNET <--> Gateway <--> Public_Server (DNS-Server)
>
> The gateway is a packet filter (running iptables). My nameservers are
> behind the gateway and they are configured as primary DNS. The
> zone transfer is OK (allow requests TCP on port 53) but my problems are
> the needed UDP ports. At the moment the following ports are open:
>
> Request: client above 1023 -> server (named) port 53 UDP
>
> Response: server port 53 -> client port request was sent from UDP
>
> name server to name server: 53 -> 53 53 <- 53 UDP
>
> Everything in my gateway is logged (if a rule doesn't match) and I've
> many requests from clients using a UDP port smaller than 1024 for
> connections to port 53! Sometimes reserved ports are used:
>
> Request: client above 137 -> server (named) port 53 UDP
>
> Is this OK?
> Which ports do I really need and where can I find a short description?
> I tried to read and understand the RFCs but ...

Why are you worried what ports the clients are using, when querying port 53?
I can understand if you're filtering traffic from external DNS servers, that
you might permit traffic from port 53 to 53 and 1024: but surely it's
nonsense to assume the clients of your public DNS server follow the UNIX
privileged ports convention.

Rob