Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Nameserver behind gateway - ports
  • From: Stefan_Walther@xxxxxxxxxxxx
  • Date: Tue, 5 Feb 2002 15:39:01 +0100
  • Message-id: <OF4F4CED72.B172B8AA-ONC1256B57.005006C1-C1256B57.005056CC@xxxxxxxxxxxx>
>Hi List,
>
>I've a problem with the udp-ports for dns (53); this is my network:
>
>INTERNET <--> Gateway <--> Public_Server (DNS-Server)
>
>The gateway is a packet filter (running iptables). My nameservers are
>behind the gateway and they are configured as primary DNS. The
>zone transfer is OK (allow requests TCP on port 53) but my problems are
>the needed UDP ports. At the moment the following ports are open:
>
>Request: client above 1023 -> server (named) port 53 UDP
>

ACK

>
>
>Response: server port 53 -> client port the request was sent from, UDP
>
>name server to name server: 53 -> 53 53 <- 53 UDP
>

ACK, only an old BIND (below v8) uses 53 -> 53 by default.

>Everything in my gateway is logged (if a rule doesn't match) and I've
>many requests from clients using a UDP port below 1024 for
>connections to port 53! Sometimes reserved ports are used:
>
>Request: client above 137 -> server (named) port 53 UDP

It seems there are some Windows boxes in your net: 137 >> NETBIOS

>
>Is this OK?
>Which ports do I really need and where can I find a short description?
>I tried to read and understand the rfc's but ...
>

You need to allow nameservice requests from 1024 (and above) to 53 by using
tcp. You do not need to use udp. It still works without udp.

>
>Thanks for help.
>
>
>Regards
>
>
>Ruediger Doerlich

>InterConcept GmbH
>Drosselweg 27
>D-61462 Koenigstein



Best Regards,
MfG.

Stefan Walther
stefan_walther@xxxxxxxxxxxx
stefan.walther@xxxxxxx
dienst.: +4930/89786448
Funk: +49172/3943961
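As an added example that is not part of the thread, here is an iptables rule set for the layout in the question (Internet, gateway, public nameserver behind it). It allows both UDP and TCP to port 53: resolvers send queries over UDP first and retry over TCP when a response is truncated, and zone transfers run over TCP. It matches on protocol, destination port and connection state only, so the client's source port is not constrained and the low source ports seen in the gateway logs (such as 137) are handled by the same rule as ephemeral ports. The interface name, the nameserver address and the FORWARD-chain placement are assumptions; the script prints the commands unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (placeholders):
#   WAN - gateway interface facing the Internet
#   NS  - address of the public nameserver behind the gateway
# The rules go in the FORWARD chain (the gateway routes, it is not the
# resolver itself) and use the conntrack "state" match so that replies are
# matched by connection state instead of by source port.
# IPTABLES defaults to "echo iptables" so the script prints the commands
# instead of changing the firewall; set IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
WAN="${WAN:-eth0}"
NS="${NS:-192.0.2.53}"   # RFC 5737 documentation address, a placeholder

dns_rules() {
    # Return traffic for anything the gateway already saw: DNS responses
    # from $NS back to the querying client match here.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound queries to the nameserver. Only protocol and destination port
    # are checked; the client's source port is left alone, so a query from
    # source port 137 (a NetBIOS host) is accepted like one from 40000.
    $IPTABLES -A FORWARD -i "$WAN" -d "$NS" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # TCP 53 carries zone transfers and responses too large for UDP
    # (truncated replies are retried over TCP). Restrict *who* may
    # transfer zones in named's allow-transfer, not in the packet filter.
    $IPTABLES -A FORWARD -i "$WAN" -d "$NS" -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT

    # Outbound queries from the nameserver (NOTIFY to secondaries, lookups
    # of other zones' servers); with an old BIND the source port may be 53,
    # which again does not matter because only --dport is matched.
    $IPTABLES -A FORWARD -o "$WAN" -s "$NS" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -o "$WAN" -s "$NS" -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT

    # Everything else aimed at the nameserver is logged (rate-limited so a
    # scan cannot flood syslog) and dropped.
    $IPTABLES -A FORWARD -d "$NS" -m limit --limit 5/min -j LOG --log-prefix "DNS-DROP: "
    $IPTABLES -A FORWARD -d "$NS" -j DROP
}

# Self-check helper: number of ACCEPT rules for port 53 the function emits
# (meaningful when IPTABLES is the default "echo iptables").
count_dns_accepts() {
    dns_rules | grep -- '--dport 53' | grep -c -- '-j ACCEPT'
}

dns_rules
```

Run it as-is to review the generated commands, then with `IPTABLES=iptables WAN=<interface> NS=<address>` to apply them; the LOG rule keeps the gateway's existing "log what does not match" behaviour for traffic to the nameserver without logging every accepted query.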
