[Dshield] DNS Firewalling: Back to basics

stephane nasdrovisky stephane.nasdrovisky at paradigmo.com
Thu Oct 28 16:16:57 GMT 2004


Commerco WebMaster wrote:

> I have recently been observing an increasing number of attempts to 
> access DNS by port ranges below 1024 to port 53 in the logs (e.g., 
> port 485 inbound to port 53 on the local DNS servers).  I have always 
> viewed such requests as problem requests.  In older (and I fear, 
> simpler) times, as I recall, we could presume the following general 
> matrix was true for both UDP and TCP DNS traffic:
>
> External Request Patterns (when the DNS question is for us)
> Expected Incoming Traffic port patterns:
> 53 -> 53 - OK
> GT 1023 -> 53 - OK
> Expected Outgoing Traffic port patterns:
> 53 -> 53 - OK
> 53 -> GT 1023 - OK
>
> Internal Request Patterns (when we ask the DNS question)
> Expected Incoming Traffic port patterns:
> 53 -> 53 - OK
> 53 -> GT 1023 - OK
> Expected Outgoing Traffic port patterns:
> 53 -> 53 - OK
> GT 1023 -> 53 - OK
>
> Everything else is suspect.
>
> Presuming I put together the matrix above properly, do these general 
> rules of thumb for DNS server firewalling still apply or did I miss a 
> memo? :-)

When using some NAT on some firewalls (i.e. Checkpoint's Firewall-1), 
source ports <1024 (i.e. 53) are NATted to some ports in the range 
500-800, so replacing gt 1023 by something like gt 499 would be fine for 
those requests.
The goal of this strange behaviour is to keep port <1024 (usually 
restricted to root) when the original port is <1024. (This happens when 
using hide NAT, which means when you want to have all your network 
behind a single IP, i.e. your firewall.)
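The port matrix from the original question and the hide-NAT relaxation from the reply, applied as a log check. This is an added example, not code from either poster; the "DIR PROTO src:port -> dst:port" log layout and the sample lines are constructed for illustration, and the 499 floor stands in for the 500-800 NAT range described above.

```python
import re

# Constructed sample firewall log lines (not from the post); the
# "DIR PROTO src:port -> dst:port" layout is an assumed format.
SAMPLE_LOG = """\
IN  UDP 203.0.113.5:53    -> 192.0.2.10:53
IN  UDP 203.0.113.7:40123 -> 192.0.2.10:53
IN  UDP 198.51.100.9:485  -> 192.0.2.10:53
IN  UDP 198.51.100.9:612  -> 192.0.2.10:53
IN  UDP 203.0.113.8:53    -> 192.0.2.10:33001
OUT UDP 192.0.2.10:53     -> 203.0.113.5:53
OUT UDP 192.0.2.10:1025   -> 203.0.113.9:53
IN  TCP 203.0.113.5:53    -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^(IN|OUT)\s+(UDP|TCP)\s+[\d.]+:(\d+)\s+->\s+[\d.]+:(\d+)$"
)
DNS = 53

def classify(sport, dport, ephemeral_floor=1023):
    """Port matrix from the post (identical for IN and OUT, so no
    direction argument): 53->53, 53->>floor (reply to a resolver's
    ephemeral port), >floor->53 (query from an ephemeral port).
    floor=1023 is the classic rule; floor=499 models hide NAT
    rewriting low source ports into 500-800."""
    if sport == DNS and (dport == DNS or dport > ephemeral_floor):
        return "OK"
    if sport > ephemeral_floor and dport == DNS:
        return "OK"
    return "SUSPECT"

def audit(log_text, ephemeral_floor=1023):
    """Return (line, verdict) per line; lines that do not match the
    format are reported as UNPARSED instead of being dropped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            results.append((line, "UNPARSED"))
            continue
        sport, dport = int(m.group(3)), int(m.group(4))
        results.append((line, classify(sport, dport, ephemeral_floor)))
    return results

if __name__ == "__main__":
    for floor in (1023, 499):
        print(f"--- ephemeral ports > {floor} ---")
        for line, verdict in audit(SAMPLE_LOG, floor):
            print(f"{verdict:8} {line}")
```

Note that the 485 -> 53 flow from the question stays suspect even under the relaxed floor, since 485 is not above 499, while the 612 -> 53 line is only accepted once hide NAT is assumed.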