Firewall Wizards mailing list archives
Re: Interesting DNS Traffic
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 1 Jun 1999 13:09:10 -0700
> However, I see DNS requests and WWW requests come in where the source port on the packet originates in the 800 range rather than the standard 1024-65535 range. Therefore the reply back is denied. Example. xxx.xxx.xxx.xxx (879) --> 204.253.83.10 (53) meaning a packet came in from the internet going to my DNS, however the source port of the packet was 879.
This means someone has an internal DNS server behind a Firewall-1 that is doing hide NAT, and you've broken his ability to do DNS lookups to your site. My opinion is that trying to derive any kind of security posture from source ports of machines you don't control is pointless. On the other hand, you aren't the only one to break FW-1 sites this way, so they'll eventually learn and change their DNS server to a static translation, and you'll see the traffic with a source port of 53.

Ryan
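The exchange above, as an added example that is not part of the original post or of any Check Point code: an internal resolver querying from source port 53 is pushed through a hide NAT, the peer's reply filter insists on a "normal" destination port, and the answer is dropped; a state table that matches the reply against the query it saw admits it whatever the port, and a static translation makes the problem disappear because port 53 is preserved. The addresses, the resolver host and the hide-NAT port ranges (ports below 1024 remapped into 600-1023, others into 10000-60000, as FW-1 hide mode is commonly described) are assumptions for the simulation; the post itself only shows the observed 800-range result.

```python
"""Added example: why a reply rule keyed on the peer's source port breaks
hosts behind a hide NAT, versus a filter that keeps connection state.
All hosts, addresses and NAT port ranges here are constructed/assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer a server sends back: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


MY_DNS = "204.253.83.10"  # the responding DNS server named in the post


class HideNat:
    """Many-to-one NAT. Assumed port mapping (not stated in the post):
    original source port < 1024 -> 600-1023, otherwise -> 10000-60000."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_low, self.next_high = 600, 10000
        self.table: dict[tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            if pkt.sport < 1024:
                self.table[key], self.next_low = self.next_low, self.next_low + 1
            else:
                self.table[key], self.next_high = self.next_high, self.next_high + 1
        return Packet(pkt.proto, self.public_ip, self.table[key], pkt.dst, pkt.dport)


class StaticNat:
    """One-to-one NAT: only the address is rewritten, the source port survives."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.public_ip, pkt.sport, pkt.dst, pkt.dport)


def stateless_reply_allowed(pkt: Packet) -> bool:
    """The kind of egress rule the original poster runs: a reply from our DNS
    server may only go to port 53 or to an 'ephemeral' port above 1023.
    A hide-NAT'd peer showing up on port 879 fails this test."""
    return (pkt.src == MY_DNS and pkt.sport == 53
            and (pkt.dport == 53 or pkt.dport > 1023))


class StatefulFilter:
    """Admit a reply only if it reverses a query already let in, whatever the
    peer's source port was; the port number itself carries no trust."""

    def __init__(self):
        self.pending: set[tuple[str, int]] = set()

    def inbound_query(self, pkt: Packet) -> bool:
        if pkt.dst == MY_DNS and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport))
            return True
        return False

    def outbound_reply(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport)
        if pkt.src == MY_DNS and pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)  # one reply per query
            return True
        return False


def run(nat) -> dict:
    """Constructed scenario: internal resolver 10.1.1.5 queries MY_DNS from
    source port 53 (the old server-to-server habit) through `nat`.
    Returns the source port seen on the wire and each filter's verdict."""
    inner = Packet("udp", "10.1.1.5", 53, MY_DNS, 53)
    on_wire = nat.outbound(inner)
    reply = on_wire.reply()
    stateful = StatefulFilter()
    stateful.inbound_query(on_wire)
    return {
        "seen_sport": on_wire.sport,
        "stateless_allows_reply": stateless_reply_allowed(reply),
        "stateful_allows_reply": stateful.outbound_reply(reply),
    }


if __name__ == "__main__":
    for name, nat in (("hide NAT", HideNat("198.51.100.7")),
                      ("static NAT", StaticNat("198.51.100.7"))):
        print(name, run(nat))
```

With the hide NAT the query arrives from a port in the 600-1023 range and the stateless rule discards the reply, which is exactly the symptom in the quoted report; the stateful filter answers it because it matches the query it just saw. With a static translation the source port stays 53 and both filters pass the reply, which is the "you'll see the traffic with a source port of 53" outcome Ryan predicts.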
Current thread:
- Re: Interesting DNS Traffic The Unicorn (Jun 01)
- <Possible follow-ups>
- Re: Interesting DNS Traffic Robert Graham (Jun 01)
- Re: Interesting DNS Traffic Joseph S D Yao (Jun 02)
- Re: Interesting DNS Traffic Andrew Fessler (Jun 01)
- Re: Interesting DNS Traffic Ryan Russell (Jun 02)
- Re: Interesting DNS Traffic David Gillett (Jun 03)
- Re: Interesting DNS Traffic Vern Paxson (Jun 02)
- Re: Interesting DNS Traffic -Reply Einar EINARSSON (Jun 02)
- Re: Interesting DNS Traffic -Reply Ge' Weijers (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Einar EINARSSON (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Ge' Weijers (Jun 04)
- Re: Interesting DNS Traffic -Reply John McDermott (Jun 03)
- Re: Interesting DNS Traffic -Reply Chris Calabrese (Jun 03)