Firewall Wizards mailing list archives

Re: Interesting DNS Traffic


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 1 Jun 1999 13:09:10 -0700




However, I see DNS requests and WWW requests come in where the source
port on the packet originates in the 800 range rather than the
standard 1024-65535 range. Therefore the reply back is denied.

Example.

xxx.xxx.xxx.xxx (879) -->   204.253.83.10 (53)

meaning a packet came in from the internet going to my DNS, however
the source port of the packet was 879.

This means someone has an internal DNS server behind a Firewall-1
that is doing hide NAT, and you've broken his ability to do DNS lookups
to your site.

My opinion is that trying to derive any kind of security posture from
source ports of machines you don't control is pointless.

On the other hand, you aren't the only one to break FW-1 sites
this way, so they'll eventually learn and change their DNS
server to a static translation, and you'll see the traffic
with a source port of 53.

                    Ryan
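The interaction Ryan describes, modelled as an added example (this is not code from the post, from Check Point, or from any firewall product): a hide-NAT gateway on the querying side rewrites the source port into a low pool, the DNS-server side's reply rule expects replies to go to port 53 or to 1024-65535 and drops the reply, while a filter that tracks the inbound request admits the reply regardless of port. The 600-1023 pool, the addresses 192.0.2.1 and 10.1.1.5, and the exact shape of the reply rule are assumptions chosen to match the mail's description ("in the 800 range"), not documented product behaviour. The static-translation case shows the fix the post predicts: the port is preserved, so the query arrives with source port 53.

```python
"""Hide NAT vs. a source-port reply rule: constructed model, not real firewall config."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the server sends back: addresses and ports reversed."""
        return Packet(self.dst, self.dport, self.src, self.sport)


# Assumed pool. The post only says the ports land "in the 800 range";
# 600-1023 is illustrative, not a documented Firewall-1 setting.
HIDE_NAT_POOL = range(600, 1024)


class HideNat:
    """Many-to-one NAT: all inside hosts appear as public_ip, source port from a pool."""

    def __init__(self, public_ip, pool=HIDE_NAT_POOL, seed=0):
        self.public_ip = public_ip
        self.free = list(pool)
        random.Random(seed).shuffle(self.free)   # deterministic for the example
        self.table = {}                          # public sport -> (inside ip, inside sport)

    def outbound(self, pkt):
        if not self.free:
            raise RuntimeError("hide-NAT pool exhausted")
        nat_port = self.free.pop()
        self.table[nat_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inside = self.table.get(pkt.dport)
        if inside is None:
            return None                          # no mapping: the gateway drops it
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


class StaticNat:
    """One-to-one NAT for a single inside host: only the address changes, ports survive."""

    def __init__(self, inside_ip, public_ip):
        self.inside_ip, self.public_ip = inside_ip, public_ip

    def outbound(self, pkt):
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        return Packet(pkt.src, pkt.sport, self.inside_ip, pkt.dport)


def stateless_dns_reply_allowed(reply):
    """The kind of rule the post describes on the DNS-server side:
    a reply from port 53 may only go to port 53 or to the 1024-65535 range."""
    return reply.sport == 53 and (reply.dport == 53 or 1024 <= reply.dport <= 65535)


class StatefulDnsFilter:
    """Admits a reply only if the matching request was seen coming in.
    The client's source port is recorded, never judged."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pending = set()

    def request_allowed(self, pkt):
        if pkt.dst == self.server_ip and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def reply_allowed(self, reply):
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        if key in self.pending:
            self.pending.remove(key)            # one reply per request
            return True
        return False


def run_scenario(client_nat, server="204.253.83.10"):
    """Inside DNS server 10.1.1.5 queries from port 53 (assumed), passes through
    client_nat, and the reply is judged by both filters on the server side."""
    query = Packet("10.1.1.5", 53, server, 53)
    on_wire = client_nat.outbound(query)
    reply = on_wire.reply()
    stateful = StatefulDnsFilter(server)
    stateful.request_allowed(on_wire)
    return {
        "wire_sport": on_wire.sport,
        "stateless_allows_reply": stateless_dns_reply_allowed(reply),
        "stateful_allows_reply": stateful.reply_allowed(reply),
        "nat_maps_reply_back": client_nat.inbound(reply) == query.reply(),
    }


if __name__ == "__main__":
    print("hide NAT:  ", run_scenario(HideNat("192.0.2.1")))
    print("static NAT:", run_scenario(StaticNat("10.1.1.5", "192.0.2.1")))
```

With hide NAT the query leaves with a source port from the 600-1023 pool, the range-based rule drops the reply, and the stateful filter passes it; with static translation the query arrives from port 53 and both rules pass it. The stateful filter also refuses a reply for which it saw no request, which is the property the source-port rule was trying, and failing, to approximate.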





