Firewall Wizards mailing list archives

Re: Interesting DNS Traffic -Reply


From: John McDermott <jjm () jkintl com>
Date: Thu, 3 Jun 99 08:37:29


--- On Wed, 02 Jun 1999 15:43:54 +0100  Einar EINARSSON 
<einar.einarsson () iea org> wrote:

Robert Graham <robert_david_graham () yahoo com>
5/31/99  11:38 pm >>>

The DNS traffic from low ports is somewhat normal, from
my own experience. I see LOTs of DNS traffic coming from
ports lower than 1024 from machines browsing our website.
Here are some example ports:

I thought DNS lookup 'was supposed' to use a random
source port above 1023. So why are some implementations
using a source port below 1023 and some above 1023?
I guess there is nothing stopping the programmer, but
wouldn't it be simpler, at least for those writing packet filters,
if this stuff was implemented a certain way and not the other?

I found Windows 95 to be regularly using "low" ports for DNS.

I am not a protocol lawyer, but:

From RFC 1122

  4.1.3.1  Ports

            UDP well-known ports follow the same rules as TCP well-known
            ports; see Section 4.2.2.1 below.
...
   4.2.2.1  Well-Known Ports: RFC-793 Section 2.7

            DISCUSSION:
                 TCP reserves port numbers in the range 0-255 for
                 "well-known" ports, used to access services that are
                 standardized across the Internet.  The remainder of the
                 port space can be freely allocated to application
                 processes.  Current well-known port definitions are
                 listed in the RFC entitled "Assigned Numbers"
                 [INTRO:6].  A prerequisite for defining a new well-
                 known port is an RFC documenting the proposed service
                 in enough detail to allow new implementations.

                 Some systems extend this notion by adding a third
                 subdivision of the TCP port space: reserved ports,
                 which are generally used for operating-system-specific
                 services.  For example, reserved ports might fall
                 between 256 and some system-dependent upper limit.
                 Some systems further choose to protect well-known and
                 reserved ports by permitting only privileged users to
                 open TCP connections with those port values.  This is
                 perfectly reasonable as long as the host does not
                 assume that all hosts protect their low-numbered ports
                 in this manner.

Also, I found no references to port usage (beyond 53) in 1123, 1035, 1035,
1535, or 1536.

Given the statement that "...the host does not assume that all hosts protect 
their low-numbered ports in this manner." I think humans and firewalls should 
follow that too, probably. IOW, this usage of low ports looks like legal 
behavior.


Einar

--john

-------------------------------------
Name: John McDermott
VOICE: +1 505/377-6293 FAX +1 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
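An added example, not from the thread or its authors, that models the packet-filter consequence of the RFC 1122 text quoted above: a stateless rule that assumes DNS clients use source ports above 1023 drops the low-port queries John and Robert describe, while a filter that matches on destination port 53 and tracks each query (so the reply is admitted by state, not by source-port guessing) does not. The resolver address and the traffic records are constructed for the example.

```python
import collections

# Constructed packet record (not from the thread): one UDP datagram.
Pkt = collections.namedtuple("Pkt", "src_ip src_port dst_ip dst_port")

RESOLVER = "192.0.2.53"  # hypothetical resolver address

# Constructed outbound queries; the low source ports mirror the Windows 95
# behaviour noted in the discussion. 10.0.0.9 is not DNS at all.
QUERIES = [
    Pkt("10.0.0.5", 1025, RESOLVER, 53),  # ordinary ephemeral port
    Pkt("10.0.0.7", 1018, RESOLVER, 53),  # low port, still a valid query
    Pkt("10.0.0.8", 53, RESOLVER, 53),    # 53 -> 53, also seen in the wild
    Pkt("10.0.0.9", 1030, RESOLVER, 80),  # not DNS, should never match
]

def naive_allow(p):
    """Stateless rule that assumes clients use 'unprivileged' ports > 1023.
    RFC 1122 4.2.2.1 says a host must not assume others protect low ports."""
    return p.dst_port == 53 and p.src_port > 1023

class StatefulDnsFilter:
    """Match on the destination port only and remember each query so the
    reply can be admitted regardless of which source port the client chose."""
    def __init__(self):
        self.pending = set()

    def outbound(self, p):
        if p.dst_port != 53:
            return False
        self.pending.add((p.src_ip, p.src_port, p.dst_ip))
        return True

    def inbound(self, p):
        # A reply must come from port 53 and answer a query we saw go out;
        # anything else from port 53 (unsolicited or duplicate) is dropped.
        key = (p.dst_ip, p.dst_port, p.src_ip)
        if p.src_port == 53 and key in self.pending:
            self.pending.discard(key)
            return True
        return False

def compare(queries=QUERIES):
    """Return (naive_allowed, stateful_allowed) source IPs for the sample."""
    fw = StatefulDnsFilter()
    naive = [q.src_ip for q in queries if naive_allow(q)]
    stateful = [q.src_ip for q in queries if fw.outbound(q)]
    return naive, stateful
```

With the sample traffic the naive rule passes only the 10.0.0.5 query, whereas the stateful filter passes all three DNS queries and still rejects a port-53 datagram that answers nothing it saw go out.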