Firewall Wizards mailing list archives
Re: Interesting DNS Traffic -Reply
From: John McDermott <jjm () jkintl com>
Date: Thu, 3 Jun 99 08:37:29
--- On Wed, 02 Jun 1999 15:43:54 +0100 Einar EINARSSON <einar.einarsson () iea org> wrote:
> >>> Robert Graham <robert_david_graham () yahoo com> 5/31/99 11:38 pm >>>
> > The DNS traffic from low ports is somewhat normal, from my own experience. I see LOTs of DNS traffic coming from ports lower than 1024 from machines browsing our website. Here are some example ports:
>
> I thought DNS lookup 'was supposed' to use a random source port above 1023. So why are some implementations using a source port below 1023 and some above 1023? I guess there is nothing stopping the programmer, but wouldn't it be simpler, at least for those writing packet filters, if this stuff was implemented a certain way and not the other?
I found Windows 95 to be regularly using "low" ports for DNS. I am not a protocol lawyer, but:
From RFC 1122
   4.1.3.1 Ports

      UDP well-known ports follow the same rules as TCP well-known ports; see Section 4.2.2.1 below.

   ...

   4.2.2.1 Well-Known Ports: RFC-793 Section 2.7

      DISCUSSION:
      TCP reserves port numbers in the range 0-255 for "well-known" ports, used to access services that are standardized across the Internet. The remainder of the port space can be freely allocated to application processes. Current well-known port definitions are listed in the RFC entitled "Assigned Numbers" [INTRO:6]. A prerequisite for defining a new well-known port is an RFC documenting the proposed service in enough detail to allow new implementations.

      Some systems extend this notion by adding a third subdivision of the TCP port space: reserved ports, which are generally used for operating-system-specific services. For example, reserved ports might fall between 256 and some system-dependent upper limit.

      Some systems further choose to protect well-known and reserved ports by permitting only privileged users to open TCP connections with those port values. This is perfectly reasonable as long as the host does not assume that all hosts protect their low-numbered ports in this manner.

Also, I found no references to port usage (beyond 53) in 1123, 1035, 1035, 1535, or 1536. Given the statement that "...the host does not assume that all hosts protect their low-numbered ports in this manner." I think humans and firewalls should follow that too, probably. IOW, this usage of low ports looks like legal behavior.
> Einar
--john
-------------------------------------
Name: John McDermott
VOICE: +1 505/377-6293
FAX: +1 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
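An added example, not from this thread or from any of its posters, of the packet-filter consequence Einar asks about: a pair of static rules written on the belief that DNS clients always query from a source port above 1023, beside a stateful filter that keys on whatever source port the query actually used. The inside prefix, the log layout and every log line are constructed for illustration (the two low source ports stand in for the Windows 95 behaviour John reports); the unsolicited reply on the last line goes one step past the thread to show what the static rule admits as well as what it blocks.

```python
import re
from dataclasses import dataclass

# Assumption: hosts in this prefix are the clients behind the filter.
INSIDE_NET = "10.1.1."
DNS_PORT = 53
EPHEMERAL_MIN = 1024  # the ">1023" assumption the thread is questioning


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "query" or "response"


# Constructed sample traffic in a simplified tcpdump-like layout
# (assumption: "src.port > dst.port: udp query|response ...").
# Lines 3 and 5 mimic queries sent from low source ports;
# line 7 is a reply nobody asked for.
SAMPLE_TRAFFIC = [
    "10.1.1.5.1029 > 192.0.2.53.53: udp query www.example.com",
    "192.0.2.53.53 > 10.1.1.5.1029: udp response",
    "10.1.1.7.137 > 192.0.2.53.53: udp query ftp.example.com",
    "192.0.2.53.53 > 10.1.1.7.137: udp response",
    "10.1.1.9.53 > 192.0.2.53.53: udp query mail.example.com",
    "192.0.2.53.53 > 10.1.1.9.53: udp response",
    "192.0.2.53.53 > 10.1.1.7.1500: udp response",
]

LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): udp (query|response)")


def parse(line):
    """Turn one constructed log line into a Packet."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5))


def is_outbound(p):
    return p.src.startswith(INSIDE_NET)


def stateless_filter(packets):
    """Two static rules that bake in the 'clients use ports > 1023' belief:
    out: inside:>1023 -> any:53      in: any:53 -> inside:>1023
    Returns a list of (Packet, verdict)."""
    verdicts = []
    for p in packets:
        if is_outbound(p):
            ok = p.dport == DNS_PORT and p.sport >= EPHEMERAL_MIN
        else:
            ok = p.sport == DNS_PORT and p.dport >= EPHEMERAL_MIN
        verdicts.append((p, "allow" if ok else "drop"))
    return verdicts


def stateful_filter(packets):
    """Remember each outbound query's (client, port, server) and let a reply
    in only if it answers one of them, whatever port the client chose."""
    pending = set()
    verdicts = []
    for p in packets:
        if is_outbound(p) and p.dport == DNS_PORT:
            pending.add((p.src, p.sport, p.dst))
            ok = True
        elif not is_outbound(p) and p.sport == DNS_PORT:
            key = (p.dst, p.dport, p.src)
            ok = key in pending
            if ok:
                pending.discard(key)  # one reply per query
        else:
            ok = False
        verdicts.append((p, "allow" if ok else "drop"))
    return verdicts


def verdicts_for(filter_fn, lines=SAMPLE_TRAFFIC):
    """Run a filter over the log lines and return just the verdict per line."""
    return [v for _, v in filter_fn([parse(l) for l in lines])]


if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(f"--- {name} ---")
        for line, verdict in zip(SAMPLE_TRAFFIC, verdicts_for(fn)):
            print(f"{verdict:5s}  {line}")
```

Run stand-alone it prints one verdict per line for each filter: the static rules drop both the query and the reply for the two low-port clients yet admit the unsolicited reply to port 1500, while the stateful filter passes every legitimate exchange and drops only the reply that matches no query. That is the practical reading of the RFC 1122 wording John quotes: a filter may not assume that every host keeps its low ports for privileged services.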