Re: Interesting DNS Traffic -Reply
John McDermott (jjm@jkintl.com)
Thu, 3 Jun 99 08:37:29
- Next message: MIKE SHAW: "Re: Firewall RISKS"
- Previous message: Andrew Gilbert: "Re: Firewall RISKS"
- Maybe in reply to: Robert Graham: "Firewall RISKS"
--- On Wed, 02 Jun 1999 15:43:54 +0100 Einar EINARSSON <einar.einarsson@iea.org> wrote:
>>>> Robert Graham <robert_david_graham@yahoo.com> 5/31/99 11:38 pm >>>
>
>>The DNS traffic from low ports is somewhat normal, from
>>my own experience. I see LOTs of DNS traffic coming from
>>ports lower than 1024 from machines browsing our website.
>>Here are some example ports:
>
>I thought DNS lookup 'was supposed' to use a random
>source port above 1023. So why are some implementations
>using a source port below 1023 and some above 1023?
>I guess there is nothing stopping the programmer, but
>wouldn't it be simpler, at least for those writing packet filters,
>if this stuff was implemented a certain way and not the other?
I found Windows 95 to be regularly using "low" ports for DNS.
I am not a protocol lawyer, but:
From RFC 1122:
4.1.3.1 Ports
UDP well-known ports follow the same rules as TCP well-known
ports; see Section 4.2.2.1 below.
...
4.2.2.1 Well-Known Ports: RFC-793 Section 2.7
DISCUSSION:
TCP reserves port numbers in the range 0-255 for
"well-known" ports, used to access services that are
standardized across the Internet. The remainder of the
port space can be freely allocated to application
processes. Current well-known port definitions are
listed in the RFC entitled "Assigned Numbers"
[INTRO:6]. A prerequisite for defining a new well-
known port is an RFC documenting the proposed service
in enough detail to allow new implementations.
Some systems extend this notion by adding a third
subdivision of the TCP port space: reserved ports,
which are generally used for operating-system-specific
services. For example, reserved ports might fall
between 256 and some system-dependent upper limit.
Some systems further choose to protect well-known and
reserved ports by permitting only privileged users to
open TCP connections with those port values. This is
perfectly reasonable as long as the host does not
assume that all hosts protect their low-numbered ports
in this manner.
Also, I found no references to port usage (beyond 53) in 1123, 1035, 1035,
1535, or 1536.
Given the statement that "...the host does not assume that all hosts protect
their low-numbered ports in this manner." I think humans and firewalls should
follow that too, probably. IOW, this usage of low ports looks like legal
behavior.
>
>Einar
>
>
--john
-------------------------------------
Name: John McDermott
VOICE: +1 505/377-6293 FAX +1 505/377-6313
E-mail: John McDermott <jjm@jkintl.com>
Writer and Computer Consultant
-------------------------------------
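Added example, not part of the original thread: a small Python parser over constructed tcpdump-style lines that buckets DNS queries by source-port class and lists the ones a packet filter written as "permit udp from source port > 1023 to port 53" would drop. The capture lines, addresses and the rule wording are assumptions for illustration; only the 1024 boundary and the low-port DNS behaviour come from the discussion above.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not real captures): outbound DNS queries
# plus one unrelated TCP SYN so the parser has something to ignore.
SAMPLE_LINES = """\
08:37:01.100 192.0.2.12.137 > 192.0.2.53.53: 1+ A? www.example.com. (32)
08:37:01.250 192.0.2.10.1037 > 192.0.2.53.53: 2+ A? www.example.net. (32)
08:37:02.010 192.0.2.11.56123 > 192.0.2.53.53: 3+ A? www.example.org. (32)
08:37:02.300 192.0.2.13.1023 > 192.0.2.53.53: 4+ A? ftp.example.com. (32)
08:37:03.000 192.0.2.14.1037 > 192.0.2.80.80: S 1:1(0) win 8192
""".splitlines()

# "host.port > host.port:" as old tcpdump prints it; the trailing payload is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return src/sport/dst/dport for one capture line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def classify_dns_queries(lines):
    """Count DNS queries (dst port 53) by source-port class; also return the low-port ones."""
    counts = Counter()
    low = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != 53:
            continue
        if pkt["sport"] < 1024:           # privileged range per RFC 1122 discussion
            counts["low(<1024)"] += 1
            low.append((pkt["src"], pkt["sport"]))
        else:
            counts["ephemeral(>1023)"] += 1
    return counts, low

def dropped_by_strict_rule(lines):
    """DNS queries a rule 'permit udp any gt 1023 -> any eq 53' would silently drop."""
    _, low = classify_dns_queries(lines)
    return low
```

Matching the outbound rule on destination port 53 alone (or keeping UDP state) admits the same queries without depending on the client's choice of source port.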
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT