Subject: Re: W2K DNS port usage changes
From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Mar 21 2000 - 17:11:42 CST


Firstly, I apologize for not being clearer, I am referring to the source
port used by a W2K DNS Server to do DNS STD QRY lookups.

Numerous people have pointed out that this has been implemented in Bind
since early versions of Bind8. Marc Slemko <marcsznep.com> provided this
reference from the named.conf man page of 8.2.2:

----
If the server doesn't know the answer to a question, it will query other
nameservers.  query-source specifies the address and port used for
such queries.  If address is * or is omitted, a wildcard IP address
(INADDR_ANY) will be used.  If port is * or is omitted, a random unprivileged
port will be used.  The default is
       query-source address * port *;
----

Jeff Deitz <JeffDVSP.com> pointed me to this little tidbit in RFC2181 "Clarifications to the DNS Specification".

----
4.2. Port Number Selection

Replies to all queries must be directed to the port from which they were sent. When queries are received via TCP this is an inherent part of the transport protocol. For queries received by UDP the server must take note of the source port and use that as the destination port in the response. Replies should always be sent from the port to which they were directed. Except in extraordinary circumstances, this will be the well known port assigned for DNS queries [RFC1700].
----

And Alan Ramsbottom <ACRals.co.uk> pointed out that he first noticed this same behavior in NT 4.0 SP4 when he added a second IP address to a box already functioning as a DNS server. When the second IP address was added, DNS started using random high ports; when it was removed, it reverted to UDP 53 (or a port specified by the SendOnNonDNSPort registry parameter).

Note:

I apologize for not being up on Cisco IOS existing capabilities in recent versions. Reflexive ACLs are part of the base IOS (i.e. they do not require you to purchase the IOS Firewall software), so could be deemed as widely available (granted, they must have upgraded if they have an older router, or be able to upgrade, something I personally am not able to do). This is no small fact. These capabilities, albeit not perfect, can certainly be used to handle the issues I mentioned.

From RFC2181, it would appear that recent Bind implementations disagree with it...as does W2K. Since both default to using ports deemed usable only in "extraordinary circumstances", someone should revise the RFC.

Chris Brenton's statement:

>IMHO this is a firewall problem, not a Win2K problem. If you are using a
>decent perimeter security device, this is a non-issue.

...is like saying that nobody needs paper road maps any more since OnStar (or similar GPS-based immediate response systems in cars) now exist.

Despite their rather obvious value, reflexive ACLs are time-based windows of opportunity. There's a difference between them and restricting traffic to and from a single specifically designated port.

Cheers, Russ - NTBugtraq Editor
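The following is an added example, not part of Russ's post or of any Cisco, Microsoft or ISC code. It models the two filtering approaches the thread contrasts for a DNS server that sends its own recursive queries: a static rule that admits inbound UDP only to the well known port 53 (RFC 2181 section 4.2), and a reflexive rule that admits only replies to a query the firewall saw leave, and only inside a time window. The IP addresses, ports, the fixed 30-second timeout and the class and function names are all constructed for illustration; a real reflexive ACL's timeout semantics will differ.

```python
# Added example (not from the original NTBugtraq post): a toy model of a
# static port-53 rule versus a reflexive (stateful, time-limited) rule in
# front of a DNS server that issues its own recursive queries.
# Addresses, ports and the timeout are constructed for illustration.
from dataclasses import dataclass

DNS_PORT = 53
SERVER_IP = "192.0.2.53"      # constructed: our DNS server
UPSTREAM_IP = "198.51.100.1"  # constructed: upstream name server we query


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticPort53Filter:
    """Inbound UDP reaches the server only if addressed to port 53."""

    def observe_outbound(self, pkt, now):
        pass  # stateless: outbound traffic leaves no trace

    def inbound_allowed(self, pkt, now):
        return pkt.dst_ip == SERVER_IP and pkt.dst_port == DNS_PORT


class ReflexiveFilter:
    """Reflexive ACL model (hypothetical semantics): each outbound datagram
    opens a return entry for the mirrored 4-tuple that expires `timeout`
    seconds after the last matching outbound packet."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}  # mirrored 4-tuple -> expiry time

    def observe_outbound(self, pkt, now):
        mirrored = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.entries[mirrored] = now + self.timeout

    def inbound_allowed(self, pkt, now):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        expiry = self.entries.get(key)
        if expiry is None:
            return False           # nothing solicited this datagram
        if now > expiry:
            del self.entries[key]  # the window has closed
            return False
        return True


def reply_admitted(fw, query_src_port, reply_delay):
    """The server sends a recursive query to UPSTREAM_IP:53 from
    query_src_port at t=0; the reply arrives reply_delay seconds later,
    addressed (per RFC 2181 4.2) back to the port the query came from."""
    query = Packet(SERVER_IP, query_src_port, UPSTREAM_IP, DNS_PORT)
    fw.observe_outbound(query, now=0.0)
    reply = Packet(UPSTREAM_IP, DNS_PORT, SERVER_IP, query_src_port)
    return fw.inbound_allowed(reply, now=reply_delay)


def unsolicited_admitted(fw):
    """An inbound datagram to the server's port 53 that no query solicited."""
    stray = Packet("203.0.113.9", 4444, SERVER_IP, DNS_PORT)  # constructed
    return fw.inbound_allowed(stray, now=0.0)


def compare(random_port=34567, timeout=30.0):
    """Run each scenario against a fresh instance of both filters.
    Returns {scenario name: (static result, reflexive result)}."""
    cases = {
        "query from port 53, reply in 1s":
            lambda fw: reply_admitted(fw, DNS_PORT, 1.0),
        "query from random port, reply in 1s":
            lambda fw: reply_admitted(fw, random_port, 1.0),
        "query from random port, reply after window":
            lambda fw: reply_admitted(fw, random_port, timeout + 1.0),
        "unsolicited datagram to port 53":
            unsolicited_admitted,
    }
    return {name: (fn(StaticPort53Filter()), fn(ReflexiveFilter(timeout)))
            for name, fn in cases.items()}


if __name__ == "__main__":
    for name, (static_ok, reflexive_ok) in compare().items():
        print(f"{name:45s} static: {static_ok!s:5s} reflexive: {reflexive_ok}")
```

Run the module directly to see the table. The two middle rows are the crux of the thread: a server that sends queries from a random unprivileged port (BIND's default, W2K's behaviour) gets no replies through a static port-53 rule, and a reflexive rule lets them through only until its window expires. The last row shows the trade-off in the other direction: the static rule cannot tell a solicited reply from an unsolicited datagram aimed at port 53, which is the point behind "this is a firewall problem".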