Subject: Re: W2K DNS port usage changes
From: Marc Slemko (marcsZNEP.COM)
Date: Tue Mar 21 2000 - 16:29:11 CST


On Tue, 21 Mar 2000, Russ wrote:

> Windows 2000 Server or Advanced Server DNS Service uses dynamic UDP ports
> (above 1023) for all standard query messages.
>
> For a W2K DNS server which is facing the Internet (acting as primary for
> zones, or performing root server lookups for client requests) being
> protected (at least in part) by router Access Control Lists (ACLs), it must
> now permit unrestricted UDP inbound access to any high UDP port on the W2K
> DNS box in order for it to work.

Current versions of BIND default to the same behaviour. From the
8.2.2 named.conf man page:

       If the server doesn't know the answer to a question, it will query
       other nameservers. query-source specifies the address and port used
       for such queries. If address is * or is omitted, a wildcard IP address
       (INADDR_ANY) will be used. If port is * or is omitted, a random
       unprivileged port will be used. The default is
             query-source address * port *;

Using a random source port for queries actually improves security a fair
bit by adding that much more to be guessed to be able to spoof replies.
If you send all queries out on port 53, then spoofing replies to the
server is a lot easier because you already know what port to send them to,
and the other info you need is all too easy to guess or predict in many
cases.

But yes, it would be wise for them to have a working knob to change the
behaviour. But the default is not only fine, but good.
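As an added example (not part of the original post or of BIND itself), a small Python audit that reads the `query-source` option the way the quoted man page describes it and reports how much an off-path forger must match before a reply is accepted; the named.conf fragments are constructed.

```python
import math
import re

# Constructed named.conf fragments for this example (not from the original post).
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
};
"""
DEFAULT_CONF = """
options {
    directory "/var/named";
    query-source address * port *;
};
"""
IMPLICIT_CONF = """
options {
    directory "/var/named";
};
"""

# Matches the option as documented: both the 'address' and 'port' clauses are optional.
QUERY_SOURCE_RE = re.compile(
    r"query-source\s+(?:address\s+(?P<addr>\S+)\s*)?(?:port\s+(?P<port>\S+))?\s*;"
)

def query_source_port(conf: str) -> str:
    """Return the effective query-source port; '*' means a random unprivileged port."""
    # Man page: a missing option or a missing 'port' clause means '*'.
    m = QUERY_SOURCE_RE.search(conf)
    if m is None or m.group("port") is None:
        return "*"
    return m.group("port")

def reply_guess_bits(port: str) -> float:
    """Bits an off-path forger must match: the 16-bit TXID, plus the UDP port when random."""
    # Assumes a uniformly random TXID (the post notes it is often predictable)
    # and that '*' draws uniformly from the 64512 unprivileged ports.
    txid_space = 1 << 16
    port_space = 65536 - 1024 if port == "*" else 1
    return math.log2(txid_space * port_space)

def audit(conf: str) -> dict:
    """Flag a fixed query-source port as weakening reply validation."""
    port = query_source_port(conf)
    finding = None if port == "*" else f"fixed query-source port {port}: a forged reply need only match the TXID"
    return {"port": port, "bits": round(reply_guess_bits(port), 1), "finding": finding}
```

The implicit and explicit `port *` configurations audit identically, matching the man page's statement that omitting the option selects a random port.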