Named drops those ports as they can be used in reflection attacks. Sane NAT developers avoid those ports for just that reason. The full list is below.
static int ns_client_dropport(in_port_t port) { switch (port) { case 7: /* echo */ case 13: /* daytime */ case 19: /* chargen */ case 37: /* time */ return (DROPPORT_REQUEST); case 464: /* kpasswd */ return (DROPPORT_RESPONSE); } return (DROPPORT_NO); } > On 8 Jun 2019, at 7:56 am, Blake Hudson <bl...@ispn.net> wrote: > > Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but have > also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated from > specific privileged source ports but not others? > > Example: > > [root@ns ~]# dig +short -b 127.0.0.1 @localhost google.com > 172.217.6.110 > [root@ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com > 172.217.6.110 > [root@ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com > 172.217.6.110 > [root@ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com > ;; connection timed out; no servers could be reached > [root@ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com > 172.217.6.110 > [root@ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com > ;; connection timed out; no servers could be reached > > > While it would be ideal for clients to use source port randomization and > initiate queries from random ephemeral ports, I don't control all the clients > or the NAT routers in between the client and the server. Queries using a > source port of 13 and 19 are dropped while queries from port 10000, 50, and > 14 are answered. This has been confirmed via a network capture as well. I > checked the ARM, but didn't see what knob(s) I could tweak to control this > behavior. Anyone know? > > Thanks, > --Blake > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users