Named drops those ports as they can be used in reflection attacks.
Sane NAT developers avoid those ports for just that reason.  The
full list is below.

#include <netinet/in.h>   /* in_port_t */

/* Return values; assumed to match the defines in BIND's client.c. */
#define DROPPORT_NO       0   /* don't drop */
#define DROPPORT_REQUEST  1   /* drop requests sourced from this port */
#define DROPPORT_RESPONSE 2   /* drop (error) responses to this port */

/* Classify a peer port that named should not exchange packets with. */
static int
ns_client_dropport(in_port_t port) {
        switch (port) {
        case 7: /* echo */
        case 13: /* daytime */
        case 19: /* chargen */
        case 37: /* time */
                return (DROPPORT_REQUEST);
        case 464: /* kpasswd */
                return (DROPPORT_RESPONSE);
        }
        return (DROPPORT_NO);
}


> On 8 Jun 2019, at 7:56 am, Blake Hudson <bl...@ispn.net> wrote:
> 
> Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but have 
> also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated from 
> specific privileged source ports but not others?
> 
> Example:
> 
> [root@ns ~]# dig +short -b 127.0.0.1 @localhost google.com
> 172.217.6.110
> [root@ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com
> 172.217.6.110
> [root@ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com
> 172.217.6.110
> [root@ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com
> ;; connection timed out; no servers could be reached
> [root@ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com
> 172.217.6.110
> [root@ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com
> ;; connection timed out; no servers could be reached
> 
> 
> While it would be ideal for clients to use source port randomization and 
> initiate queries from random ephemeral ports, I don't control all the clients 
> or the NAT routers in between the client and the server. Queries using a 
> source port of 13 and 19 are dropped while queries from port 10000, 50, and 
> 14 are answered. This has been confirmed via a network capture as well. I 
> checked the ARM, but didn't see what knob(s) I could tweak to control this 
> behavior. Anyone know?
> 
> Thanks,
> --Blake
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
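A way to check your own resolver for this behaviour, generalising the dig -b test from the original question over every port ns_client_dropport() lists plus a few control ports. This is an added example, not from the thread or from BIND; it assumes dig is installed and that you run it as root so dig can bind source ports below 1024.

```shell
#!/bin/sh
# Added example, not from the thread: report which source ports a resolver
# silently ignores, using the same dig -b technique as the original question.
# Assumes dig is installed; binding a source port below 1024 requires root.

# Map one dig run's output to "dropped" (no answer arrived), "error"
# (dig could not bind the port) or "answered".
classify_dig_output() {
    case "$1" in
        *"permission denied"*) echo error ;;
        *"connection timed out"*|*"no servers could be reached"*) echo dropped ;;
        *) echo answered ;;
    esac
}

# Send one query to $1 (resolver) from source address $2 and source port $3.
# +tries=1 and a short +time keep a dropped query from stalling the loop.
probe_port() {
    out=$(dig +short +time=2 +tries=1 -b "$2#$3" "@$1" example.com 2>&1)
    classify_dig_output "$out"
}

# Ports from ns_client_dropport() (7 13 19 37 464) plus control ports that
# the question showed being answered (14 50 10000).
run_probe() {
    resolver=${1:-localhost}
    src=${2:-127.0.0.1}
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    for port in 7 13 19 37 464 14 50 10000; do
        printf '%-6s %s\n' "$port" "$(probe_port "$resolver" "$src" "$port")"
    done
}
```

Run it as `run_probe <resolver> <source-address>`; a line reading "dropped" for 13 or 19 and "answered" for 14 and 50 reproduces the behaviour discussed above.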
