Thank you Mark. A popular NAT appliance manufacturer has some logic that
attempts to keep the translated source port close to the untranslated
source port which can sometimes result in the behavior I've described
where DNS queries use the well known source port of protocols that are
abuse prone:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/nat-basics.html#ID-2090-00000438
I don't see a configuration option within BIND to change that behavior,
just a BIND compile time option (which I probably won't change since
software and upgrades are managed via yum/apt). I will look for another
avenue to resolve this issue.
--Blake
Mark Andrews wrote on 6/7/2019 9:44 PM:
Named drops those ports as they can be used in reflection attacks.
Sane NAT developers avoid those ports for just that reason. The
full list is below.
static int
ns_client_dropport(in_port_t port) {
switch (port) {
case 7: /* echo */
case 13: /* daytime */
case 19: /* chargen */
case 37: /* time */
return (DROPPORT_REQUEST);
case 464: /* kpasswd */
return (DROPPORT_RESPONSE);
}
return (DROPPORT_NO);
}
On 8 Jun 2019, at 7:56 am, Blake Hudson <bl...@ispn.net> wrote:
Can someone explain why BIND (I'm using bind-9.9.4-73.el7_6.x86_64 but have
also tried 9.10.3-P4-Ubuntu) seems to ignore DNS queries initiated from
specific privileged source ports but not others?
Example:
[root@ns ~]# dig +short -b 127.0.0.1 @localhost google.com
172.217.6.110
[root@ns ~]# dig +short -b 127.0.0.1#10000 @localhost google.com
172.217.6.110
[root@ns ~]# dig +short -b 127.0.0.1#50 @localhost google.com
172.217.6.110
[root@ns ~]# dig +short -b 127.0.0.1#19 @localhost google.com
;; connection timed out; no servers could be reached
[root@ns ~]# dig +short -b 127.0.0.1#14 @localhost google.com
172.217.6.110
[root@ns ~]# dig +short -b 127.0.0.1#13 @localhost google.com
;; connection timed out; no servers could be reached
While it would be ideal for clients to use source port randomization and
initiate queries from random ephemeral ports, I don't control all the clients
or the NAT routers in between the client and the server. Queries using a source
port of 13 and 19 are dropped while queries from port 10000, 50, and 14 are
answered. This has been confirmed via a network capture as well. I checked the
ARM, but didn't see what knob(s) I could tweak to control this behavior. Anyone
know?
Thanks,
--Blake
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
