On Sun, 8 Jul 2001, Security wrote:
> Hi all,
>
> I just wanted to confirm or deny:
>
> When DNS is doing a large query or a zone transfer are the packets
> sourced from port 53 with obviously a destination port of 53?
No, the source port can vary. Don't forget that if UDP isn't working, DNS
is supposed to try TCP as well - that's not a normal situation these days,
but it's the third legitimate use of TCP for DNS.
Note that the query-source option in BIND applies *only* to UDP queries'
addresses and/or ports. TCP queries still use any IP address and a random
high source port. With transfer-source, you only get to specify an
address not a port.
The good news is that with TCP, you at least get transport layer state,
so if you're doing firewall rules for an internal caching-only nameserver
to talk to an external nameserver, you only need to let established TCP
connections back in.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
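The behaviour Paul describes, as an added example that is not part of the original post: a toy stateful filter for a caching-only resolver that only accepts UDP replies to the configured query-source port, allows outbound TCP from any high port, and lets inbound TCP back in only when it matches a connection the resolver opened. Addresses, the query-source port of 53, and the packet samples are constructed for the example.

```python
"""Toy stateful filter modelling firewall rules for a caching-only resolver.

All values below are constructed for this example: INTERNAL_NS is the
internal caching nameserver, EXTERNAL_NS the upstream server it may talk to,
and QUERY_SOURCE_PORT assumes BIND's query-source option is set to port 53
(which, as the post notes, affects UDP only).
"""
from dataclasses import dataclass

INTERNAL_NS = "10.0.0.53"        # constructed
EXTERNAL_NS = "192.0.2.53"       # constructed (TEST-NET-1)
QUERY_SOURCE_PORT = 53           # assumed BIND query-source port (UDP only)


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set
    ack: bool = False   # TCP ACK set


class DnsFirewall:
    """Stateless for UDP, connection-tracking for TCP."""

    def __init__(self):
        # Outbound TCP flows the resolver opened: (src, sport, dst, dport)
        self.tcp_state = set()

    def check(self, pkt):
        outbound = pkt.src == INTERNAL_NS and pkt.dst == EXTERNAL_NS
        inbound = pkt.src == EXTERNAL_NS and pkt.dst == INTERNAL_NS

        if pkt.proto == "udp":
            # UDP has no transport state, so the reply rule must pin the port.
            if outbound and pkt.sport == QUERY_SOURCE_PORT and pkt.dport == 53:
                return "ACCEPT"
            if inbound and pkt.sport == 53 and pkt.dport == QUERY_SOURCE_PORT:
                return "ACCEPT"
            return "DROP"

        if pkt.proto == "tcp":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if outbound and pkt.dport == 53:
                # Any high source port is fine; a new SYN records the flow.
                if pkt.syn and not pkt.ack:
                    self.tcp_state.add(key)
                    return "ACCEPT"
                return "ACCEPT" if key in self.tcp_state else "DROP"
            if inbound:
                reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
                # Only packets belonging to an established flow come back in,
                # regardless of whether the remote side used source port 53.
                return "ACCEPT" if reverse in self.tcp_state else "DROP"
            return "DROP"

        return "DROP"


def run_sample():
    """Push a constructed packet sequence through the filter."""
    fw = DnsFirewall()
    packets = [
        Packet("udp", INTERNAL_NS, 53, EXTERNAL_NS, 53),                  # UDP query out
        Packet("udp", EXTERNAL_NS, 53, INTERNAL_NS, 53),                  # UDP reply in
        Packet("tcp", INTERNAL_NS, 34567, EXTERNAL_NS, 53, syn=True),     # TCP retry, high port
        Packet("tcp", EXTERNAL_NS, 53, INTERNAL_NS, 34567, syn=True, ack=True),  # SYN/ACK back
        Packet("tcp", EXTERNAL_NS, 53, INTERNAL_NS, 53, syn=True),        # unsolicited 53->53
        Packet("tcp", EXTERNAL_NS, 53, INTERNAL_NS, 40000, ack=True),     # no matching flow
        Packet("udp", EXTERNAL_NS, 53, INTERNAL_NS, 1025),                # reply to wrong port
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The fifth packet is the case the original question assumed (port 53 to port 53): it is dropped because no outbound TCP connection matches it, which is exactly the state check that real firewalls get for free on TCP and cannot have for UDP.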