From scanning firewall logs, I've noticed that some dns
resolvers (or attackers) are using ports below 1024 when
talking to a dns server. I've seen packets coming from
ports 646, 665, 727, 737, 744, 904, and 960. These are
a very small percentage of total dns queries however.
This issue is important to me because I teach both dns
and firewall courses. Normally, I would suggest to students
that they block all ports below 1024 (except 53) for packets
sent to the dns server. Now, this data makes me wonder if
we're turning away good guys or bad guys.
What's the official position on resolvers and ephemeral ports?
Ed Sawicki
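Added example, not part of the original message: a small Python triage script over constructed netfilter-style firewall log lines (the constructed lines reuse some of the source ports listed above) that counts queries to the DNS server by source-port class and lists exactly which packets the proposed "block everything below 1024 except 53" rule would drop, so the question above can be answered with numbers before changing the ruleset.

```python
import re
from collections import Counter

# Constructed netfilter-style log lines (not from the original post); the
# source ports below 1024 are among those the poster observed.
LOG_LINES = """\
Feb  3 10:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.53 PROTO=UDP SPT=646 DPT=53 LEN=44
Feb  3 10:01:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 PROTO=UDP SPT=33412 DPT=53 LEN=52
Feb  3 10:01:14 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=53 DPT=53 LEN=48
Feb  3 10:01:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.53 PROTO=UDP SPT=960 DPT=53 LEN=44
Feb  3 10:01:16 fw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.53 PROTO=TCP SPT=49152 DPT=53 LEN=60
Feb  3 10:01:17 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53 LEN=52
Feb  3 10:01:18 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.80 PROTO=TCP SPT=80 DPT=443 LEN=60
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify_sport(sport):
    """Bucket a source port the way the proposed firewall rule would see it."""
    if sport == 53:
        return "port53"        # resolver querying from port 53, explicitly allowed
    if sport < 1024:
        return "privileged"    # the cases noticed in the post (646, 665, ...)
    return "ephemeral"         # ordinary client-side source port range


def summarize_dns_queries(lines):
    """Count packets sent to DPT=53 by source-port class and list the
    (SRC, SPT) pairs that a 'block <1024 except 53' rule would drop."""
    counts = Counter()
    would_drop = []
    for line in lines:
        f = parse_line(line)
        if f.get("DPT") != "53":
            continue           # only traffic aimed at the DNS server matters here
        sport = int(f["SPT"])
        cls = classify_sport(sport)
        counts[cls] += 1
        if cls == "privileged":
            would_drop.append((f["SRC"], sport))
    total = sum(counts.values())
    pct = 100.0 * counts["privileged"] / total if total else 0.0
    return {"counts": dict(counts), "privileged_pct": pct, "would_drop": would_drop}


if __name__ == "__main__":
    print(summarize_dns_queries(LOG_LINES))
```

Run against a real log export, the `would_drop` list tells you which source addresses to investigate before the rule goes live.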