> On 11 Jan 2001, at 11:47, Jim Reid wrote:
>
> > >>>>> "ed" == ed <[EMAIL PROTECTED]> writes:
> >
> > ed> This issue is important to me because I teach both dns and
> > ed> firewall courses. Normally, I would suggest to students that
> > ed> they block all ports below 1024 (except 53) for packets sent
> > ed> to the dns server. Now, this data makes me wonder if we're
> > ed> turning away good guys or bad guys.
> >
> > ed> What's the official position on resolvers and ephemeral ports?
> >
> > I don't think there is one.
> <snip>
> > And what if a privileged UNIX application uses a port
> > number less than 1024 to query the name server?
>
> This is a compelling argument. You've convinced me. We
> simply cannot filter dns packets on the source port.
>
> Thanks,
>
> Ed
>
>
The nameserver itself has a short list of ports to silently
reject queries from, i.e. don't send a query from echo.
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
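An added illustration, not part of the thread: a small model of the two source-port policies discussed above (the classroom firewall rule "drop everything below 1024 except 53" versus the nameserver's short reject list), run over constructed sample queries to show which legitimate traffic each one discards. Only echo (port 7) is named in the thread as a rejected port; the reject set here is an assumption, and the real BIND list is longer.

```python
# Added example (not from the mailing-list thread). Models the two
# source-port policies and compares them on constructed sample queries.

DNS_PORT = 53
PRIVILEGED_MAX = 1023  # ports 0-1023 are privileged on UNIX

# Short reject list in the style Mark describes. Only echo (7) is named
# on the page; the actual nameserver list is longer (assumption).
NAMESERVER_REJECT_PORTS = {7}


def firewall_low_port_rule(src_port: int) -> str:
    """Ed's original classroom rule: drop any packet to the DNS server whose
    source port is below 1024, except 53 (server-to-server queries)."""
    if src_port <= PRIVILEGED_MAX and src_port != DNS_PORT:
        return "drop"
    return "accept"


def nameserver_reject_rule(src_port: int) -> str:
    """Nameserver approach: silently reject only a short list of well-known
    service ports (e.g. echo) and accept everything else, including
    privileged ports used by root-owned UNIX clients."""
    return "drop" if src_port in NAMESERVER_REJECT_PORTS else "accept"


# Constructed sample queries: (description, source port).
SAMPLE_QUERIES = [
    ("stub resolver on an ephemeral port", 34567),
    ("another nameserver querying from port 53", DNS_PORT),
    ("privileged UNIX app bound to a port below 1024", 1023),
    ("packet whose source port is the echo service", 7),
]


def compare_policies(queries):
    """Return (description, port, firewall verdict, nameserver verdict)."""
    return [(desc, port, firewall_low_port_rule(port), nameserver_reject_rule(port))
            for desc, port in queries]


def legitimate_queries_dropped(queries):
    """Count queries the low-port firewall drops but the nameserver accepts:
    the 'good guys' Ed worried about turning away."""
    return sum(1 for _, p, fw, ns in compare_policies(queries)
               if fw == "drop" and ns == "accept")


if __name__ == "__main__":
    for row in compare_policies(SAMPLE_QUERIES):
        print("%-48s port %5d  firewall=%-6s nameserver=%s" % row)
    print("legitimate queries dropped by the firewall rule:",
          legitimate_queries_dropped(SAMPLE_QUERIES))
```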