On 2022-05-16 17:57:06, Stuart Henderson wrote:
> On 2022-05-16, Alexander Bochmann <[email protected]> wrote:
> > I seem to remember firewall rules that allowed only udp/53 as _source_
> > port for DNS traffic.
> Such rules often existed to cover replies, before the days
> of stateful firewalls.
I admit this is rather useless trivia, but a copy of an old (1999) ORA
bookshelf CD with the DNS & BIND book has this:

> BIND 4 name servers always send queries from port 53, the well-known port
> for DNS servers, to port 53. Resolvers, on the other hand, usually send
> queries from high-numbered ports (above 1023) to port 53. Though name
> servers clearly have to send their queries to the DNS port on a remote host,
> there's no reason they have to send the queries from the DNS port. And,
> wouldn't you know it, BIND 8 name servers don't send queries from port 53 by
> default. Instead, they send queries from high-numbered ports, same as
> resolvers do.
>
> This can cause problems with packet filtering firewalls that have been
> configured to allow server-to-server traffic but not resolver-to-server
> traffic, because they typically expect server-to-server traffic to originate
> from port 53 and terminate at port 53.

Also some old NFS servers required that client traffic originated from ports
< 1024 in order to "prove" that the client service was running with root
privileges. I assume that some other stuff worked on that kind of heuristic
too, but I don't remember any good examples.

Alex.
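The contrast the thread draws, between a stateless "port 53 to port 53" rule and a stateful filter that remembers outbound queries, as an added toy model that is not part of this thread or of any firewall's code (addresses, ports and the inside prefix are constructed):

```python
# Added example: a minimal model of the two firewall styles discussed above.
# The stateless rule admits UDP only when both ports are 53, which fits BIND 4
# queries but drops BIND 8 queries sent from a high-numbered port, and it cannot
# tell a genuine reply from any other inbound packet using source port 53.
# The stateful filter records outbound queries and admits matching replies only.
from dataclasses import dataclass

DNS_PORT = 53
INSIDE_NET = "192.0.2."   # constructed: our own name server sits in this prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """Pre-stateful rule: allow DNS only if it looks like server-to-server."""
    return pkt.sport == DNS_PORT and pkt.dport == DNS_PORT

class StatefulFilter:
    """Allow outbound queries to port 53 and only the replies matching a flow."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        outbound = pkt.src.startswith(INSIDE_NET)
        if outbound and pkt.dport == DNS_PORT:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if it mirrors a recorded query.
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_key in self.flows

def run_scenarios():
    """Return {scenario: (stateless verdict, stateful verdict)} for constructed packets."""
    scenarios = [
        ("bind4_query", Packet("192.0.2.10", 53, "198.51.100.5", 53)),
        ("bind4_reply", Packet("198.51.100.5", 53, "192.0.2.10", 53)),
        ("bind8_query", Packet("192.0.2.10", 40123, "198.51.100.5", 53)),
        ("bind8_reply", Packet("198.51.100.5", 53, "192.0.2.10", 40123)),
        # constructed: inbound packet nobody asked for, but with source port 53
        ("unsolicited", Packet("203.0.113.9", 53, "192.0.2.10", 53)),
    ]
    sf = StatefulFilter()
    return {name: (stateless_allow(pkt), sf.allow(pkt)) for name, pkt in scenarios}
```

Run `run_scenarios()` to see the book's complaint reproduced (the BIND 8 query and its reply fail the stateless rule) and the reason such rules fell out of use (the unsolicited packet passes it but not the stateful filter).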

