[dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Stephane Bortzmeyer 
On Tue, Jun 12, 2012 at 03:32:56AM +,
 Vernon Schryver v...@rhyolite.com wrote 
 a message of 76 lines which said:

 Joe and Joan should be using their ISP's validating, load balancing,
 well (or at least somewhat) maintained DNS servers, just as they
 should be using their ISP's SMTP systems.

A strong NO here. Politically, it would be a big nail in Net
Neutrality's coffin. Also, many ISP have lying resolvers and customers
should NOT use them. From a security perspective, it would be
catastrophic since the last mile is not secured, so the only safe way
to run DNSSEC is to validate locally (which requires access to port 53
if the ISP resolver is lying).

I leave these proposals to MAAWG and the Chinese government.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Stephane Bortzmeyer 
On Sun, Jun 10, 2012 at 01:25:06PM +0200,
 DTNX Postmaster postmas...@dtnx.net wrote 
 a message of 37 lines which said:

 Google is known to be obsessed with latency, for example, so I
 wouldn't be suprised if they deliberately request ANY and then parse
 and cache the results for a multitude of uses.

But that's speculation. I checked the ANY requests coming into .FR
name servers and Google (which should be an important user) does not
appear.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Warren Kumari 

On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote:

 On Tue, Jun 12, 2012 at 03:32:56AM +,
 Vernon Schryver v...@rhyolite.com wrote 
 a message of 76 lines which said:
 
 Joe and Joan should be using their ISP's validating, load balancing,
 well (or at least somewhat) maintained DNS servers, just as they
 should be using their ISP's SMTP systems.
 
 A strong NO here.

+lots.

 Politically, it would be a big nail in Net
 Neutrality's coffin. Also, many ISP have lying resolvers and customers
 should NOT use them. From a security perspective, it would be
 catastrophic since the last mile is not secured, so the only safe way
 to run DNSSEC is to validate locally (which requires access to port 53
 if the ISP resolver is lying).
 

And it seems that the huge majority of lying is being performed at the ISP 
resolvers.

See the numerous papers on NXDOMAIN rewriting, Paxfire / Xerocole / 
Barefruit, etc, one of the better of which is 
 Christian,  Nicholas and Vern's Redirecting DNS for Ads and Profit ( 
http://www.icir.org/christian/publications/2011-foci-dns.pdf )

There are also a huge number of really poorly run (and slow!) ISP recursive 
resolvers.

Having the ability to run your own validating recursive is critical…

W


 I leave these proposals to MAAWG and the Chinese government.
 
 ___
 dns-operations mailing list
 dns-operations@lists.dns-oarc.net
 https://lists.dns-oarc.net/mailman/listinfo/dns-operations
 dns-jobs mailing list
 https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
 

--
Go on, prove me wrong. Destroy the fabric of the universe. See if I care.  -- 
Terry Prachett 


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Carlos M. Martinez 
I don't really think that is the ISPs business to 'correct' 'unwise'
behaviour on the part of equipment. The devil is in the details. What
does an ISP mean by 'correct' or what is 'unwise' ?

Whatever filtering you can currently seem a 'good idea' quickly becomes
abused, misunderstood and applied like a wrecking ball all over the
place. For a taste of this one only needs to look at what ISPs and
network operators do nowadays regarding ICMP filtering.

It's a very slippery slope, one I wouldn't like the industry to take.

Warm regards

Carlos

On 6/12/12 11:46 AM, Vernon Schryver wrote:
 From: Nicholas Suan ns...@nonexiste.net
 However since 53/udp is stateless, and 25/tcp is not, you cast a much
 wider net blocking port 53 inbound than you do with port 25. At least with
 port 25 you can look at the tcp flags and recognize this is a new connection
 without keeping connection state.
 Either I don't understand or that's a restatement of the claim that
 DNS clients commonly send from port 53.  As far 25/TCP blocking is
 concerned in this context, the TCP flags only let you figure out whether
 a TCP segment is to or from a server, exactly as port 53 vs. not-53 often
 does for DNS/UDP.

 People have been repeating the DNS clients send from port 53 claim
 for almost as long as others talking about blocking port 25.  Is
 it valid for consumer ISP customers?  I bet not, but I don't know.

...

 ] From: Peter Koch p...@denic.de

 ]  Joe and Joan should be using their ISP's validating, load balancing,
 ]  well (or at least somewhat) maintained DNS servers, just as they should
 ]  be using their ISP's SMTP systems.
 ]
 ]I'm sure my government loves you already.  Why not cripple the Internet 
 further
 ] since what else do Joe and Joan need but TCP port 80, where the rest
 ] (or even anything at all) can go through the ISP's web proxy?

 Haven't you heard?--Everything is moving to The Cloud.

 Are you claiming that Joe and Joan Sixpack would ever knowingly run
 their own DNS servers?  In the real world, Joan and Joe Sixpack have
 no real control over the software on their computers.  They don't even
 want it or they'd not tolerate the new silent updates from ISPs, Apple,
 Microsoft, Google, Adobe, Mozilla, etc.

 Besides, local DNSSEC validating, regardless of ISP port 53 blocks,
 is the fix for those concerns.  Please think how easy it is for anyone
 in the path of your port 53 packets to run a covert proxy.  Do you
 doubt that there are many illicit translucent DNS proxies?  What is a
 DNS resolver besides a licit, somewhat transparent proxy?

 Consider how easy it is for an ISP to adjust its routers to redirect
 user port 53 packets to a resolver with an RPZ zone.
 Recall DNSChanger and the soon to end DNSChanger remediation effort.

   ...


 } From: Dobbins, Roland rdobb...@arbor.net

 } The *real* problem is, to beat the dead horse yet again, lack of
 } anti-spoofing deployment at the access edge.  The rest of this discussion
 } is tactical.

 Yes, how is BCP 38 deployment going?  That's not rhetorical.  Somewhere
 recently I saw that question yet again but no real answers.
 Are consumer ISPs finally deploying BCP 38 and/or blocking port 25?
 (other than by out-sourcing the port 25 blocking by expecting spam
 targets to use Spamhaus' PBL)

  ...


 From: Stephane Bortzmeyer bortzme...@nic.fr
  Also, many ISP have lying resolvers and customers
 should NOT use them. From a security perspective, it would be
 catastrophic since the last mile is not secured, so the only safe way
 to run DNSSEC is to validate locally (which requires access to port 53
 if the ISP resolver is lying).
 Either that is wrong or DNSSEC is useless, because sending to a packet
 toward a distant DNS servers does imply that it will answer.  Instead
 I think local DNS validation consists of requesting signature and key
 RRs and checking the chain of public key signatures starting from the
 root key that you somehow previously got out of band.

 Do hotels capture and 'improve' your DNS requests to distant servers
 like HTTP?  If you care, hotels you use manual IP addresses, laptop
 DNSSEC valdation, HTTPS, ssh (perhaps over port 443), and/or VPNs.


 Vernon Schryverv...@rhyolite.com
 ___
 dns-operations mailing list
 dns-operations@lists.dns-oarc.net
 https://lists.dns-oarc.net/mailman/listinfo/dns-operations
 dns-jobs mailing list
 https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Tony Finch 
Vernon Schryver v...@rhyolite.com wrote:

 Yes, how is BCP 38 deployment going?

Someone on NANOG recently mentioned http://spoofer.csail.mit.edu/

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Biscay: West or northwest 4 or 5, occasionally 3 later. Moderate. Thundery
showers. Good.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

2012-06-12 Thread Vernon Schryver 
 From: Ken A k...@pacific.net
 To: dns-operati...@mail.dns-oarc.net

 On a authoritative + recursive server, instead of a separate view, we use:
 acl trusted { x.x.x.x/z; };
 allow-recursion { trusted; };

 Is there any way to apply this patch so that it does not affect a 
 specific acl, such as trusted addresses?

 Or, is it recommended/required that we configure separate views to use this?

Separate views are required to apply rate limiting to some but not
all DNS clients, unless you are of the school that holds
authoritative+recursive servers are always utterly wrong.  In that
case separate servers are required.

Would it be easy to transform your configuration file to use views via
the include directive?  My named.conf files look something like

view insiders {
match-clients { goodnets; };
recursion yes;
include privatezones;
include publiczones;
response-policy {
...
};
};
view outsiders {
match-clients { any; };
recursion no;
include publiczones;
rate-limit { ... };
};


Vernon Schryverv...@rhyolite.com
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

2012-06-12 Thread Ken A 



On 6/12/2012 10:16 AM, Vernon Schryver wrote:

From: Ken Ak...@pacific.net
To: dns-operati...@mail.dns-oarc.net



On a authoritative + recursive server, instead of a separate view, we use:
acl trusted { x.x.x.x/z; };
allow-recursion { trusted; };

Is there any way to apply this patch so that it does not affect a
specific acl, such as trusted addresses?

Or, is it recommended/required that we configure separate views to use this?


Separate views are required to apply rate limiting to some but not
all DNS clients, unless you are of the school that holds
authoritative+recursive servers are always utterly wrong.  In that
case separate servers are required.


We are a small ISP, and it has not be necessary.
We do run separate caching servers for mail server use.


Would it be easy to transform your configuration file to use views via
the include directive?  My named.conf files look something like

 view insiders {
match-clients { goodnets; };
recursion yes;
include privatezones;
include publiczones;
response-policy {
...
};
 };
 view outsiders {
match-clients { any; };
recursion no;
include publiczones;
rate-limit { ... };
 };



Yes, only straight forward / minor changes would be needed.
Thanks,
Ken



Vernon Schryverv...@rhyolite.com



--
Ken Anderson
Pacific Internet - http://www.pacific.net
Latest Pacific.Net Status - http://twitter.com/pacnetstatus
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Vernon Schryver 
 From: Tony Finch d...@dotat.at

  Yes, how is BCP 38 deployment going?

 Someone on NANOG recently mentioned http://spoofer.csail.mit.edu/

http://rbeverly.net/research/papers/spoofer-imc09.html
and the last slides in
http://rbeverly.net/research/papers/spoofer-imc09-presentation.pdf
suggest that relying on BCP 38 deployment is unsound.


Vernon Schryverv...@rhyolite.com
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread DTNX Postmaster 
On Jun 12, 2012, at 14:46, Stephane Bortzmeyer wrote:

 On Sun, Jun 10, 2012 at 01:25:06PM +0200,
 DTNX Postmaster postmas...@dtnx.net wrote 
 a message of 37 lines which said:
 
 Google is known to be obsessed with latency, for example, so I
 wouldn't be suprised if they deliberately request ANY and then parse
 and cache the results for a multitude of uses.
 
 But that's speculation. I checked the ANY requests coming into .FR
 name servers and Google (which should be an important user) does not
 appear.

We are seeing them from 74.125.0.0/16, which is a range owned by 
Google, and they resolve to '*.1e100.net', a domain owned by Google.

I do not know why they originate there; from the queries it seems that 
they may be the resolvers in use by the crawler bots, Gmail, or their
open resolvers.

I am speculating about the purpose of those requests, of course, but I 
am not making them up ;-)

Also, they seem perfectly well behaved.

Cya,
Jona

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread DTNX Postmaster 
On Jun 10, 2012, at 23:59, Kyle Creyts wrote:

 On Sun, Jun 10, 2012 at 2:33 PM, Paul Vixie p...@redbarn.org wrote:
 I'm afraid we may need more control. If my clients are generating a DDoS
 attack at 20 responses per second, and I limit this to 5 per second -
 the CC can get the same effect by mobilizing four times as many clients
 to do the job.
 
 no. the client ip is spoofed. the number of spoofers doesn't matter,
 when the reflector is looking at both the apparent client ip and the
 intended response. when most well-provisioned authority servers are
 running with some kind of rate limiting, then the only way to do a
 reflective amplifying ddos will be (a) do it through recursive not
 authority servers, or (b) send a small number of queries to a large
 number of authority servers, or (c) switch to some other wide area udp
 such as ntp or snmp or syslog or whatever.
 
 Someone mentioned that as soon as the spoofed client is blocked, that
 a new spoofed client is used... This behavior seems... strange. How
 quick is this shift? How would one know when to shift the target? The
 modes I _can_ come up with largely involve having some sort of
 information about what is reaching the target. (bandwidth or traffic
 sources) This just leads to more interesting questions about those
 perpetrating the attacks, and their intent. Is there an obvious way of
 discerning the time to switch targets that I am missing? Is this a
 non-interesting topic?

From what I've seen, in our specific case, the apparent source address 
seems to swap every thousands requests or so, with a few exceptions. 

This is from running dnstop on our auth nameservers for a few hours.

HTH,
Jona

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

2012-06-12 Thread Florian Weimer 
* Paul Vixie:

 Vernon Schryver and Paul Vixie have been working on DNS Response Rate
 Limiting (DNS RRL) as a patch set to BIND9 (9.9.1-P1 or 9.8.3-P1) and we
 are ready for broader external testing.

It seems rather straightforward to force recursive resolvers to hit
the rate limit.  Why isn't this a problem?
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] dns response rate limiting (DNS RRL) patch available for testing

2012-06-12 Thread Paul Vixie 
On 6/12/2012 8:13 PM, Florian Weimer wrote:
 * Paul Vixie:

 Vernon Schryver and Paul Vixie have been working on DNS Response Rate
 Limiting (DNS RRL) as a patch set to BIND9 (9.9.1-P1 or 9.8.3-P1) and we
 are ready for broader external testing.
 It seems rather straightforward to force recursive resolvers to hit
 the rate limit.  Why isn't this a problem?

as described in the documentation
(http://www.redbarn.org/dns/ratelimits), we do not recommend this for
recursive servers at this time. that's a separate problem, and most of
the time the fix is to add an ACL to deny off-net or off-campus query
traffic.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] bad infosec economics Re: something paul wrote

2012-06-12 Thread David Miller 
On 6/12/2012 12:34 PM, Edward Lewis wrote:
 At 14:18 + 6/10/12, Paul Vixie wrote:

 thinking about or acting against ANY is bad infosec economics.

 This I agree with.  Here are some of my knee-jerk, anti-filtering
 thoughts:

 1 - DNS providers are paid to answer questions, not drop traffic.

True, to a point.  DNS providers are paid to answer good questions. 

The very first response I get from a customer who receives a large query
bill generated from an attack is that they did not want us to answer
(i.e. they do not want to pay for) *those* queries.

 2 - Rate limits that are not managed eventually become the reason why
 address blocks are contaminated.  Recall the 512 byte limit devices.
 3 - Whenever I've considered limiting any pattern I think of a few
 other patterns that could be substituted in short order if its an APT.

 I agree that rate limiting is an effective short-term, immediate
 reaction to events. But once you leave that time horizon they become
 liabilities - permanent fixes to temporary solutions.

Agreed.  All filters and/or limits need to maintained over time. 
However, general rate limits could be set so high that they will never
occur in good traffic and exceeding them is clearly bad traffic. 
The rate for these general limits would vary from infrastructure to
infrastructure - 1,000 qps, 10,000 qps, you choose qps (yes, that limit
will likely change over time).

 Another part of this discussion centered around determining the source
 of the offensive traffic.  Again, bad infosec economics comes here -
 while it is interesting to diagnose, rarely does the search for
 answers to this question lead to a permanent solution. We've
 collectively known about Dan Bernstein's use of t=ANY for a decade and
 we know he's reluctant to listen to calls for change nor make the
 change.  10+ years.  Nothing's changed - except the newest younger
 crowd learns about this old tale.

Nothing has changed and qmail's installed base remains about the only
reason that we haven't thrown ANY queries onto the refuse pile.

Since we can't disregard ANY queries, it would be just super if we could
stop throwing every new DNS feature into the zone apex, continually
bloating further the ANY query responses for the apex of domains.  Just
a thought.

 The suggestion to limit EDNS0 to a smaller size might be the first
 step to decent (but still suboptimal) improvement.  Guessing that the
 malicious data seeks two things - a large, valid and reputable chunk
 of data to throw at a victim and an reputable and capable address from
 which to throw it, perhaps at least limiting the data size in a way
 that does not cause choking to legitimate uses is a good thing.

+1


 I've said in presentations that the same fertile ground that lets DNS
 be the beast that it is also enables DDoS (rooted in the nature of
 UDP).  The fact that we are still talking DDoS prevention many years
 after we started is empirical evidence that DDoS is a hard problem to
 solve.  Rate limiting is one technique, not a cure-all.  If it was,
 we'd not be talking about it in 2012.  So, use it with caution.

The only real solution is for bandwidth providers to filter garbage at
their edges.  Unfortunately, there is little/no economic incentive for
them to do this and (just like your 1. above) they posit that:
1. Bandwidth providers are paid to route packets, not drop traffic.

There is also, of course, little consensus on the definition of
garbage.  However, if nothing foundational changes, then we will have
the exact same discussion in 2022.


 PS - One possibility, instead of simply not responding, send back
 rcode=REFUSED.


I agree with Tony Finch's reply - TRUNC is better than REFUSED

-DMM


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] query source port 53, was Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Mark Andrews 

In message alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk, Tony Fi
nch writes:
 Mark Andrews ma...@isc.org wrote:
 
  Perhaps because it is a legitimate, though unwise, client source port
  that is in lots of old configurations.
 
  listen-on { internal address; };
  query-source * port 53;
 
 I did this back in the 1990s because it worked around occasional interop
 problems, I think caused by over-enthusiastic firewall configurations that
 thought all DNS (queries and responses) should be on port 53. Several
 years ago I found that things had changed and the popular over-
 enthusiastic firewall configuration requires DNS query source ports to be
 greater than 1023.

Both firewall configuration are broken.  You don't look at source
ports if you are offering a service.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] query source port 53,

2012-06-12 Thread Mark Andrews 

In message 201206122327.q5cnru5s077...@aurora.sol.net, Joe Greco writes:
  In message alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk, Ton
 y Fi
  nch writes:
   Mark Andrews ma...@isc.org wrote:
   
Perhaps because it is a legitimate, though unwise, client source port
that is in lots of old configurations.
   
listen-on { internal address; };
query-source * port 53;
   
   I did this back in the 1990s because it worked around occasional interop
   problems, I think caused by over-enthusiastic firewall configurations tha
 t
   thought all DNS (queries and responses) should be on port 53. Several
   years ago I found that things had changed and the popular over-
   enthusiastic firewall configuration requires DNS query source ports to be
   greater than 1023.
  
  Both firewall configuration are broken.  You don't look at source
  ports if you are offering a service.
 
 Sure you can.  And sometimes do.  That's what the whole privileged port
 thing is about, right?  Sometimes it is desirable to constrain the 
 possibilities for various reasons.

Even then you don't examine it in the firewall as those service
still accept connections from non-reserved ports.  You just get
extra functionality if you come from a known machine using a source
port less than 1024.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] query source port 53,

2012-06-12 Thread Mark Andrews 

In message 201206130045.q5d0joit078...@aurora.sol.net, Joe Greco writes:
  
  
  In message 201206122327.q5cnru5s077...@aurora.sol.net, Joe Greco writes:
In message alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk,
  Ton
   y Fi
nch writes:
 Mark Andrews ma...@isc.org wrote:
 
  Perhaps because it is a legitimate, though unwise, client source po
 rt
  that is in lots of old configurations.
 
  listen-on { internal address; };
  query-source * port 53;
 
 I did this back in the 1990s because it worked around occasional inte
 rop
 problems, I think caused by over-enthusiastic firewall configurations
  tha
   t
 thought all DNS (queries and responses) should be on port 53. Several
 years ago I found that things had changed and the popular over-
 enthusiastic firewall configuration requires DNS query source ports t
 o be
 greater than 1023.

Both firewall configuration are broken.  You don't look at source
ports if you are offering a service.
   
   Sure you can.  And sometimes do.  That's what the whole privileged port
   thing is about, right?  Sometimes it is desirable to constrain the 
   possibilities for various reasons.
  
  Even then you don't examine it in the firewall as those service
  still accept connections from non-reserved ports.  You just get
  extra functionality if you come from a known machine using a source
  port less than 1024.
 
 So then you do understand the reason why someone might do this with DNS.

No.  The DNS isn't a 'r*' protocol.  If you are advertising a
nameserver to the world is the zero, nada, no, none justifable
reason to look at the source port of the query.  You have no knowledge
about the client.  Even the 'r*' protocols, for all the flaws in
the security model, only paid attention to the source port when the
connection came from trusted machine otherwise they ignored the
port and requested that you login.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs