Note that you can sometimes have tcp/53 connections for queries. For
instance, on Windows nslookup, if you do "ls domain.name" you can see the
tcp/53 connection in netstat.
Glenn
From the comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ):
-----------------------------------------------------------------------
Date: Fri Feb 10 15:40:10 EST 1995
Subject: Q1.16 - DNS ports
Q: Does anyone out there have any information/experience on exactly which
TCP/UDP ports DNS uses to send and receive queries ?
A: Use the following chart:
Prot  Src    Dst    Use
udp   53     53     Queries between servers (eg, recursive queries)
                    Replies to above
tcp   53     53     Queries with long replies between servers, zone
                    transfers
                    Replies to above
udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
udp   53     >1023  Replies to above
tcp   >1023  53     Client queries with long replies
tcp   53     >1023  Replies to above
Note: >1023 is for non-priv ports on Un*x clients. On other client
types, the limit may be more or less.
Another point to keep in mind when designing filters for DNS is that a
DNS server uses port 53 both as the source and destination for its
queries. So, a client queries an initial server from an unreserved
port number to UDP port 53. If the server needs to query another
server to get the required info, it sends a UDP query to that server
with both source and destination ports set to 53. The response is then
sent with the same src=53 dest=53 to the first server which then
responds to the original client from port 53 to the original source
port number.
The point of all this is that putting in filters to only allow UDP
between a high port and port 53 will not work correctly; you must also
allow the port 53 to port 53 UDP to get through.
Also, ALL versions of BIND use TCP for queries in some cases. The
original query is tried using UDP. If the response is longer than
the allocated buffer, the resolver will retry the query using a TCP
connection. If you block access to TCP port 53 as suggested above,
you may find that some things don't work.
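As an added illustration of the TCP fallback the FAQ describes (example code written for this page, not part of the thread): a resolver retries over tcp/53 when the UDP answer comes back with the TC (truncated) bit set in the DNS header, and the TCP copy of the same query is sent with a two-byte length prefix. The query name and the sample replies below are constructed.

```python
import struct

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard DNS query in RFC 1035 wire format: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(reply: bytes) -> bool:
    """TC is bit 0x0200 of the flags word; it tells the client the UDP answer was cut short."""
    if len(reply) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & 0x0200)

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP carries each message behind a 2-byte big-endian length field."""
    return struct.pack("!H", len(msg)) + msg

def next_transport(query: bytes, udp_reply: bytes) -> tuple:
    """What the resolver does with a UDP answer: accept it, or resend the same query over tcp/53.

    Returns ("udp", reply) when the answer is usable, or ("tcp", framed_query) when the
    answer was truncated and the client will open a TCP connection to port 53.
    """
    if udp_reply[:2] != query[:2]:
        raise ValueError("reply id does not match query")
    if is_truncated(udp_reply):
        return ("tcp", frame_for_tcp(query))
    return ("udp", udp_reply)

# Constructed samples: the query, a normal reply (QR|RD|RA = 0x8180) and a truncated
# reply (QR|TC|RD|RA = 0x8380). Both reuse the question section and carry no answers.
QUERY = build_query("example.com")
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUERY[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, reply in (("normal", NORMAL_REPLY), ("truncated", TRUNCATED_REPLY)):
        transport, payload = next_transport(QUERY, reply)
        print(f"{label} reply -> next step over {transport}, {len(payload)} bytes")
```

A filter that only passes UDP between a high port and port 53 drops the second step of the truncated case, which is the "some things don't work" failure the FAQ warns about.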
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Leonard.Ong@;nokia.com]
Sent: Thursday, October 31, 2002 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: TCP DNS requests
Yes, I am confirming this. Zone transfer uses TCP/53, while queries use
UDP/53.
Regards,
Leonard Ong
Network Security Specialist, APAC
NOKIA
Email. [EMAIL PROTECTED]
Mobile. +65 9431 6184
Phone. +65 6723 1724
Fax. +65 6723 1596
-----Original Message-----
From: ext Daniel Miessler [mailto:danielrm26@;hotmail.com]
Sent: Friday, November 01, 2002 1:20 AM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests
Zone Transfers use TCP instead of UDP on port 53. That is most likely what
you are seeing.
--Daniel
> We are reporting TCP based DNS requests to one of our DNS servers coming
> from internal, client IP addresses. My manager would like to block the TCP
> packets. What or why would there be random TCP packets? We monitored
> several clients and it appears it only needs UDP.