I have a question I hope someone could help me with. I'm trying to block
"unused" tcp/ip ports on a server. I'm able to successfully do that and
leave port 53 open for DNS. However, it appears that nslookup stops working
and can't find the "default" nameserver.
Question: What TCP/IP or UDP port does NSLOOKUP need to operate on besides
port 53? Does anyone know that?
Thank You very much.
Michael Barber
ComCity Corporation
6690 Amador Plaza Rd., Suite 115
Dublin CA
925-556-6940
Fax: 925-556-6945
DISCLAIMER: This e-mail contains proprietary information some or all of
which may be legally privileged. It is for the intended recipient(s) only.
If an addressing or transmission error has misdirected this e-mail, please
notify the author by replying to this e-mail. If you are not the intended
recipient you must not use, disclose, distribute, copy, print, or reply on
this e-mail.
nslookup sends queries from a dynamically assigned
ephemeral port to port 53.
cricket
Acme Byte & Wire
cri...@acmebw.com
www.acmebw.com
Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class! See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
It sends UDP packets with destination port 53, but the source port will be
a random, high-numbered port. The incoming replies will be going to that
random port, with source port 53.
--
Barry Margolin, bar...@genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
----- Original Message -----
From: Cricket Liu <cri...@acmebw.com>
To: <bind-...@isc.org>
Sent: Monday, April 24, 2000 3:27 PM
Subject: Re: Question about port for NSLOOKUP
> > I have a question I hope someone could help me with. I'm trying to block
> > "unused" tcp/ip ports on a server. I'm able to successfully do that and
> > leave port 53 open for DNS. However, it appears that nslookup stops working
> > and can't find the "default" nameserver.
> >
> > Question: What TCP/IP or UDP port does NSLOOKUP need to operate
> > on besides port 53? Does anyone know that?
>
Nope. This is the normal way that UDP-based applications work -- they send
*to* a well-known port, but the requests come *from* a dynamic port.
You could configure your filters to only allow packets to high-numbered
ports if they're from your nameserver.
You need to be able to accept any port above 1023 as the source port
and 53 as the dest port. You should ignore any packets that have the
"ack" bit set with these addresses as well. This is the case where someone
is trying to send you a reply packet to your DNS server. Any meaningful
replies from elsewhere to your DNS server should be on port 53.
I suggest you pick up a copy of one of the firewall books out there.
Chapman and Zwicky's "Building Internet Firewalls" is quite good on
explaining the rules that are required to allow a given service
through a firewall. It also reviews all of the problems that can
be caused by doing so. <g>
There is no "easy" way to turn off TCP/IP ports in NT?
Someone is sending spurious FTP packets to our server originating from port
21, in many cases they are "spoofing" their ip address and they are using
some program that is running up the TCP/IP ports starting at 1024 and
up...hitting about 7 ports at a time. We have noticed that over a 24 hour
basis; somehow, this causes NT to crash completely even with FTP completely
OFF on the server. They are now doing this on two separate FTP servers.
----- Original Message -----
From: Len Conrad <lco...@Go2France.com>
To: hostmaster <Hostm...@comcity.com>
Sent: Monday, April 24, 2000 3:58 PM
Subject: Re: Question about port for NSLOOKUP
>
> >How can I make this work if it's dynamically assigned?
>
> a "dynamic packet filter" maybe?
>
> something like ipfilter on FreeBSD or Solaris is a "stateful packet filter"
> that allows incoming traffic to enter an otherwise "blocked" port because
> ipfilter has remembered the state where some outgoing traffic occurred on
> the port. It matches the incoming with outgoing, and temporarily opens the
> in-blocked port until the session is stopped, and then it closes that port
> again.
>
> I think you're running into the pb where static filtering can't handle your
> dynamic requirements.
>
> Len
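The thread makes two points that are easier to see side by side in code: nslookup sends from an unpredictable ephemeral port to destination port 53 (so a static filter has to leave every port above 1023 open to packets whose source port is 53, and should drop TCP packets with ACK set that arrive at port 53), and a stateful filter like ipfilter avoids that hole by remembering each outbound query and admitting only its mirrored reply. The following is an added example written for this page, not code from any poster or from ipfilter; the `Packet` type, the filter functions, the RFC 5737 documentation addresses and the six constructed packets (including one modelled on the port-21 packets from the follow-up post) are all assumptions made for illustration.

```python
"""Static vs. stateful filtering of DNS traffic (constructed example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str         # "udp" or "tcp"
    direction: str     # "in" = arriving at the server, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; meaningless for UDP

# Constructed addresses from the RFC 5737 documentation ranges (assumptions).
SERVER = "192.0.2.10"     # the host running nslookup / the nameserver
RESOLVER = "192.0.2.53"   # the "default" nameserver nslookup talks to
OTHER = "203.0.113.7"     # some unrelated host on the Internet

def static_allow(pkt: Packet) -> bool:
    """Stateless rules in the spirit of the thread's advice.

    Because nslookup's source port is an ephemeral port chosen at run time,
    a static filter that wants replies to get back must admit any packet
    from source port 53 to any port above 1023: it cannot know which one
    is currently in use.
    """
    if pkt.direction == "out" and pkt.dport == 53:
        return True                                  # our own queries
    if pkt.direction == "in" and pkt.dport == 53 and pkt.sport > 1023:
        # Queries to our nameserver. A TCP packet with ACK set is not a new
        # connection attempt, so it is dropped as the thread suggests.
        return not (pkt.proto == "tcp" and pkt.ack)
    if pkt.direction == "in" and pkt.sport == 53 and pkt.dport > 1023:
        return True                                  # "replies": the hole
    return False

Key = Tuple[str, str, int, str, int]   # (proto, peer, peer port, us, our port)

class StatefulFilter:
    """Dynamic filter: remember each outbound query and admit only the reply
    whose addresses and ports are the exact mirror image of it."""

    def __init__(self) -> None:
        self.pending: Set[Key] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dport == 53:
            self.pending.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        if pkt.direction == "in" and pkt.sport == 53:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.pending:
                # Close the hole again once the reply has arrived. Real
                # filters age state out with a timeout instead of one-shot.
                self.pending.discard(key)
                return True
            return False                 # unsolicited "reply": no state for it
        if pkt.direction == "in" and pkt.dport == 53 and pkt.sport > 1023:
            return not (pkt.proto == "tcp" and pkt.ack)
        return False

# Constructed traffic, in order of arrival.
TRAFFIC: List[Packet] = [
    Packet("udp", "out", SERVER, 49152, RESOLVER, 53),      # nslookup query
    Packet("udp", "in", RESOLVER, 53, SERVER, 49152),       # genuine reply
    Packet("udp", "in", OTHER, 53, SERVER, 49153),          # forged "reply"
    Packet("tcp", "in", OTHER, 21, SERVER, 1025),           # stray FTP-sourced packet
    Packet("tcp", "in", OTHER, 40000, SERVER, 53, ack=True),  # ACK set, not a new query
    Packet("tcp", "in", OTHER, 40000, SERVER, 53),          # real TCP query (no ACK)
]

def evaluate(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (static verdict, stateful verdict) for each packet."""
    stateful = StatefulFilter()
    return [(static_allow(p), stateful.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, (s, d) in zip(TRAFFIC, evaluate(TRAFFIC)):
        print(f"{pkt.proto} {pkt.direction:3} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} ack={pkt.ack}  static={s} stateful={d}")
```

Both filters pass the query and its real reply and both drop the port-21 packet and the ACK-flagged packet aimed at port 53. The third packet is where they differ: the static rule set has to accept any packet from source port 53 to a high port, so the forged reply gets through, while the stateful filter rejects it because no query ever left from port 49153.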