
dig source port


lv...@ies.etisalat.ae

Aug 25, 2003, 2:39:11 AM8/25/03
Is there a way I can specify the source port for dig? I have a setup with a
firewall, and my nameserver's source port is abcd, but I am unable to make
dig use the same, so the firewall stops dig's random-source-port
requests.

I can recompile it, but it is the last option for me.

I found that bind8 dig supports it in its syntax, but it didn't really work for me:

dig -b 192.168.1.1:abcd

and bind 9 dig mentions only the source IP address; the source port is
not an option, or perhaps I missed it.

Ladislav

Jim Reid

Aug 25, 2003, 5:46:54 AM8/25/03
>>>>> ">" == lvobr <lv...@ies.etisalat.ae> writes:

>> Is there a way I can specify source port for the dig

No.

>> I have setup with firewall, and my nameserver source port is
>> abcd, but I am unable to make the dig to use the same, thus
>> firewall stops the dig random source port requests.

So fix the firewall. It's broken.

>> I can recompile it, but it is the last option for me.

Indeed. Fixing the incorrect firewall configuration would be the right
thing to do.

Jim Reid

Aug 25, 2003, 11:08:51 AM8/25/03
>>>>> <lv...@ies.etisalat.ae> writes:

>>>> I have setup with firewall, and my nameserver source port is
>>>> abcd, but I am unable to make the dig to use the same, thus
>>>> firewall stops the dig random source port requests.
>>
>>> So fix the firewall. It's broken.

>> Don't you think that opening all random UDP ports on the L3
>> firewall for anybody who originates a packet from his UDP port 53
>> is a luxury just to get a dig reply back?

No. Not if I wanted to use dig to query public name servers on the
other side of the firewall.

It's you who wants to use dig through this misconfigured firewall. So
only you can decide whether that's a luxury or not. That'll depend on
your local circumstances that I don't know or care about. [Don't
bother telling us.] You must have thought there was some value in
using dig through this firewall, so I suppose this functionality is
not a luxury for you either.

>> For me it is a luxury, and I will not do that to have a simple
>> dig command working, exposing all random UDP ports on my
>> internal recursive nameserver.

That's your choice. Your internal recursive name server shouldn't have
any other UDP ports in use anyway. All that runs on that box is a name
server, right? And all it would/should be getting from the outside to
some random port number would be query responses to the queries it made.
So if you've decided you want to block traffic from port 53 on the
outside to random UDP ports on the inside, you need to understand the
consequences, i.e. you won't be able to use lookup tools on the inside
of your net to query name servers on the outside.

If you can't/won't fix the firewall, you'll need another solution. For
instance you could put a box on the other side of the firewall and run
dig or whatever from there.

FYI the sample firewall/router ACL for DNS shown in "Building Internet
Firewalls" by Zwicky, Cooper & Chapman says it's OK to allow outbound
to port 53 to come from a random, unprivileged port and vice versa.

>> Can somebody answer why dig in bind8 has it as a syntax but
>> does not really implement it ?

Who cares? dig in BIND8 has long passed its use-by date. I doubt if
anyone actively supports it or is developing the code any more.

>> also I can use +vc, which is less harmful in my case, if I open
>> tcp established in our firewall.

I fail to see how using TCP instead of UDP for DNS traffic can be more
(or less) harmful. Define "harm". Please show how the choice of
transport protocol for DNS traffic has any bearing on this.

>> I basically check root server responses with dig, from the
>> internal recursive nameserver, to gather some statistics.

Fine. You're unhappy that your self-imposed firewall policy doesn't
allow this. So why not do something about that instead of asking why
the world's DNS software hasn't been changed to accommodate your policy?

>> By the way, the query-source address/port has a very valid point for
>> named from a security point of view, so why is it surprising for dig
>> or nslookup to have the same?

Well dig and nslookup are not name servers. They don't normally need
to be used across firewalls. Name servers sometimes do. So they might
need to set the source address and port number to deal with less than
clueful firewall policies. This is a legacy from the BIND4 days when
port 53 was used for outbound queries and their replies and some
misguided people set up their firewalls accordingly.

If you don't like what dig offers, feel free to contribute a patch.

p...@icke-reklam.ipsec.nu

Aug 25, 2003, 12:39:28 PM8/25/03
> dig -b 192.168.1.1:abcd

> Ladislav

Talk to your firewall admin. Filtering on source address usually only
adds to your local headache; it does not increase your security.


--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

Barry Margolin

Aug 25, 2003, 1:22:58 PM8/25/03
In article <bicbjk$21na$1...@sf1.isc.org>, <lv...@ies.etisalat.ae> wrote:
>Is there a way I can specify source port for the dig, I have setup with
>firewall, and my nameserver source port is abcd, but I am unable to make
>the dig to use the same, thus firewall stops the dig random source port
>requests.
>
>I can recompile it, but it is the last option for me.

Are you sure you really need to open up the port? Most decent firewalls
are "stateful": when they see an outgoing request, they remember the IPs
and ports involved and automatically allow the reply back in. Perhaps you
just need to enable this feature in your firewall.

--
Barry Margolin, barry.m...@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

lv...@ies.etisalat.ae

Aug 25, 2003, 8:56:54 AM8/25/03
----- Original Message -----
From: Jim Reid <j...@rfc1035.com>
Date: Monday, August 25, 2003 5:46 am
Subject: Re: dig source port

> >>>>> ">" == lvobr <lv...@ies.etisalat.ae> writes:
>
> >> Is there a way I can specify source port for the dig
>
> No.
>
> >> I have setup with firewall, and my nameserver source port is
> >> abcd, but I am unable to make the dig to use the same, thus
> >> firewall stops the dig random source port requests.
>
> So fix the firewall. It's broken.

Don't you think that opening all random UDP ports on the L3 firewall for
anybody who originates a packet from his UDP port 53 is a luxury just to
get a dig reply back?

For me it is a luxury, and I will not do that to have a simple dig command
working, exposing all random UDP ports on my internal recursive
nameserver.

Can somebody answer why dig in bind8 has it as a syntax but does not
really implement it?

Also, I can use +vc, which is less harmful in my case, if I open TCP
established in our firewall.

I basically check root server responses with dig, from the internal
recursive nameserver, to gather some statistics.

By the way, the query-source address/port has a very valid point for named
from a security point of view, so why is it surprising for dig or nslookup
to have the same?

Ladislav

> >> I can recompile it, but it is the last option for me.
>

p...@icke-reklam.ipsec.nu

Aug 25, 2003, 5:51:57 PM8/25/03
lv...@ies.etisalat.ae wrote:
> ----- Original Message -----
> From: Jim Reid <j...@rfc1035.com>
> Date: Monday, August 25, 2003 5:46 am
> Subject: Re: dig source port

>> >>>>> ">" == lvobr <lv...@ies.etisalat.ae> writes:
>>
>> >> Is there a way I can specify source port for the dig
>>
>> No.
>>
>> >> I have setup with firewall, and my nameserver source port is
>> >> abcd, but I am unable to make the dig to use the same, thus
>> >> firewall stops the dig random source port requests.
>>
>> So fix the firewall. It's broken.

> Don't you think that opening all random UDP ports on the L3 firewall for
> anybody who originates a packet from his UDP port 53 is a luxury just to
> get a dig reply back?

Any firewall worth its salt will save some state, only allowing
_answers_ to the ports that have been asking _questions_.

> For me it is a luxury, and I will not do that to have a simple dig command
> working, exposing all random UDP ports on my internal recursive
> nameserver.

It seems to me that you will increase your security by learning
to configure them properly.

> Can somebody answer why dig in bind8 has it as a syntax but does not
> really implement it?

> Also, I can use +vc, which is less harmful in my case, if I open TCP
> established in our firewall.

> I basically check root server responses with dig, from the internal
> recursive nameserver, to gather some statistics.

> By the way, the query-source address/port has a very valid point for named
> from a security point of view, so why is it surprising for dig or nslookup
> to have the same?

The possibility to specify source ports is a migration help for those
depending on bind-4 behaviour (which is no excuse). It does not
increase security at all.

> Ladislav
>
>> >> I can recompile it, but it is the last option for me.
>>
>> Indeed. Fixing the incorrect firewall configuration would be the right
>> thing to do.
>>
>>

--
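To make the point raised by Barry (a stateful firewall remembers the outgoing request and lets only the reply back in) and by Peter (only answers to the ports that asked questions are admitted) concrete, here is a small model of the two policies. It is an added illustration, not code from the thread or from any firewall product; the addresses other than the poster's 192.168.1.1 are documentation addresses, and the packets are constructed.

```python
"""Toy model of the two firewall policies argued about in this thread.

Constructed example: a stateless rule that admits any inbound UDP packet
whose source port is 53 (what the poster would have to open on a dumb L3
filter) beside a stateful rule that admits only the reply matching an
outbound query the firewall has already seen.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = inside -> outside, "in" = outside -> inside


def stateless_allow_from_53(pkt: Packet) -> bool:
    """Weak policy: anything inbound from UDP port 53 reaches any inside port."""
    if pkt.direction == "out":
        return pkt.dport == 53
    return pkt.sport == 53


class StatefulFilter:
    """Records each outbound query's 4-tuple and admits only its mirror reply."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport != 53:
                return False
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: addresses and ports must be the reverse of a recorded query.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict[str, list[bool]]:
    """Constructed traffic: dig on the resolver queries an outside server from a
    random high port, the server replies, and a stranger sends an unsolicited
    packet from its port 53 to another random inside port."""
    resolver, outside_ns, stranger = "192.168.1.1", "192.0.2.53", "203.0.113.9"
    query = Packet(resolver, 40123, outside_ns, 53, "out")
    reply = Packet(outside_ns, 53, resolver, 40123, "in")
    unsolicited = Packet(stranger, 53, resolver, 40124, "in")
    fw = StatefulFilter()
    packets = (query, reply, unsolicited)
    return {"stateless": [stateless_allow_from_53(p) for p in packets],
            "stateful": [fw.allow(p) for p in packets]}
```

The stateless policy passes all three packets, including the unsolicited one; the stateful policy passes the query and its reply but drops the packet no inside host asked for.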
