Re: Ports other than 53 required for proper DNS operation????



In news:F66589A9-7FA3-4789-92A7-7F2AB211ECDB@xxxxxxxxxxxxx,
Frank Ricciardi <FrankRicciardi@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Not following you.

DNS should be straight TCP/IP on port 53, correct?

UDP first, then TCP. With the original RFCs, it is defined as reverting to
TCP when the response is greater than 512 bytes, like some zones that have a
large amount of data in the response packet. With EDNS0, a new RFC that came
out that Windows 2003 adopted, UDP now goes up to 1280 bytes. This was
implemented to make the response more efficient and quicker with zones that
have large data.

BUT

With Windows communication within a network, or even on the local server,
there's more that goes on than a simple Windows to Windows session, even if
it's DNS; RPC is used. RPC also requires authentication, which requires
certain ports. If in a domain, the port requirements increase. Even on the
same machine, if the IP address in IP properties says to use itself, it will
use RPC. With Windows to Windows, an ephemeral port is used by the querying
client. What is an ephemeral port? Simply a random port 1024 and above. Run a
sniffer and you can see the traffic.

Read the results in this search to see what I'm talking about:
http://www.google.com/search?hl=en&rls=GGLR,GGLR:2006-06,GGLR:en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=ephemeral+port&spell=1

If across the Internet, UDP and TCP 53 alone will work, but not locally.
Period. Then EDNS0 comes into play. If a firewall does not allow DNS UDP
packet sizes beyond 512, then the response will not go across it.

If you want to test it locally, use nslookup, which is pure UDP, then TCP
depending on the size of the response packet. Pinging locally will revert to
the ephemeral ports, then authentication, etc.

I hope that helps.

Ace
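The UDP-then-TCP behaviour described in the reply above, as an added example that is not part of the original post: a client builds a query with or without an EDNS0 OPT record advertising its UDP payload size, a simulated responder sets the TC (truncated) flag whenever the full answer would not fit that size (512 bytes without EDNS0), and the client decides from the TC bit whether to retry over TCP 53. The responder, the record layout used for the OPT check (query messages only, no name compression) and the sizes passed in are assumptions made for the example; a firewall that drops UDP DNS packets over 512 bytes simply never delivers the larger reply, which is the failure case the post describes.

```python
import struct

DNS_TYPE_OPT = 41
DEFAULT_UDP_SIZE = 512   # maximum UDP payload without EDNS0 (RFC 1035)
FLAG_QR = 0x8000         # response
FLAG_TC = 0x0200         # truncated: client should retry over TCP
FLAG_RD = 0x0100         # recursion desired

def encode_name(name):
    """Encode a dotted name as DNS labels; no compression (fine for a question)."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, edns_udp_size=None, txid=0x1234, qtype=1):
    """Build a DNS query; an OPT pseudo-RR (EDNS0) advertises the UDP size we accept."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    if edns_udp_size:
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def advertised_udp_size(query):
    """UDP payload size a query advertises: the OPT CLASS field if present, else 512."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qd):                 # skip the question section
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1 + 4                    # root terminator + QTYPE/QCLASS
    if an == 0 and ns == 0 and ar == 1 and query[pos] == 0:
        rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == DNS_TYPE_OPT:
            return max(DEFAULT_UDP_SIZE, rclass)   # values below 512 count as 512
    return DEFAULT_UDP_SIZE

def udp_response_header(query, full_response_len):
    """Simulated responder: header it would send over UDP for an answer of this size."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= FLAG_QR
    if full_response_len > advertised_udp_size(query):
        flags |= FLAG_TC                # answer does not fit in UDP; signal TCP retry
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def needs_tcp_retry(response):
    """Client side: a set TC bit means the UDP answer was cut short; re-ask over TCP 53."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)
```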

