Re: dnsserver: Ports used for DNS traffic?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 21 Nov 1999 12:21:12 +0100

Steve Snyder wrote:
 
> What port numbers does dnsserver (Squid v2.2S5) use for DNS traffic and
> can they be configured?

It uses whatever your resolver library uses. All resolver libraries I
know of let the OS assign a free port > 1024.

Using a fixed port is not possible, as each application requires its
own port (in the case of Squid, each dnsserver process). You can only use a
fixed port if you tunnel all DNS requests through a single application (i.e.
a locally running BIND).

> For security reasons, I run BIND (v8.2.2) such that it exclusively uses
> port 53 for all DNS traffic across my firewall (ipchains on a RedHat
> v6.0 system). This scheme has been working great.

Unless your DNS is authoritative, a more secure setup is to separate the
query and listen ports, and only allow the query port through the firewall.
Almost all direct attacks on BIND have been through the listen port.

> Now I've installed Squid and find that it attempts to use high port
> numbers to communicate with the nameservers found in my
> /etc/resolv.conf. The system log accurately shows the denial of access
> to these port numbers.

That is the normal behaviour of resolver libraries, and not something
you likely can change.

The same will happen when you use other IP tools on your server (ping,
telnet, nslookup, whatever).

If this bothers you, then use only the local machine as a name
server.

> I am aware that I can specify the interfaces to use (via the Squid
> dns_nameservers param) rather than letting Squid parse my
> /etc/resolv.conf, but is that the appropriate course of action? I'm OK
> with Squid using the non-localhost nameservers; it's the ports other
> than 53 that I want to avoid.

It won't help you. That parameter is identical to specifying them in
resolv.conf. It is only useful if you want Squid to use other name
servers than listed in resolv.conf.

> Any thoughts on this? Thank you.

I strongly disagree with your security policy for any DNS server not
authoritative for DNS data.

It is also most likely a good idea to run BIND chrooted as nobody (-u
and -t options).

--
Henrik Nordstrom
Squid hacker
Received on Sun Nov 21 1999 - 04:41:44 MST
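An added illustration of the resolver behaviour discussed in this thread, written for this archive page and not taken from Squid, BIND or the poster: it lets the OS assign source ports to several UDP sockets (one per would-be dnsserver process), shows that a fixed port cannot be shared between them, and reads the Linux ephemeral range a firewall rule would have to allow. The loopback address and the /proc path are standard; no network traffic is sent.

```python
import socket
from contextlib import ExitStack


def ephemeral_query_ports(n):
    """Open n UDP sockets the way n independent resolver users would,
    letting the OS choose the source port (bind to port 0).
    Returns the list of ports the kernel handed out."""
    with ExitStack() as stack:
        ports = []
        for _ in range(n):
            s = stack.enter_context(socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
            s.bind(("127.0.0.1", 0))          # port 0 = "OS picks a free port"
            ports.append(s.getsockname()[1])
        return ports


def fixed_port_shareable(n):
    """Try to give n independent sockets one fixed source port.
    Returns how many managed to bind; without SO_REUSEPORT that is 1,
    which is why one fixed port per dnsserver process is not possible."""
    with ExitStack() as stack:
        first = stack.enter_context(socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
        first.bind(("127.0.0.1", 0))
        port = first.getsockname()[1]      # a free port, now held by 'first'
        bound = 1
        for _ in range(n - 1):
            s = stack.enter_context(socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
            try:
                s.bind(("127.0.0.1", port))
                bound += 1
            except OSError:                # EADDRINUSE: port already taken
                break
        return bound


def local_port_range():
    """Linux ephemeral port range (low, high), or None on other systems.
    An outbound firewall rule for resolver traffic must allow UDP from
    this whole range to the nameservers' port 53."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = f.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("OS-assigned query ports:", ephemeral_query_ports(4))
    print("sockets sharing one fixed port:", fixed_port_shareable(3))
    print("ephemeral range to allow outbound:", local_port_range())
```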
