LinuxQuestions.org
Old 11-07-2001, 07:11 PM   #1
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Rep: Reputation: 15
DNS/Port Question


Is there any reason why somebody would be initiating communication with my box, from a port below 1024, this includes any DNS servers? I was under the impression that ports that were below 1024 are reserved and therefore not used to initiate communications. Is this correct? So if I was to block all connection requests originating from a port lower than 1024, would this be safe, or would it cause net problems?

Another question I have is about actual DNS. How is a DNS query performed, or how do the root servers update their information based on my nameserver, or is it the other way around? If I run my own nameserver, is there any reason to leave port 53 open? I understand the concept of DNS pretty well, but I don't understand who updates where when and how?

TIA, Mike.

Last edited by mikeyt_3333; 11-08-2001 at 10:34 AM.
 
Old 11-08-2001, 10:35 AM   #2
mikeyt_3333
Member
 
Registered: Aug 2001
Distribution: Red Hat
Posts: 61

Original Poster
Rep: Reputation: 15
Anybody? I hope somebody can help, 'cause I am dealing with a possible attack, and am doing research to decide how to handle it.

Thanks,
Mike.
 
Old 11-08-2001, 03:17 PM   #3
taz.devil
Senior Member
 
Registered: Nov 2001
Location: Wa. State
Distribution: Slackware
Posts: 1,261

Rep: Reputation: 45
Sure... Port 80 is the standard HTTP port that webservers use to send you crap. If you are really worried, set up a firewall and you can monitor the ports.
 
Old 11-08-2001, 03:20 PM   #4
taz.devil
Senior Member
 
Registered: Nov 2001
Location: Wa. State
Distribution: Slackware
Posts: 1,261

Rep: Reputation: 45
Quote:
Originally posted by taz.devil
Sure... Port 80 is the standard HTTP port that webservers use to send you crap. If you are really worried, set up a firewall and you can monitor the ports.
Sorry, didn't answer the DNS question. I don't have experience with actually running a DNS. The only one I've set up was in NT 3.51. You don't have to know much to set one up in there.. LOL Sorry...
 
Old 11-09-2001, 04:02 AM   #5
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES / FC/ OES / CentOS
Posts: 614

Rep: Reputation: 32
think i can help

Hello!
I think you want to use Linux as a proxy and you would like to close as many ports as possible.
I did the same!
Use FIREWALL !!!!
Just install the package and set FW_START to "yes".
Now configure the Firewall.conf.

1. define the FW_DEV_WORLD and the FW_DEV_INT
should be "ippp0" and "eth0" (if you use isdn)
2. define the ports that should be open to the "outside world"
for example 25 for smtp
53 for dns
80 for www
110 for pop3
but I have nothing open for the outside world
3. you must allow incoming high ports for DNS so you can get your IP from your ISP

Now I think it gets too much for just a post reply. If you want to know more just write a mail!
 
Old 11-10-2001, 02:22 PM   #6
dangel
Member
 
Registered: Nov 2001
Location: atl
Distribution: redhat
Posts: 52

Rep: Reputation: 15
If you're running a DNS server then you'll have to leave port 53 open, since that is the port that bind runs on ... to allow queries and such.
Probably the best thing to do in ur case is separate your network and put the server in the dmz.
That way ur services are masqed and not physically running on the external interface. Then you can just set up port forwarding.
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 53 -j DNAT --to 192.168.1.3:53

(i tried to do some fancy ascii art .... but ... didn't come out very well!)

Last edited by dangel; 11-10-2001 at 02:32 PM.
 
Old 11-10-2001, 03:46 PM   #7
siddiqu
Member
 
Registered: Mar 2001
Location: India
Posts: 332

Rep: Reputation: 30
Hi..

The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535

http://www.iana.org/assignments/port-numbers


U can block all the ports except ur application ports like smtp, http, ssh etc. or u can disable all unnecessary services. ie more safe

for ur second question pls refer to DNS & BIND from O'Reilly. Good book

Siddiqu.T


 
Old 11-10-2001, 04:22 PM   #8
gosub
LQ Newbie
 
Registered: Nov 2001
Location: Trondheim, Norway
Distribution: trustix secure linux, debian, redhat
Posts: 3

Rep: Reputation: 0
Any remote host is free to communicate with you using whichever local port it desires. That being said you could normally consider it awkward for anyone to initiate communications using a local port <= 1024.

However - when receiving UDP traffic, such as DNS, you do not know if this is someone initiating communications or, for instance, just replying to a request from you. A DNS server will respond to your request with a local port number of 53.

Blocking traffic based on source port would not provide you with any kind of security as far as I can see, so I wouldn't bother looking any more into that if I were you.

To answer your DNS question I'd like you to consider an example:
- I want to look at www.linuxquestions.org, type that in my browser's location bar, push enter and sit back and wait

- My computer asks the DNS server I have configured, say 10.10.10.10: "What IP does www.linuxquestions.org have?"

- The DNS server 10.10.10.10 then asks one of the root DNS servers (they are preconfigured on the DNS server, as you know, having set up a DNS server): "Who administers the .org domain?"

- The root DNS server says to 10.10.10.10: ".org is administered by 192.5.6.30"

- 10.10.10.10 asks 192.5.6.30: "Who administers the .linuxquestions.org domain?"

- 192.5.6.30 answers to 10.10.10.10: ".linuxquestions.org is administered by 64.65.208.2"

- 10.10.10.10 asks 64.65.208.2: "What IP does www.linuxquestions.org have?"

- 64.65.208.2 answers to 10.10.10.10: "www.linuxquestions.org is 208.247.106.177"

- 10.10.10.10 answers my computer: "www.linuxquestions.org is 208.247.106.177"

- My computer initiates communications with 208.247.106.177, and so on...

(Some parts of this explanation are simplifications, but most of it is accurate.) The point is - neither yours nor the root nameservers need to keep data stored in the other party's repository.

And yes, you need to keep UDP port 53 open if you want people to be able to ask you for DNS information.
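
An added illustration (not from any poster in this thread) of the point in the reply above that inbound UDP from source port 53 may be either a reply or unsolicited: a toy stateful filter that accepts a DNS response only when it matches a recent outbound query. The class and function names, the 30-second timeout and the sample addresses are assumptions; the packets are constructed, header-only DNS messages.

```python
import struct

TIMEOUT = 30  # seconds an outbound query stays in the table (assumed value)

def dns_header(payload):
    """Return (transaction_id, is_response) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response

class UdpTracker:
    """Toy stateful filter: inbound UDP passes only as a reply to a recent query."""
    def __init__(self):
        self.flows = {}  # (local_ip, local_port, remote_ip, remote_port, txid) -> expiry

    def outbound(self, now, src, sport, dst, dport, payload):
        txid, is_resp = dns_header(payload)
        if not is_resp:  # remember only queries we sent ourselves
            self.flows[(src, sport, dst, dport, txid)] = now + TIMEOUT

    def inbound(self, now, src, sport, dst, dport, payload):
        try:
            txid, is_resp = dns_header(payload)
        except ValueError:
            return "drop: malformed"
        key = (dst, dport, src, sport, txid)  # mirror of the outbound tuple
        expiry = self.flows.get(key)
        if is_resp and expiry is not None and now <= expiry:
            del self.flows[key]  # one reply per query
            return "accept: reply"
        return "drop: unsolicited"

def make_dns(txid, response):
    """Build a constructed header-only DNS message (all section counts zero)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

def demo():
    fw = UdpTracker()
    me, resolver = "192.0.2.10", "10.10.10.10"  # constructed sample addresses
    fw.outbound(0, me, 40000, resolver, 53, make_dns(0x1A2B, False))
    return [
        fw.inbound(1, resolver, 53, me, 40000, make_dns(0x1A2B, True)),       # real reply
        fw.inbound(2, resolver, 53, me, 40000, make_dns(0x1A2B, True)),       # duplicate
        fw.inbound(3, "203.0.113.7", 53, me, 40000, make_dns(0x1A2B, True)),  # wrong sender
        fw.inbound(4, "203.0.113.7", 53, me, 22, make_dns(0x9999, False)),    # new flow from port 53
    ]
```

All four inbound packets carry source port 53, so a rule keyed on source port alone treats them identically; only the recorded outbound query separates the genuine reply from the rest.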
 
  

