aren't those port descriptions self-explaining enough?

what is the point of this question at all?
services are not supposed to bind those low ports, and if anyone wants to do
that, they should be aware of possible isss they create.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Hi,
Please clarify if you're saying "bound to" as in the code that
originated the query came from said port or if you mean queries that are
going to said port on the DNS server?
That's new information to me.
I feel like such queries (from) low ports may be "unexpected", but I
don't know that it's "wrong" per say.
Based on the small list five ports, I'm guessing that these ports caused
a problem and as such are blocked.
I'm guessing that named filters the problematic ports as a function of
protecting it's own stability or otherwise desired behavior.

I would expect that firewalls are more for security of the system.

Different scopes of problem use different solutions.
Bind has chosen to operate in this manner. Other daemons may or may not
make the same choice.
I suspect that bind chose to drop these specific source ports because
they likely will result in more traffic back from the client. As such,
sort of causing a feedback loop. Mind you, this is just a guess.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
If I am reading the code correctly, that commit implies that building
bind with -DNS_CLIENT_DROPPORT=0 will disable that feature.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltko7UACgkQL6j7milTFsHUtACfUT6pSUq0TIoHpQI6mN3LFGqv
EGIAn2FZ/8xVzcI3Ewg/Latryo0Vxq05
=/+BG
-----END PGP SIGNATURE-----



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Those particular ports are reserved for services that have the rather
odd property that any junk set to them will result in a response.  E.g.
simply opening a connection to daytime will result in a response with
the current date and time in some (unspecified) ASCII format.  Daytime
returns a 32-bit time - that will overflow "soon"; you should be using
NTP instead.

They were designed for diagnostic purposes at a time when the internet
was young and friendly.

Suppose someone knows of a server running one of those services (they
have mostly been replaced/blocked for this and other reasons).

If that someone were able to spoof a request from one of these ports on
that server to your named, responding with anything - including a
FORMERR response, would result in another response.  Named would take
that as another ill-formed request, and reply...  In an infinite loop
using whatever bandwidth is available.  This amounts to a denial of
service attack on both servers, for the cost of a single
packet/connection.  Dropping these packets is the right thing to do,
since the non-named services are acting correctly (according to their
specifications).  And if operating according to their specifications,
none of those servers would ever *initiate* a connection to anyone -
including named.

As for why other low-numbered ports are not dropped: unlike these, they
may have legitimate needs for name resolution.  You could configure a
firewall to drop these - and probably should.  But it certainly doesn't
hurt for named to protect itself from this particular attack.

I should note that your example used port 32 - which is not dropped by
the commit that you cited.  Port 32 is not assigned by IANA.

[Although this is a security issue, I'm not revealing anything new
here.  The commit is 12 years old.  It has been standard advice for many
years not to run these services on the public internet.  If anyone IS
running them(I think NIST is still running the time services), they
should know the risk, and at least rate-limit requests from any given
client IP...]

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.