Subject: Re: system listens strange port when bind starts
To: netbsd-help@netbsd.org, tech-security@netbsd.org
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 02/22/2002 14:55:14
[ On Friday, February 22, 2002 at 10:34:53 (-0500), Steven M. Bellovin wrote: ]
> Subject: Re: system listens strange port when bind starts
>
> In message <3C764FB9.4DAFD94D@computel.ru>, ish@computel.ru writes:
> >Colleagues!
> >
> >I just downloaded and installed the NetBSD 1.5.2 /i386.
> >The BIND 8.2.3 is bundled, so I enabled it as is and set up the zone.
> >The actual NetBSD machine is installed in network with reserved
> >addresses (192.168...)
> >
> >Q1: Named listens on a non-standard port such as 56147 or 64930.
> >I restarted named several times and noticed ports in the range between
> >5000 and 7000.
> >What is it?
>
> That's the port that bind uses for sending its own queries. Port 53 is
> what it uses to accept queries from others.
Yes, and it's a UDP port, and only listening for the replies to the
queries it sends out. Spoofed replies can be sent to that port, but the
spoofer has to guess at least a couple of values and get them right in
order to have the spoofed reply be heard.... With BIND-9 the guessing
presumably gets harder on systems with better random number generators.
You can stop it from listening on that port if you want. I do this with
the following option set in /etc/named.conf:
options {
        # for recursive queries so as to avoid any possible problems
        # with firewalls, etc....
        query-source address 0.0.0.0 port 53;
};
(I would rather have all DNS packets on my network have both source and
destination ports be 53.....)
For BIND-9 (e.g. from pkgsrc) there's still a mystery port, 49153 in this
example:
# fstat -p 126
USER     CMD      PID   FD MOUNT      INUM MODE         SZ|DV R/W
dns      named    126   wd /         53639 drwxr-xr-x     512 r
dns      named    126    0 /         11271 crw-rw-rw-    null rw
dns      named    126    1 /         11271 crw-rw-rw-    null rw
dns      named    126    2 /         11271 crw-rw-rw-    null rw
dns      named    126   3* unix dgram c0d1d840 <-> c0b634c0
dns      named    126   4* internet dgram udp c0bba060 204.92.254.15:53
dns      named    126   5* internet stream tcp c0bd1000 204.92.254.15:53
dns      named    126   6* internet dgram udp c0bba120 127.0.0.1:53
dns      named    126   7* internet stream tcp c0bd10b4 127.0.0.1:53
dns      named    126   8* internet dgram udp c0bba1e0 *:53
dns      named    126   9* internet6 dgram udp c0b54b00 *:49153
dns      named    126  10* internet stream tcp c0bd1168 127.0.0.1:953
dns      named    126   11 /         11748 cr--r--r--  random r
953 is of course only listening on localhost and is for the 'rndc'
command to connect to, and IIRC it's only there if you ask for it:
controls {
        inet 127.0.0.1 allow { localhost; }
        keys { local-host-key; };
};
and as you can see it could be a bit more "promiscuous" if desired....
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
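An added example, not part of this message or of BIND itself: a small parser for the fstat socket lines shown in the thread that labels each of named's sockets with the role the thread assigns it (service port 53, the rndc control port 953, and the UDP query-source port that only ever receives replies to named's own queries) and reports a control socket that is not on loopback or a query-source socket bound to every address. The sample input is the listing quoted above, re-typed here as constructed data; the role names and the `review` function are this example's own.

```python
import re

# Constructed sample: the `fstat -p 126` listing quoted in the message above.
FSTAT_OUTPUT = """\
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
dns named 126 wd / 53639 drwxr-xr-x 512 r
dns named 126 3* unix dgram c0d1d840 <-> c0b634c0
dns named 126 4* internet dgram udp c0bba060 204.92.254.15:53
dns named 126 5* internet stream tcp c0bd1000 204.92.254.15:53
dns named 126 6* internet dgram udp c0bba120 127.0.0.1:53
dns named 126 8* internet dgram udp c0bba1e0 *:53
dns named 126 9* internet6 dgram udp c0b54b00 *:49153
dns named 126 10* internet stream tcp c0bd1168 127.0.0.1:953
"""

# One fstat line for an IPv4/IPv6 socket:
# "<user> <cmd> <pid> <fd>* internet[6] <dgram|stream> <udp|tcp> <kaddr> <addr>:<port>"
SOCK_RE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+(?P<fd>\d+)\*\s+internet6?\s+"
    r"(?:dgram|stream)\s+(?P<proto>udp|tcp)\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)$"
)
LOOPBACK = {"127.0.0.1", "::1"}

def parse_fstat(text):
    """Return the internet sockets in an fstat listing; files and unix sockets are skipped."""
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if m:
            socks.append({"fd": int(m["fd"]), "proto": m["proto"],
                          "addr": m["addr"], "port": int(m["port"])})
    return socks

def classify(sock):
    """Name the role a named socket plays, following the explanation in the thread."""
    if sock["port"] == 53:
        return "service"        # accepts queries from clients (UDP and TCP)
    if sock["port"] == 953 and sock["proto"] == "tcp":
        return "control"        # rndc channel; expected on loopback only
    if sock["proto"] == "udp":
        return "query-source"   # only receives replies to named's own queries
    return "unknown"

def review(text):
    """Map fd -> role and collect the findings a defender would want to see."""
    roles, findings = {}, []
    for s in parse_fstat(text):
        roles[s["fd"]] = role = classify(s)
        if role == "control" and s["addr"] not in LOOPBACK:
            findings.append(f"fd {s['fd']}: rndc control port 953 reachable on {s['addr']}")
        if role == "query-source" and s["addr"] == "*":
            findings.append(f"fd {s['fd']}: query-source UDP port {s['port']} bound to all addresses")
    return roles, findings
```

Run against live output with `review(subprocess.check_output(["fstat", "-p", pid], text=True))`.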