RE: TCP DNS requests
From: "Wolf, Glenn" <glenn.wolf () we-inc com>
Date: Fri, 1 Nov 2002 10:45:50 -0800
Note that you can sometimes have tcp/53 connections for queries. For
instance, on Windows nslookup, if you do "ls domain.name" you can see the
tcp/53 connection in netstat.
From the comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ):
Date: Fri Feb 10 15:40:10 EST 1995
Subject: Q1.16 - DNS ports
Q: Does anyone out there have any information/experience on exactly which
TCP/UDP ports DNS uses to send and receive queries ?
A: Use the following chart:
Prot  Src    Dst    Use
udp   53     53     Queries between servers (eg, recursive queries)
                    Replies to above
tcp   53     53     Queries with long replies between servers, zone transfers
                    Replies to above
udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
udp   53     >1023  Replies to above
tcp   >1023  53     Client queries with long replies
tcp   53     >1023  Replies to above
Note: >1023 is for non-priv ports on Un*x clients. On other client
types, the limit may be more or less.
Another point to keep in mind when designing filters for DNS is that a
DNS server uses port 53 both as the source and destination for its
queries. So, a client queries an initial server from an unreserved
port number to UDP port 53. If the server needs to query another
server to get the required info, it sends a UDP query to that server
with both source and destination ports set to 53. The response is then
sent with the same src=53 dest=53 to the first server which then
responds to the original client from port 53 to the original source
The point of all this is that putting in filters to only allow UDP
between a high port and port 53 will not work correctly, you must also
allow the port 53 to port 53 UDP to get through.
Also, ALL versions of BIND use TCP for queries in some cases. The
original query is tried using UDP. If the response is longer than
the allocated buffer, the resolver will retry the query using a TCP
connection. If you block access to TCP port 53 as suggested above,
you may find that some things don't work.
From: Leonard.Ong () nokia com [mailto:Leonard.Ong () nokia com]
Sent: Thursday, October 31, 2002 5:51 PM
To: security-basics () securityfocus com
Subject: RE: TCP DNS requests
Yes, I am confirming this. Zone transfer uses TCP/53, while queries use
Network Security Specialist, APAC
Email. Leonard.Ong () nokia com
Mobile. +65 9431 6184
Phone. +65 6723 1724
Fax. +65 6723 1596
From: ext Daniel Miessler [mailto:danielrm26 () hotmail com]
Sent: Friday, November 01, 2002 1:20 AM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests
Zone Transfers use TCP instead of UDP on port 53. That is most likely what
you are seeing.
We are reporting TCP based DNS requests to one of our DNS servers
from internal, client IP addresses. My manager would like to block
packets. What or why would there be random TCP packets? We monitored
several clients and it appears it only needs UDP.
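The UDP-then-TCP behaviour discussed in this thread (try UDP, retry over TCP when the answer comes back with the TC bit set, and use the 2-byte length framing that DNS over TCP requires), as an added example that is not part of any of the posts above. The transaction ID, the sample responses and the `resolve()` helper are constructed for illustration; only `resolve()` touches the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the UDP answer did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired

QTYPE_A = 1
QTYPE_AXFR = 252  # zone transfer (what nslookup's "ls domain.name" asks for); TCP only
QCLASS_IN = 1


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype, rd=True):
    """One standard query: 12-byte header, one question, class IN."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte header of a query or response."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query, response):
    """The resolver behaviour the FAQ describes: retry over TCP when the UDP
    answer is truncated. A reply whose ID does not match the query, or that is
    not flagged as a response, is rejected instead of acted on."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        raise ValueError("response does not match our query")
    return h["tc"]


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP every message carries a 2-byte
    big-endian length prefix, since the stream has no record boundaries."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf):
    """Split a TCP byte stream into complete DNS messages; returns
    (messages, leftover). A zone transfer arrives as several such messages
    on one connection, so callers keep feeding the leftover back in."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def resolve(name, qtype, server, timeout=3.0):
    """Query over UDP from an unprivileged port to udp/53, and fall back to
    tcp/53 if the reply is truncated. Returns (response, transport). Needs
    network access; the fixed ID is for readability only, use a random one."""
    q = build_query(0x1234, name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)  # classic UDP payload limit without EDNS
    if not needs_tcp_retry(q, resp):
        return resp, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before a full reply")
            buf += chunk
            msgs, _ = split_tcp_stream(buf)
            if msgs:
                return msgs[0], "tcp"


# Constructed sample responses (not captured traffic): the question echoed
# back with no answer records, one with TC set and one without.
_Q = build_query(0x1234, "example.com", QTYPE_A)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0) + _Q[12:]
FULL_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0) + _Q[12:]
```

Run against the constructed responses, `needs_tcp_retry()` reports True only for the one with TC set, which is exactly the case where a client that can only reach udp/53 through the filter will appear to "work" for short answers and then fail on long ones. For an AXFR the same `tcp_frame()`/`split_tcp_stream()` pair applies, except the client opens TCP directly and reads messages until the zone's closing SOA arrives.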