Penetration Testing: Re: Testing F5 3DNS

[John Swope <johns () akorn net>]

The source port will increment with each subsequent query.  It will not 
remain 1026.  Most systems run through source ports of 1025 to 5000 then 
recycle.
At 12:35 PM 08/06/04, Jay Beale wrote:

> This is a slight tangent, but one worth noting on this mailing list.
>
> While the filter could be stateless, it could also be stateful but simply 
> be horrible at DNS with respect to DNS.  Microsoft's Internet Connection 
> Firewall, for instance, will open its resolver's port to all  IP addresses 
> whenever it has sent out a request to its DNS server in the last 60 
> seconds.  There's a great Phrack article on this, quoted below.
>   - Jay
>
>
> From Phrack:  (http://www.phrack.org/phrack/62/p62-0x03_Linenoise.txt)
>
> It can be seen that when the Windows XP computer sent a UDP packet from
> port 1026 to port 53 of the DNS server, the firewall allowed all incoming
> UDP traffic to port 1026, regardless of the source IP address or source
> port of the incoming traffic.  Such incoming traffic was allowed to
> continue until the firewall decided to block access to port 1026, which
> occurred when there was no incoming traffic to port 1026 for a defined
> period of time.  This timeframe was between 61 seconds and 120 seconds, as
> it appeared that the firewall checked once per minute to determine if
> access to ports should be revoked due to more than 60 seconds of
> inactivity.  Assuming that users connected to the Internet would typically
> perform a DNS query at least every minute, incoming access to port 1026
> would always be granted.