Re: Testing F5 3DNS

From: John Swope (johns@akorn.net)
Date: Mon Aug 09 2004 - 21:38:02 EDT


The source port will increment with each subsequent query. It will not
remain 1026. Most systems run through source ports of 1025 to 5000 then
recycle.

At 12:35 PM 08/06/04, Jay Beale wrote:

>This is a slight tangent, but one worth noting on this mailing list.
>
>While the filter could be stateless, it could also be stateful but simply
>be horrible with respect to DNS. Microsoft's Internet Connection
>Firewall, for instance, will open its resolver's port to all IP addresses
>whenever it has sent out a request to its DNS server in the last 60
>seconds. There's a great Phrack article on this, quoted below.
>
> - Jay
>
>
> From Phrack: (http://www.phrack.org/phrack/62/p62-0x03_Linenoise.txt)
>
>It can be seen that when the Windows XP computer sent a UDP packet from
>port 1026 to port 53 of the DNS server, the firewall allowed all incoming
>UDP traffic to port 1026, regardless of the source IP address or source
>port of the incoming traffic. Such incoming traffic was allowed to
>continue until the firewall decided to block access to port 1026, which
>occurred when there was no incoming traffic to port 1026 for a defined
>period of time. This timeframe was between 61 seconds and 120 seconds, as
>it appeared that the firewall checked once per minute to determine if
>access to ports should be revoked due to more than 60 seconds of
>inactivity. Assuming that users connected to the Internet would typically
>perform a DNS query at least every minute, incoming access to port 1026
>would always be granted.
>
>

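To make the two points in this thread concrete, here is an added Python model (written for this archive page, not code from the original posters, from Phrack, or from Microsoft) of the behaviour described above: an ephemeral source port allocator that walks 1025 to 5000 and recycles, and an ICF-style UDP filter that opens the whole local port to any sender for a minute-granular idle window, beside a per-flow filter that only admits the queried server. The DNS server and attacker addresses, the timestamps, and the exact sweep logic are assumptions chosen to match the quoted description, not captured data.

```python
"""Constructed model of the DNS hole in Microsoft's Internet Connection
Firewall (ICF) as described in the Phrack 62 Linenoise quote, beside a
per-flow stateful filter. Timings, addresses and the 60 s/once-a-minute
sweep are assumptions taken from the quoted description, not captured data."""

from dataclasses import dataclass, field

PORT_LOW, PORT_HIGH = 1025, 5000   # ephemeral range mentioned in the reply above
IDLE_LIMIT = 60                    # seconds of inactivity before the hole is revoked
SWEEP_INTERVAL = 60                # ICF was observed to check roughly once a minute


class SourcePortAllocator:
    """Source port increments with each query and recycles at the top of the range."""

    def __init__(self, start=PORT_LOW):
        self.next_port = start

    def take(self):
        port = self.next_port
        self.next_port = PORT_LOW if port == PORT_HIGH else port + 1
        return port


def allocate(n, start=PORT_LOW):
    alloc = SourcePortAllocator(start)
    return [alloc.take() for _ in range(n)]


@dataclass
class UdpStateTable:
    """Shared bookkeeping: entries expire at a minute sweep once idle > IDLE_LIMIT."""
    last_seen: dict = field(default_factory=dict)
    last_sweep: int = 0

    def _sweep(self, now):
        # Run every sweep boundary we have passed, in order, so expiry does not
        # depend on a packet happening to arrive exactly on the minute.
        while self.last_sweep + SWEEP_INTERVAL <= now:
            self.last_sweep += SWEEP_INTERVAL
            for key, t in list(self.last_seen.items()):
                if self.last_sweep - t > IDLE_LIMIT:
                    del self.last_seen[key]

    def is_open(self, local_port, now):
        self._sweep(now)
        return any(self._local_port(k) == local_port for k in self.last_seen)


class LoosePortFilter(UdpStateTable):
    """ICF-style: an outbound UDP packet opens the local port to ANY source."""

    def _local_port(self, key):
        return key

    def outbound(self, local_port, remote_ip, remote_port, now):
        self._sweep(now)
        self.last_seen[local_port] = now

    def inbound(self, local_port, remote_ip, remote_port, now):
        self._sweep(now)
        if local_port in self.last_seen:
            self.last_seen[local_port] = now   # any sender keeps the hole alive
            return True
        return False


class StrictFlowFilter(UdpStateTable):
    """Per-flow: only the (local port, server IP, server port) we queried may answer."""

    def _local_port(self, key):
        return key[0]

    def outbound(self, local_port, remote_ip, remote_port, now):
        self._sweep(now)
        self.last_seen[(local_port, remote_ip, remote_port)] = now

    def inbound(self, local_port, remote_ip, remote_port, now):
        self._sweep(now)
        key = (local_port, remote_ip, remote_port)
        if key in self.last_seen:
            self.last_seen[key] = now          # only the real server refreshes
            return True
        return False


def simulate(flt):
    """One query to the DNS server at t=0, a reply at t=1, then attacker probes."""
    server, attacker = "10.0.0.53", "198.51.100.7"   # constructed addresses
    local = SourcePortAllocator(1026).take()           # 1026, as in the Phrack capture
    flt.outbound(local, server, 53, now=0)
    reply_ok = flt.inbound(local, server, 53, now=1)
    probes = [flt.inbound(local, attacker, 40000, now=t) for t in (30, 60, 90)]
    return {
        "server_reply_allowed": reply_ok,
        "attacker_allowed": probes,
        "open_at_150": flt.is_open(local, 150),   # 60 s after the attacker stops
        "open_at_180": flt.is_open(local, 180),   # next minute sweep, 90 s idle
    }


if __name__ == "__main__":
    print("loose :", simulate(LoosePortFilter()))
    print("strict:", simulate(StrictFlowFilter()))
    print("ports :", allocate(3), "... wraps to", allocate(3977)[-1])
```

In the loose model the attacker's own probes refresh the idle timer, so the port never closes while the probing continues, and once it stops the hole survives until the next minute sweep that finds more than 60 seconds of inactivity (here 90 seconds after the last packet, inside the 61 to 120 second window the Phrack authors measured). The strict model admits the server's reply and nothing else, and the allocator shows why a tester cannot rely on port 1026 staying put: each query moves the source port up one, and after 3976 queries it wraps back to 1025.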


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT