[lug] using tcpdump to emulate effects of packet dump

D. Stimits stimits at comcast.net
Fri Jul 18 16:22:21 MDT 2003


Jeffrey Siegal wrote:

> D. Stimits wrote:
>
> > The linux side does not *always* break when port 1026 is blocked, but
> > due to the way ports are used for DNS, sometimes name servers *do* use
> > that port...it is a response to what the requesting box says is an
> > open port when under linux. If by random chance a dns request has 1026
> > open as the first udp port above 1023, then dns will hang.
>
>
> You can get your linux box to always use port 53 for DNS requests if
> you want by running a caching nameserver locally and configuring it to
> make requests on port 53.

Port 53 is only one half of the communications...it is the *other* 
port...the reply...that sometimes hits port 1026. A caching nameserver 
will not put these extortionists out of business, I need something 
simple that runs directly on windows. Unless it is a request/reply 
system that uses a known service port during both request and reply, I 
can't guarantee what port the kernel will say is open...dhcp is one 
example of a dual request-and-reply by named port (67 and 68 are always 
the port pairs there). DNS is only one example, because I have actually 
dumped packets from it while sniffing for popups. I tried blocking 1026 
for a while, and ended up hanging DNS on occasion.

>
> >> The purpose of the caching server is to allow DNS to work without having
> >> the Windows boxes doing the queries themselves.  They query the caching
> >> server, the caching server does the queries.  The filter *does* allow
> >> UDP to go to the caching server, which is safe because you're running a
> >> secure operating system (and DNS server) there, not Windows.  Or
> >> you can configure it to do its outgoing DNS requests on port 53, and
> >> block the rest.  Either way.
> >
> > Doesn't it require an IP address?
>
> I think you could do something with header rewriting that wouldn't
> require an IP address; at least not a public one.
>
Remember, I want to write an app that fixes the broken windows behavior, 
not a crutch that requires a second machine. Most people would rather 
pay the extortion fee of byebyeads.com, rather than buy a second machine 
and learn how to set up a caching proxy.

D. Stimits, stimits AT comcast DOT net
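The point Stimits makes above (a DNS query sent from ephemeral port 1026 gets its reply delivered to port 1026, so a blanket inbound block on that port occasionally hangs name resolution, while a reply-aware filter would not) can be shown in a small simulation. The following is an added example, not code from the thread or from any of the tools it mentions; the addresses are constructed from documentation ranges, the packets are built in memory, and nothing touches a real socket. It contrasts the crude "drop everything inbound to UDP 1026" rule with a filter that only admits an inbound datagram if it mirrors a DNS query this host actually sent:

```python
"""Why a blanket block of inbound UDP 1026 sometimes hangs DNS, and why a
reply-tracking filter does not.  Constructed packets only, no real network."""
from dataclasses import dataclass

DNS_PORT = 53
MESSENGER_PORT = 1026        # UDP port hit by the Messenger popup spam in the thread
LOCAL_IP = "192.0.2.10"      # constructed: the host being protected
RESOLVER_IP = "192.0.2.53"   # constructed: upstream nameserver
SPAMMER_IP = "203.0.113.7"   # constructed: popup-spam source


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the datagram arrives from the network


def naive_block_1026(pkt: UdpPacket) -> bool:
    """The crude rule discussed above: drop anything inbound to UDP 1026."""
    return not (pkt.inbound and pkt.dst_port == MESSENGER_PORT)


class ReplyTrackingFilter:
    """Admit inbound UDP only when it answers a DNS query this host sent.

    Each outbound query to port 53 is recorded by its 4-tuple.  An inbound
    datagram is accepted only if it is the mirror image of a recorded query,
    and that record is consumed so a second 'reply' is refused.  Unsolicited
    inbound traffic, Messenger popups included, is dropped on every port.
    """

    def __init__(self) -> None:
        self._pending: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: UdpPacket) -> bool:
        if not pkt.inbound:
            if pkt.dst_port == DNS_PORT:
                self._pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        mirror = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if mirror in self._pending:
            self._pending.discard(mirror)
            return True
        return False


def dns_exchange(query_port: int) -> tuple[UdpPacket, UdpPacket]:
    """The two halves of a lookup: our query from query_port, the server's reply to it."""
    query = UdpPacket(LOCAL_IP, query_port, RESOLVER_IP, DNS_PORT, inbound=False)
    reply = UdpPacket(RESOLVER_IP, DNS_PORT, LOCAL_IP, query_port, inbound=True)
    return query, reply


def popup_spam() -> UdpPacket:
    """An unsolicited datagram aimed at UDP 1026 (source port is constructed)."""
    return UdpPacket(SPAMMER_IP, 4444, LOCAL_IP, MESSENGER_PORT, inbound=True)


def naive_outcome(query_port: int) -> dict[str, bool]:
    """Does DNS survive, and is the popup stopped, under the blanket block?"""
    query, reply = dns_exchange(query_port)
    naive_block_1026(query)  # outbound always passes
    return {"dns_reply_passes": naive_block_1026(reply),
            "popup_blocked": not naive_block_1026(popup_spam())}


def stateful_outcome(query_port: int) -> dict[str, bool]:
    """Same two questions under the reply-tracking filter."""
    flt = ReplyTrackingFilter()
    query, reply = dns_exchange(query_port)
    flt.allow(query)
    return {"dns_reply_passes": flt.allow(reply),
            "popup_blocked": not flt.allow(popup_spam())}


if __name__ == "__main__":
    for port in (1025, 1026):
        print(port, "naive:", naive_outcome(port), "stateful:", stateful_outcome(port))
```

With the query sent from 1025 both filters behave the same; with the query sent from 1026 the blanket rule drops the legitimate reply (the hang described above) while the reply-tracking filter passes it and still refuses the popup. A real implementation would also expire pending entries after a short timeout and match the DNS transaction ID, which this in-memory model leaves out.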



