Re: DNS queries using source port 32768
- From: Jack Neely <jjneely ncsu edu>
- To: Discussion of Development and Customization of the Red Hat Linux Installer <anaconda-devel-list redhat com>
- Subject: Re: DNS queries using source port 32768
- Date: Mon, 5 Feb 2007 16:59:11 -0500
On Thu, Feb 01, 2007 at 02:05:23PM -0500, David Cantrell wrote:
> On Thu, 2007-02-01 at 13:32 -0500, Jack Neely wrote:
> > I've had some problems installing RHEL on a specific VLAN at work. The
> > problem is that the loader does DNS requests but the router was dropping
> > the DNS replies therefore the loader couldn't resolve its IP and the URL
> > where the kickstart lived.
> >
> > Turns out that UDP packets heading toward the servers on this VLAN with
> > destination port of 32768 are dropped by an ACL put in place to meet
> > some security requirements of an outsourced credit card charging
> > company. The security policy states some concerns that this is a port
> > that Solaris commonly uses for the NFS statd RPC server.
> >
> > The security folks here expressed concern that the loader wasn't
> > randomizing the DNS port as normal resolvers do. I know the environment
> > for the loader is pretty restrictive. Is it possible to choose a more
> > random port and/or increment the port used if DNS queries are failing?
>
> Possible. Our DNS lookup code (isys/dns.c) is pretty simple because we
> can't use glibc's libresolv stuff because of NSS (can't offer DSOs in
> the loader environment).
>
> File a bug so we have some way to track this feature.
>
> --
> David Cantrell <dcantrell redhat com>
> Red Hat / Westford, MA
Thanks David. I've filed #227432 for this. My security folks started
waving their hands about this. I've been trying to convince them that
the loader is a very small environment that is used for one thing....
Jack
--
Jack Neely <jjneely ncsu edu>
Campus Linux Services Project Lead
Information Technology Division, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89
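
Added example, not part of the original message and not anaconda's isys/dns.c: one way a minimal resolver can bind its UDP query socket to a randomized source port and skip a port known to be filtered on the path. The helper name `open_dns_socket`, the port range and the retry count are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT_MIN   1024u   /* stay out of the privileged range */
#define PORT_MAX   65535u
#define BIND_TRIES 16      /* assumed retry budget */

/* Unbiased port in [PORT_MIN, PORT_MAX] from /dev/urandom; 0 on error. */
static unsigned short random_port(void)
{
    const unsigned span = PORT_MAX - PORT_MIN + 1;
    unsigned short r = 0;
    int ok, fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return 0;
    do {    /* rejection sampling: redraw until the value falls inside the span */
        ok = read(fd, &r, sizeof r) == (ssize_t)sizeof r;
    } while (ok && r >= span);
    close(fd);
    return ok ? (unsigned short)(PORT_MIN + r) : 0;
}

/* Hypothetical helper: returns a bound UDP socket or -1; *chosen gets the port.
 * avoid is a source port known to be filtered on the path (32768 here). */
int open_dns_socket(unsigned short avoid, unsigned short *chosen)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    for (int i = 0; i < BIND_TRIES; i++) {
        unsigned short port = random_port();
        if (port == 0 || port == avoid)
            continue;
        /* sin_addr is left zeroed, i.e. INADDR_ANY */
        struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            *chosen = port;
            return fd;
        }
        if (errno != EADDRINUSE)
            break;          /* unexpected error: stop retrying */
    }
    close(fd);
    return -1;
}
```

Opening a fresh socket per query, rather than reusing one for the whole session, gives each lookup its own source port.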