Unbound Server Dynamic Port Hopping

Sheikh Muhammed Ayub ivsayub at gmail.com
Mon Jan 27 14:19:52 UTC 2020


I am currently working on an article of smart collaborative distribution in
which I have to implement dynamic port hopping for unbound dns,

It will be highly appreciated if some relevant workaround is provided to
achieve my goal. Article attached for reference below.


“dynamic mode”. The port number could also be allocated to multiple users
for a short period by DNS server when the queries are received. These
temporary port numbers will be recycled for reutilization. Based on the
descrip- tion in RFC 6335 [10], the ports could be divided into three
classes: “the Private or Ephemeral Ports” (from 49152 to 65535, never
assigned), “the Registered Ports” (from 1024 to 49151, assigned by IANA)
and “the Well Known Ports” (from 0 to 1023, assigned by IANA). The last two
kinds of ports (i.e. from 0 to 49151) could be further labeled as
“Reserved”, “Unassigned” and “Assigned”. Consequently, the “dynamic mode”
will be more suitable for the smart collaborative distribution.

A. The algorithm used in end host:
If the user would like to enable the dynamic port hopping, the end host
needs to confirm the new port number was allocated or not. Then, the period
of port validity must be verified. If the new port number is still
available, i.e. all the previous answers are “Yes”, the URL resolving
request could be sent to the new port number of DNS. When the new port
number is not allocated or it is out of date, the port distribution request
should be generated and transmitted to the DNS server auto- matically. The
capacity of supporting dynamic port hopping should be checked. If the DNS
server also enable such feature, a suitable acknowledgement should be
transmitted to the end host. Then, the user can send the URL resolving
request to the new port number of DNS. Both unsupported settings and
unopened port will lead DNS server to initiate or repeat the port
distribution again. If “No” is finally returned in this step, the DNS
lookup can only be sent to the default port number.
If the user refuses to enable the dynamic port hopping, the original port
of DNS is always opened.

B. The algorithm used in DNS server:
Comparing with the main procedures at the end host side, operations of DNS
server are more complex. For simplification, we only introduce the case
that dynamic port hopping is always supported. The traditional port number
53 for TCP and UDP should be listened since the DNS service was launched.
When a dynamic port hopping request is captured, the recent opened port
should be examined. If the port number is still usable, a message with
SUCCESS primitive will be sent to the end host. The relevant notifications
for intrusion detection, firewall and other security equipment must be
executed to ensure the following DNS lookup will not be blocked.
When there is no recent opened port or the target port is expired, the DNS
server need to determine whether a new port number should be issued to the
user. For the “Yes” branch, one or more port numbers from resource pool can
be chosen according to the allocation policy. If there is no available port
number (i.e. all permitted ports are fully occupied), some ports might be
recycled based on allocation time, priority, and other relevant parameters.
If a new port number has been allocated successfully, one message with
SUCCESS primitive should be returned to the user and notifications for
security equipment must be made just like the previous case. For the “No”
branch, the N/A primitive will be returned to the user. The user may also
receive N/A primitive when no port number can be recycled immediately.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200127/85645ddc/attachment.htm>

More information about the Unbound-users mailing list