I recently implemented more stringent firewall rules, one of which only accepts DNS UDP packets with source ports 1024:65535 and destination port 53. Most of the examples use this source port limitation.
The logs have been mostly clean save for these intermittent packets from IPs that resolve to seth.ns.cloudflare.com.
So my question, dear gurus: why is this name server using ports lower than 1024? Do you think I should adapt my rules and remove the source-port stipulation?
Many thanks for your time!
Follow-up: blocked 6 IPs of that group pointing to ripe.net and www.58wgw.com. Here's a 10-second tcpdump of port 53
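As an added example (not part of the original post), here is a small Python script that parses `tcpdump -n` address lines and applies the poster's rule (destination port 53, source port in 1024:65535) side by side with the variant that drops the source-port condition, so you can see exactly which packets each version accepts. The capture lines, hostnames and addresses are constructed for illustration (documentation ranges, not the Cloudflare IPs from the post), and the rule functions are a model of the described filter, not an actual iptables/nftables ruleset.

```python
import re
from dataclasses import dataclass

# Matches the address part of a "tcpdump -n" line for IPv4 traffic, e.g.
#   "12:00:01.000001 IP 203.0.113.7.1011 > 192.0.2.10.53: 4712+ A? example.com. (29)"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def parse_tcpdump(lines):
    """Extract (src, sport, dst, dport) from each tcpdump line that has one."""
    pkts = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def strict_rule(p):
    """Model of the poster's rule: dport 53 AND sport within 1024:65535."""
    return p.dport == 53 and 1024 <= p.sport <= 65535


def relaxed_rule(p):
    """Same rule with the source-port stipulation removed: dport 53 only."""
    return p.dport == 53


def evaluate(lines, rule):
    """Split parsed packets into (accepted, dropped) under the given rule."""
    accepted, dropped = [], []
    for p in parse_tcpdump(lines):
        (accepted if rule(p) else dropped).append(p)
    return accepted, dropped


# Constructed sample capture (hypothetical, not the poster's actual tcpdump):
# three DNS queries to the local resolver with different source ports,
# plus one unrelated UDP packet to port 123.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.7.41234 > 192.0.2.10.53: 4711+ A? example.com. (29)",
    "12:00:01.000002 IP 203.0.113.7.1011 > 192.0.2.10.53: 4712+ A? example.com. (29)",
    "12:00:01.000003 IP 203.0.113.7.53 > 192.0.2.10.53: 4713+ A? example.com. (29)",
    "12:00:01.000004 IP 203.0.113.7.41235 > 192.0.2.10.123: NTPv4, Client, length 48",
]


if __name__ == "__main__":
    for name, rule in (("strict", strict_rule), ("relaxed", relaxed_rule)):
        accepted, dropped = evaluate(SAMPLE_CAPTURE, rule)
        print(f"{name}: accepted sports {[p.sport for p in accepted]}, "
              f"dropped sports {[p.sport for p in dropped]}")
```

Running it shows the strict rule silently dropping the two queries whose source port is below 1024 (1011 and 53), which is the kind of packet the post's logs are showing, while the relaxed rule still rejects anything that is not addressed to port 53. Feeding your own `tcpdump -n udp port 53` output into `evaluate()` is a quick way to count how much traffic the source-port condition is actually removing before deciding whether to keep it.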