DNS Port Selection packetbeat

Can I listen to all DNS traffic in Packetbeat without being bound to the port? Windows dynamically selects the port it sends from and needs to listen for traffic.

With nearly all IP communications, including TCP and UDP, the client system will open a random port (the source port) and connect (TCP) or simply send a packet (UDP) to the service (the destination port) to which it wants to connect. Well-known service ports include 80 (HTTP), 443 (HTTPS) or, in the case of DNS, 53. The response is returned to the source port on the client, which the service learned from the IP packet the client sent to it.

Service ports are almost always static, although they can be configured in many applications. For example, Kibana is configured to use TCP port 5601 for HTTP connections instead of TCP port 80. If service ports were not static, the client would have no idea which port to communicate with. Conversely, if source ports were not dynamic, the client would not be able to open more than one connection at a time, as there would be only one port on which to listen for a response.

Specific to your DNS question: the DNS service will listen on port 53. Client requests will arrive with a random source port. The DNS server will respond to the client by sending the response back to the client's source port. Because of the random client source ports, the DNS server will even be able to respond to multiple requests from the same server, and the answers won't get mixed up by the client because each response is returned to the source port that requested it.

You can see below the relationship between client IPs and source ports and the DNS service port, as captured by Packetbeat. This is exactly what you should expect.

Rob
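The source-port behaviour Rob describes, as an added example that is not part of the thread and not Packetbeat code: it builds raw DNS query and response datagrams over a simulated UDP layer, has the client fire several queries before any reply comes back, delivers the replies out of order, and matches each one to its query by the client's ephemeral source port plus the 16-bit transaction ID, the same addressing tuple a sniffer keys on. The zone, the client address 10.0.0.5 and the server address 10.0.0.53 are constructed sample values.

```python
import random
import struct
from dataclasses import dataclass

DNS_PORT = 53
EPHEMERAL_RANGE = (49152, 65535)  # IANA dynamic/private port range


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram: the addressing tuple plus the DNS payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(payload: bytes, off: int) -> tuple[str, int]:
    """Read uncompressed labels at off; return (name, offset after the zero byte)."""
    labels = []
    while payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, name: str) -> bytes:
    """Standard A/IN query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Echo txid and question; answer with one A record using a 0xC00C name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]               # name + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer_ip(payload: bytes) -> tuple[int, str, str]:
    """Return (txid, queried name, answer IP) from a response built above."""
    txid, flags = struct.unpack("!HH", payload[:4])
    if not flags & 0x8000:
        raise ValueError("not a response")
    name, off = decode_name(payload, 12)
    off += 4           # skip qtype, qclass
    off += 2 + 10      # skip name pointer, type, class, ttl, rdlength
    return txid, name, ".".join(str(b) for b in payload[off:off + 4])


class Client:
    """Stub resolver: a fresh ephemeral port per outstanding query, keyed by (port, txid)."""

    def __init__(self, ip: str, server_ip: str, rng: random.Random):
        self.ip, self.server_ip, self.rng = ip, server_ip, rng
        self.pending: dict[tuple[int, int], str] = {}

    def query(self, name: str) -> Datagram:
        in_use = {port for port, _ in self.pending}
        port = self.rng.randint(*EPHEMERAL_RANGE)
        while port in in_use:                    # one socket per in-flight query
            port = self.rng.randint(*EPHEMERAL_RANGE)
        txid = self.rng.randint(0, 0xFFFF)
        self.pending[(port, txid)] = name
        return Datagram(self.ip, port, self.server_ip, DNS_PORT, build_query(txid, name))

    def receive(self, d: Datagram) -> tuple[str, str]:
        """Accept a reply only if it lands on the port/txid of a query we sent."""
        txid, name, ip = parse_answer_ip(d.payload)
        key = (d.dst_port, txid)
        if d.dst_ip != self.ip or d.src_port != DNS_PORT or self.pending.get(key) != name:
            raise ValueError(f"unsolicited response to port {d.dst_port} txid {txid:#06x}")
        del self.pending[key]
        return name, ip


def serve(d: Datagram, zone: dict[str, str]) -> Datagram:
    """Server side: answer from port 53 and swap the tuple so the reply goes back
    to whichever source port the client happened to pick."""
    name, _ = decode_name(d.payload, 12)
    return Datagram(d.dst_ip, DNS_PORT, d.src_ip, d.src_port,
                    build_response(d.payload, zone[name]))


ZONE = {"kibana.example.test": "192.0.2.10", "es.example.test": "192.0.2.20"}  # constructed


def resolve_concurrently(names, seed: int = 7) -> dict[str, str]:
    """Send all queries first, deliver the replies in reverse order, and return
    name -> IP as matched by the client from the (source port, txid) tuple."""
    client = Client("10.0.0.5", "10.0.0.53", random.Random(seed))
    queries = [client.query(n) for n in names]
    replies = [serve(q, ZONE) for q in queries]
    return dict(client.receive(r) for r in reversed(replies))
```

Every query datagram carries destination port 53 and every reply carries source port 53, so a capture filter that matches port 53 on either side of the tuple sees both directions regardless of which ephemeral port Windows chose; the client never has to know the port in advance, it just reads it back from the query it sent.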
