Source port 69

Date: 09/27/01

Message-ID: <>
Subject: Source port 69
Date: Thu, 27 Sep 2001 10:54:45 -0500

Last week, during the Nimda scare, I blocked outbound UDP port 69 (TFTP) on
my edge routers since Nimda used TFTP to download part of the virus.

I didn't see any activity for a little while, but this week I have seen
several outbound packets getting blocked that were going back to UDP port

Here is an example log from an ACL for outbound traffic:
denied udp 12.32.90.x(53) ->, 1 packet

All the occurrences with this has been with my DNS servers. So, it looks
like somebody tried to query my DNS server with a source port of 69, so that
I would respond back at UDP port 69. If I were to have allowed this traffic
to go back out, then somebody could assume that I'm allowing TFTP out to the
internet. It looks like somebody may be scanning DNS servers to see if they
allow TFTP and compiling a list of those that allow it.

Has anybody seen this before? I read a couple things about DNS to try to
determine if it's ok for clients to source a DNS query at port 69, and I
think I've come to the conclusion that DNS queries from clients should NOT
come from port 69. Can anybody clarify this?

Scott Hewitt
WEB/WAN Administrator
CDW Computer Centers, Inc.