Go version

go version go1.22.2 linux/amd64

Output of go env in your module/workspace:

What did you do?
Our security team got an alert that said there was suspicious activity to an IP of a known botnet. The traffic itself was UDP traffic to port 9 of an IP. This was a false positive, as the IP address had been red-flagged, but something puzzled us. Why did we send traffic on UDP port 9? It seemed like maybe there was something untoward happening and this required an investigation. A Google search of UDP port 9 traffic revealed nothing, and there was no good reason for it. The two possibilities were the Discard protocol, documented in a 1-page RFC from 1983 that predates my birth, or potentially Wake-on-LAN.
What did you see happen?
It was hard to reproduce this issue, and searches of the code and binary were not fruitful (it's hard to just search for a 9 and find anything). Maybe a day later, after a bunch of stracing and stuff, we found our answer: https://github.com/golang/go/blob/master/src/net/addrselect.go#L45
The tl;dr is that there was no traffic (which is why network dumps didn't find it). Instead the security team's tool was monitoring system calls, and it noticed a connect() system call on UDP port 9. It seemed odd, but the reason for it is just to test resolvability, which I understand.
You can kind of see an example of this in #60712 with this strace.
What did you expect to see?
Anyway this isn't really a bug, but it didn't seem like a Language Enhancement or Notable Change either.
I'm going to propose that, since the code mentions that the destination port number is irrelevant, we change the port to 53 and not 9. I understand the need and point of the code, and recognize that this is maybe a very weird edge case.
This might not be a real problem others will face, and it also isn't a perfect solution. The system calls are still kind of weird (why are you trying to connect to a machine on port 53 before connecting?), but the benefit it has is that at the very least it points to the system call being related to DNS, as opposed to the Discard protocol, which is suspicious to me.
That would likely have made me look in Go's DNS code much more quickly.
Anyway thank you for your time.
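The following is an added example, not code from the Go project or from the issue author, that reproduces the behaviour the report describes: a UDP "dial" in Go performs a connect() system call so the kernel resolves the route and picks a source address, but no datagram is sent until something is written. A syscall-monitoring tool therefore sees the connect() while a packet capture sees nothing. The listener, its ephemeral port (standing in for the port 9 that addrselect.go uses) and the 200 ms drain window are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// ProbeResult records what a UDP connect() does and does not do.
type ProbeResult struct {
	SourceIP      net.IP // source address the kernel chose for the destination
	PacketsBefore int    // datagrams the listener saw after connect() alone
	PacketsAfter  int    // datagrams the listener saw after an explicit Write
}

// countDatagrams drains the listener for `wait` and returns how many
// datagrams actually arrived on the wire during that window.
func countDatagrams(l *net.UDPConn, wait time.Duration) int {
	buf := make([]byte, 64)
	n := 0
	deadline := time.Now().Add(wait)
	for {
		l.SetReadDeadline(deadline)
		if _, _, err := l.ReadFromUDP(buf); err != nil {
			return n // deadline reached: nothing more is coming
		}
		n++
	}
}

// ProbeRoute mimics the pattern in addrselect.go: dial UDP to the destination
// purely to let the kernel select a route and source address. The destination
// here is a constructed loopback listener so we can observe whether any
// datagram is delivered; Go's real code uses port 9 and never writes.
func ProbeRoute() (ProbeResult, error) {
	var res ProbeResult

	// Constructed stand-in for the "suspicious" remote address.
	listener, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
	if err != nil {
		return res, err
	}
	defer listener.Close()
	dst := listener.LocalAddr().(*net.UDPAddr)

	// This is the connect() a syscall monitor reports. Nothing is transmitted.
	conn, err := net.DialUDP("udp4", nil, dst)
	if err != nil {
		return res, err
	}
	defer conn.Close()

	res.SourceIP = conn.LocalAddr().(*net.UDPAddr).IP
	res.PacketsBefore = countDatagrams(listener, 200*time.Millisecond)

	// Only an explicit write produces traffic that a capture would show.
	if _, err := conn.Write([]byte("probe")); err != nil {
		return res, err
	}
	res.PacketsAfter = countDatagrams(listener, 200*time.Millisecond)
	return res, nil
}

func main() {
	res, err := ProbeRoute()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Printf("source address chosen by kernel: %s\n", res.SourceIP)
	fmt.Printf("datagrams after connect() only: %d\n", res.PacketsBefore)
	fmt.Printf("datagrams after Write():        %d\n", res.PacketsAfter)
}
```

Running it prints a source address of 127.0.0.1, zero datagrams after the dial and one after the write. For a detection engineer the takeaway is that a connect() on a UDP socket is a routing-table lookup, not evidence of communication; an alert should be raised on sendto()/write() or on observed packets, not on the connect() alone.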