master bind 8 <-> slave bind 4

Jim Reid jim at rfc1035.com
Fri Dec 22 16:46:46 UTC 2000


>>>>> "Jeffrey" == Jeffrey C Albro <jeff at velvet.antistatic.com> writes:

    >> No. By default BIND8 and BIND9 use a random, non-privileged
    >> port when they make queries. BIND4 servers always used port 53
    >> for that. The query-source clause above will make a BIND[89]
    >> server behave like a BIND4 server when it sends queries.

    Jeffrey> Actually, I find it is NOT that random, usually
    Jeffrey> 1025-1028.  I wonder if that predictability could cause
    Jeffrey> security problems?

It's normally the OS, not BIND that selects the port number for these
outgoing queries. The name server usually lets the kernel determine
the port number for that socket. So any predictability in the choice
of port number can probably be blamed on your kernel's TCP/IP
stack. FWIW, I run BSD/OS and one of my servers is currently using
port 57589 for its outbound queries. The port number that's used seems
to be incremented by one each time the server is reloaded and a new
query socket has to be created. Another OS may do something different.

I doubt if there are any security problems arising from the randomness
or otherwise of that port number. Sometimes there are DNS problems if
people configure their firewalls to only let through DNS traffic where
the source and destination port numbers are both 53: ie the old BIND4
behaviour. This won't work with a default BIND[89] server. Packets
to/from the random non-privileged port get dropped, preventing the
name server from querying servers beyond the firewall.
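An added illustration of the two points above (not part of the original post): the kernel, not the name server, picks the source port of an unbound UDP query socket, and a firewall rule that insists on port 53 at both ends drops the query or its reply. The rule functions are hypothetical models of packet-filter rules, and the loopback socket sends nothing.

```python
"""Added example: ephemeral query ports versus "53 <-> 53 only" firewall rules."""
import socket


def ephemeral_query_port() -> int:
    """Open a UDP socket the way a resolver does, without choosing a port
    (port 0 = let the kernel pick), and return the port the OS assigned.
    Bound to loopback only; no packet is ever sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def bind4_style_rule(src_port: int, dst_port: int) -> bool:
    """Hypothetical BIND4-era filter: pass DNS only when both ports are 53."""
    return src_port == 53 and dst_port == 53


def bind89_style_rule(src_port: int, dst_port: int) -> bool:
    """Hypothetical filter that fits default BIND8/9: queries leave from a
    non-privileged port to 53, replies come back from 53 to that port."""
    outbound_query = dst_port == 53 and src_port >= 1024
    inbound_reply = src_port == 53 and dst_port >= 1024
    return outbound_query or inbound_reply


def lookup_survives(rule, query_src_port: int) -> bool:
    """A lookup only works if the query passes AND the reply passes.
    query_src_port is 53 when named.conf carries
    'query-source address * port 53;', else whatever the kernel chose."""
    query_passes = rule(query_src_port, 53)
    reply_passes = rule(53, query_src_port)
    return query_passes and reply_passes


if __name__ == "__main__":
    port = ephemeral_query_port()
    print(f"kernel-assigned query port: {port}")
    for name, rule in (("BIND4-style", bind4_style_rule),
                       ("BIND8/9-style", bind89_style_rule)):
        print(f"{name}: ephemeral port ->", lookup_survives(rule, port),
              "| query-source port 53 ->", lookup_survives(rule, 53))
```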
