DNS behind a firewall

Kevin Darcy kcd at daimlerchrysler.com
Wed Mar 22 20:20:43 UTC 2000

"Sanchez-Ayra, José" wrote:

> Hi all,
> I've heard that BIND-8 uses a random port, not the fixed port-53, to querie
> others name-serves. Is it correct?
> If it's correct, I have my DNS in a DMZ behind a firewall, so have I to
> accept "any" port from/to my DNS? This is a security hole to my DNS because
> anybody could make a telnet, ftp ... connection.

It binds to a random *unprivileged* port, and only for outgoing queries, so
you should be able to prevent incoming telnet, FTP, etc. connections either by
port range or the settings of the SYN/ACK bits, or both. If that isn't enough,
you can always use the "query-source" option, but according to the
documentation, that only applies to UDP queries.

- Kevin

More information about the bind-users mailing list