Possible System Compromise

Daniel Roesen droesen at entire-systems.com
Sat Feb 10 13:02:44 UTC 2001


On Wed, Feb 07, 2001 at 03:02:06PM +0000, Jim Reid wrote:
> In the old days of BIND4, the server sent its queries from port 53 and
> some people encoded that in their firewall and router access filters.
> Maybe you're being bitten by that legacy behaviour? BTW the
> query-source clause can be used in current versions of BIND to set
> the source port number on outgoing queries.

Attention! Setting query-source port to a fixed port below 1024 is
incompatible with named's -u option to run BIND in a non-privileged
user context. TCP queries will fail if you tighten your firewall
filters to a fixed port 53 then.

What happens is that if a UDP query fails, TCP gets used. The BIND
running in a non-root context is not allowed to bind its TCP source
socket for the query to port 53 and retries with a dynamic high port.
Guess what happens with the TCP connection attempt at your firewall.

So... if one is using BIND as a caching resolver and running non-root,
query-source to a fixed low (privileged) port does not work.

Yes, I got bitten by that.


Best regards,
Daniel

-- 
----------------------------------------------------------------------
entire systems GmbH         | droesen at entire-systems.com
Internet Services           | Phone: +49 2624 9550-55 
Ferbachstrasse 12           | Fax:   +49 2624 9550-20
D-56203 Hoehr-Grenzhausen   | http://www.entire-systems.com/
----------------------------------------------------------------------
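The failure mode Daniel describes, as an added example (this is editorial illustration, not BIND code or anything from the thread): a small Python model of a resolver started as root with `query-source ... port 53`, dropping privileges via `-u`, sitting behind a packet filter that only admits DNS traffic on local port 53. The port-picking rule, the constant ephemeral port 49152, and the two filter functions are simplifying assumptions; `real_tcp_bind_with_fallback` additionally performs the actual bind-then-fall-back sequence on the local host so you can see what the kernel does for the user you run it as.

```python
"""Toy model of the post's scenario: named started as root with
`query-source ... port 53`, then dropping privileges with -u, behind a
packet filter that only passes DNS traffic on local port 53.
Added illustration, not BIND code; the port-picking rule and the
constant ephemeral port are assumptions made for the example."""
import socket

PRIV_PORT_LIMIT = 1024     # ports below this need root on a Unix host
ASSUMED_EPHEMERAL = 49152  # stand-in for a kernel-chosen high port


def bind_port(requested, privileged, ephemeral=ASSUMED_EPHEMERAL):
    """Port a socket ends up bound to: the requested one if this process
    may use it, otherwise the dynamic high port the post describes.
    requested == 0 models `query-source ... port *`."""
    if 0 < requested < PRIV_PORT_LIMIT and not privileged:
        return ephemeral
    return requested if requested else ephemeral


def stateless_filter_allows(local_port, fixed_port=53):
    """Legacy filter rule: pass DNS packets only on local port fixed_port."""
    return local_port == fixed_port


def stateful_filter_allows(local_port, outbound_ports):
    """Stateful filter: pass a reply if a query left from that port."""
    return local_port in outbound_ports


def outgoing_query(query_source_port, run_as_user, udp_failed):
    """Return (transport, source_port, passes_stateless_filter) for one
    outgoing query. Model: the UDP query socket is opened at startup while
    still root; the TCP socket is opened per query, after -u has dropped
    privileges, which is exactly where the bind to 53 is refused."""
    if not udp_failed:
        port = bind_port(query_source_port, privileged=True)
        return "udp", port, stateless_filter_allows(port)
    port = bind_port(query_source_port, privileged=not run_as_user)
    return "tcp", port, stateless_filter_allows(port)


def real_tcp_bind_with_fallback(requested=53):
    """Do on this host what the post says named does: try to bind a TCP
    socket to `requested`; if the kernel refuses (EACCES as a non-root
    user, or port busy), retry with port 0 and let it pick a high port.
    Returns the port actually bound."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        try:
            s.bind(("127.0.0.1", requested))
        except OSError:
            s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
    finally:
        s.close()


if __name__ == "__main__":
    # Daniel's setup: fixed port 53, -u, UDP answer failed so TCP is used.
    print(outgoing_query(53, run_as_user=True, udp_failed=True))   # ('tcp', 49152, False)
    # Same config without -u: the TCP bind to 53 is permitted.
    print(outgoing_query(53, run_as_user=False, udp_failed=True))  # ('tcp', 53, True)
    # Non-root with `port *` and a filter that tracks outbound connections.
    _, sport, _ = outgoing_query(0, run_as_user=True, udp_failed=True)
    print(stateful_filter_allows(sport, {sport}))                  # True
    print("locally bound TCP port:", real_tcp_bind_with_fallback(53))
```

The model makes the two workable combinations visible: keep the fixed low source port and forgo `-u`, or run non-root with `query-source ... port *` and a filter that permits replies to whatever source port the resolver actually used (a stateful rule, or at minimum one that allows TCP 53 replies to high local ports).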

