Possible System Compromise
Mark.Andrews at nominum.com
Mon Feb 12 01:21:46 UTC 2001
>
> On Wed, Feb 07, 2001 at 03:02:06PM +0000, Jim Reid wrote:
> > In the old days of BIND4, the server sent its queries from port 53 and
> > some people encoded that in their firewall and router access filters.
> > Maybe you're being bitten by that legacy behaviour? BTW the
> > query-source clause can be used in current versions of BIND to set
> > the source port number on outgoing queries.
>
> Attention! Setting query-source port to a fixed port below 1024 is
> incompatible with named's -u option to run BIND in a non-privileged
> user context. TCP queries will fail if you tighten your firewall
> filters to a fixed port 53 then.
>
> What happens is that if a UDP query fails, TCP gets used. The BIND
> running in a non-root context is not allowed to bind its TCP source
> socket for the query to port 53 and retries with a dynamic high port.
> Guess what happens with the TCP connection attempt at your firewall.
>
> So... if one is using BIND as a caching resolver and running non-root,
> query-source to a fixed low (privileged) port does not work.
>
> Yes, I got bitten by that.
>
>
> Best regards,
> Daniel
>
> --
> ----------------------------------------------------------------------
> entire systems GmbH | droesen at entire-systems.com
> Internet Services | Phone: +49 2624 9550-55
> Ferbachstrasse 12 | Fax: +49 2624 9550-20
> D-56203 Hoehr-Grenzhausen | http://www.entire-systems.com/
> ----------------------------------------------------------------------
>
Index: src/bin/named/ns_main.c
===================================================================
RCS file: /proj/cvs/isc/bind8/src/bin/named/ns_main.c,v
retrieving revision 8.142
retrieving revision 8.143
diff -u -r8.142 -r8.143
--- ns_main.c 2001/01/15 20:06:25 8.142
+++ ns_main.c 2001/02/02 03:57:06 8.143
@@ -751,6 +751,7 @@
int
tcp_send(struct qinfo *qp) {
struct qstream *sp;
+ struct sockaddr_in src;
int on = 1, n;
ns_debug(ns_log_default, 1, "tcp_send");
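Review bot: the new `src` local is a full struct copy of `server_options->query_source` made further down in tcp_send(); a one-line comment at the declaration saying it exists so the TCP path can clear the port without modifying the configured query-source address would make the intent obvious to the next reader.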
@@ -777,8 +778,9 @@
"tcp_send: setsockopt(SO_REUSEPORT): %s",
strerror(errno));
#endif
- if (bind(sp->s_rfd, (struct sockaddr *)&server_options->query_source,
- sizeof server_options->query_source) < 0)
+ src = server_options->query_source;
+ src.sin_port = htons(0);
+ if (bind(sp->s_rfd, (struct sockaddr *)&src, sizeof(src)) < 0)
ns_info(ns_log_default, "tcp_send: bind(query_source): %s",
strerror(errno));
if (fcntl(sp->s_rfd, F_SETFD, 1) < 0) {
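Review bot: with `src.sin_port = htons(0)` the configured query-source port is ignored for every TCP query, which removes the failure Daniel reports (TCP queries failing under `-u` when query-source pins a port below 1024) but also means firewall rules that matched TCP queries on that fixed source port will stop matching; this deserves a sentence in the query-source documentation and a debug-level log line so operators can see why TCP queries now leave from an ephemeral port. The existing `ns_info` on bind() failure still only logs and carries on, so a failed bind still results in a connect from whatever port the kernel assigns, which after this change is the normal case anyway.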
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
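To see the failure mode Daniel describes and what the 8.143 change does about it, here is an added example that is not BIND code and not part of the thread: it binds a TCP socket to a fixed source port and, separately, to port 0, and returns the port the kernel actually assigned. The query-source address is assumed to be the wildcard (INADDR_ANY), and the hypothetical function name bind_tcp_source is mine.

```c
/* Added example, not BIND code. bind_tcp_source() opens a TCP socket and
 * tries to bind it to the given source port. Port 0 means "let the kernel
 * pick an ephemeral port", which is what the 8.143 patch does for TCP
 * queries. Returns the port actually bound, or -errno if bind() failed
 * (e.g. -EACCES when asking for port 53 as a non-root user). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int bind_tcp_source(unsigned short port) {
    struct sockaddr_in src;
    socklen_t len = sizeof(src);
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -errno;
    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET;
    src.sin_addr.s_addr = htonl(INADDR_ANY); /* assumed: query-source address * */
    src.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&src, sizeof(src)) < 0) {
        int err = errno;
        close(s);
        return -err;
    }
    /* With port 0 the kernel chose the port; read back what it assigned. */
    if (getsockname(s, (struct sockaddr *)&src, &len) < 0) {
        int err = errno;
        close(s);
        return -err;
    }
    close(s);
    return ntohs(src.sin_port);
}

int main(void) {
    int fixed = bind_tcp_source(53);   /* the old behaviour: fixed low port */
    int dynamic = bind_tcp_source(0);  /* the patched behaviour */
    if (fixed < 0)
        printf("port 53: bind failed: %s (expected when not root)\n", strerror(-fixed));
    else
        printf("port 53: bound (process is privileged)\n");
    printf("port 0: kernel assigned port %d\n", dynamic);
    return 0;
}
```

Run it once as root and once under an unprivileged user to see the two outcomes the thread contrasts; a firewall rule that only passes TCP from source port 53 will never match the second case.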