migration from pre bind 8 to v8 or greater.
Ethan
phil46 at pacific.net.sg
Wed Nov 7 03:25:15 UTC 2001
But surely you can't allow opening of a wide range of ports on the
firewall for DNS? Wouldn't that add to the possible security
implications? Also, for packet filtering firewalls I don't think there
are any other alternatives. Just my 2 cents...
Kevin Darcy wrote:
>The use of random unprivileged ports was largely for security reasons. If you
>use port 53 for everything, how can your firewall distinguish outgoing
>queries from potentially malicious attempts to query your internal
>nameservers from the outside? Sure, you can set query restrictions in
>named.conf, but then you're relying on your nameserver to provide Internet
>security measures. Isn't that what you bought the firewall for in the first
>place?
>
>
>- Kevin
>
>Bri- wrote:
>
>>Hi,
>>
>>Just wanted to share what took me a bit to figure out. The line below in
>>named.conf fixed my prob;
>>
>>options { query-source address * port 53; };
>>
>>Why;
>>
>>Because prior to bind8, name queries were sent on port 53. With bind8 or
>>higher, queries are sent out on ports greater than 1023. If you have a
>>firewall, this IZ a problem in that if you keep things nice and tight, you
>>probably don't allow named queries from anything other than port 53.
>>
>>I prefer to reconfig named rather than my firewall. You can instead
>>reconfig your firewall rather than add the option above.
>>
>>Bri-
>>
>
>
>
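The two positions in the thread (Bri's fixed `query-source ... port 53` versus BIND 8's default unprivileged source ports, and what a packet-filtering firewall can and cannot tell apart in each case) can be made concrete with a small model of a stateless inbound filter. This is an added illustration, not code from the thread or from BIND; the nameserver address, the allow-rules and the sample datagrams are all constructed for the example.

```python
"""Model of a stateless packet filter under the two BIND query-source policies
discussed in the thread. Added example, not from the original message;
the addresses, rules and packets below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INTERNAL_NS = "10.0.0.53"          # constructed: the internal nameserver
EPHEMERAL = range(1024, 65536)     # "ports greater than 1023" used by BIND 8+


@dataclass(frozen=True)
class Packet:
    """A UDP datagram arriving from outside, as a stateless filter sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Rule = Tuple[str, Callable[[Packet], bool]]


def inbound_rules_fixed_port() -> List[Rule]:
    """Inbound allow-rules that go with 'query-source address * port 53;'.
    Replies to our queries come back from remote port 53 to our port 53."""
    return [
        ("reply-to-ns-port-53",
         lambda p: p.dst_ip == INTERNAL_NS and p.dst_port == 53 and p.src_port == 53),
    ]


def inbound_rules_ephemeral() -> List[Rule]:
    """Inbound allow-rules for the BIND 8 default (random port above 1023).
    Replies come back from remote port 53 to some unprivileged port of ours,
    so the rule has to open the whole 1024-65535 range."""
    return [
        ("reply-to-ns-ephemeral",
         lambda p: p.dst_ip == INTERNAL_NS and p.dst_port in EPHEMERAL and p.src_port == 53),
    ]


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """First matching allow-rule wins; no match means the default deny."""
    return any(match(pkt) for _, match in rules)


# Constructed traffic samples: 198.51.100.1 plays an outside host.
SAMPLES: Dict[str, Packet] = {
    # a legitimate reply to a query we sent from port 53
    "reply_to_fixed_port": Packet("198.51.100.1", 53, INTERNAL_NS, 53),
    # a legitimate reply to a query we sent from an unprivileged port
    "reply_to_ephemeral": Packet("198.51.100.1", 53, INTERNAL_NS, 34567),
    # an outside query to our nameserver from an ordinary client port
    "outside_query_from_high_port": Packet("198.51.100.1", 40000, INTERNAL_NS, 53),
    # an outside query whose source port happens to be 53 (Kevin's point:
    # a stateless filter cannot tell this apart from a reply)
    "outside_query_from_port_53": Packet("198.51.100.1", 53, INTERNAL_NS, 53),
    # something unrelated to DNS aimed at a high port (Ethan's point:
    # the ephemeral policy opens a wide range of ports)
    "unrelated_from_port_53": Packet("198.51.100.1", 53, INTERNAL_NS, 8080),
}


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Verdict of each policy for each sample packet."""
    fixed, eph = inbound_rules_fixed_port(), inbound_rules_ephemeral()
    return {name: {"fixed_port_53": allowed(fixed, p), "ephemeral": allowed(eph, p)}
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:30s} fixed_port_53={verdict['fixed_port_53']!s:5s} "
              f"ephemeral={verdict['ephemeral']}")
```

Running it shows both objections at once: with a fixed source port of 53 the filter passes an outside query that arrives from source port 53 exactly as it passes a reply, and with unprivileged source ports the filter has to admit any datagram from remote port 53 to any port above 1023, not just DNS replies. The model is a stateless filter, the kind Ethan's remark refers to; a stateful filter that remembers the outgoing query and admits only the matching reply avoids both problems, but that is outside what the thread discusses.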