dig source port

lvobr at ies.etisalat.ae
Mon Aug 25 12:56:54 UTC 2003


----- Original Message -----
From: Jim Reid <jim at rfc1035.com>
Date: Monday, August 25, 2003 5:46 am
Subject: Re: dig source port

> >>>>> ">" == lvobr <lvobr at ies.etisalat.ae> writes:
> 
>    >> Is there a way I can specify source port for the dig
> 
> No.
> 
>    >> I have setup with firewall, and my nameserver source port is
>    >> abcd, but I am unable to make the dig to use the same, thus
>    >> firewall stops the dig random source port requests.
> 
> So fix the firewall. It's broken.

Don't you think that opening all random UDP ports on the L3 firewall for
anybody who originates packets from his UDP port 53 is a luxury just to
get a dig reply back?

For me it is a luxury, and I will not do that just to have a simple dig
command working while exposing all random UDP ports on my internal
recursive nameserver.

Can somebody answer why dig in bind8 has it in its syntax but does not
really implement it?

Also, I can use +vc, which is less harmful in my case, if I open TCP
established in our firewall.

I basically check root server responses with dig from the internal
recursive nameserver, to have some statistics.

BTW, the source-query address port has a very valid point for named
from a security point of view, so why is it surprising for dig or nslookup
to have the same?

Ladislav 
 
>    >> I can recompile it, but it is the last option for me.
> 
> Indeed. Fixing the incorrect firewall configuration would be the right
> thing to do.
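As an added illustration (not part of the thread), a small Python model of the two firewall policies being argued about: the stateless "allow anything whose source port is 53" rule, which exposes every local UDP port to anyone who sets their source port to 53, versus stateful tracking of the host's own outbound UDP queries, which lets dig keep a random ephemeral port. All addresses and ports are constructed.

```python
# Added example: models the firewall policies discussed in the thread.
# Not BIND or firewall code; addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Udp:
    """One UDP datagram, identified by its 4-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessSport53:
    """Broken policy: accept any inbound UDP with source port 53.
    Nothing is remembered, so any host can reach any local UDP port
    simply by sending from port 53."""
    def outbound(self, pkt: Udp) -> None:
        pass

    def allow_inbound(self, pkt: Udp) -> bool:
        return pkt.src_port == 53


class StatefulUdp:
    """Correct policy: accept inbound UDP only if it reverses an outbound
    flow this host opened earlier (what a stateful firewall tracks)."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Udp) -> None:
        self.flows.add(pkt)

    def allow_inbound(self, pkt: Udp) -> bool:
        reverse = Udp(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            self.flows.discard(reverse)  # one answer per query; UDP has no teardown
            return True
        return False


def run_scenario(fw) -> dict:
    """dig sends from a random ephemeral port to a root server; then an
    unsolicited packet from source port 53 arrives at a random local port."""
    me, root, outsider = "192.0.2.10", "198.51.100.4", "203.0.113.7"  # constructed
    fw.outbound(Udp(me, 41234, root, 53))               # the dig query leaves
    reply = Udp(root, 53, me, 41234)                    # genuine answer comes back
    unsolicited = Udp(outsider, 53, me, 33333)          # nobody asked for this
    return {"reply": fw.allow_inbound(reply),
            "unsolicited": fw.allow_inbound(unsolicited)}
```

With the stateless rule both packets are accepted; with state tracking only the genuine reply is, and dig's random source port needs no special handling.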


