dig source port

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Aug 25 21:51:57 UTC 2003


lvobr at ies.etisalat.ae wrote:
> ----- Original Message -----
> From: Jim Reid <jim at rfc1035.com>
> Date: Monday, August 25, 2003 5:46 am
> Subject: Re: dig source port

" == lvobr">
>> >>>>> ">" == lvobr  <lvobr at ies.etisalat.ae> writes:
>> 
>>    >> Is there a way I can specify source port for the dig
>> 
>> No.
>> 
>>    >> I have setup with firewall, and my nameserver source port is
>>    >> abcd, but I am unable to make the dig to use the same, thus
>>    >> firewall stops the dig random source port requests.
>> 
>> So fix the firewall. It's broken.

> Don't you think that opening all random udp ports on the L3 firewall for
> anybody who originates a packet from his 53 udp port, is a luxury just to
> get a dig reply back ?

Any firewall worth its salt will save some state, only allowing 
_answers_ to the ports that have been asking _questions_.



> for me it is a luxury, and I will not do that to have a simple dig command
> working, but exposing all random udp ports on my internal recursive
> nameserver.

It seems to me that you will increase your security by learning
to configure them properly.

> Can somebody answer why dig in bind8 has it as a syntax but does not
> really implement it ?

> also I can use +vc, which is less harmful in my case, if I open tcp
> established in our firewall.

> I basically check root servers responses by dig, from the internal
> recursive nameserver, to have some statistic.

> btw, the source-query address port, has a very valid point for named
> from security point of view, why it is surprising for dig or nslookup
> to have the same ?

The possibility to specify source ports is a migration help for those
depending on bind-4 behaviour (which is no excuse). It does not 
increase security at all.

> Ladislav 
>  
>>    >> I can recompile it, but it is the last option for me.
>> 
>> Indeed. Fixing the incorrect firewall configuration would be the right
>> thing to do.
>> 
>> 



-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
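As an added illustration of the point made in this reply (this is not code from the original post or from BIND), the model below shows the difference between the stateless rule the original poster objected to ("let in any UDP packet whose source port is 53") and the stateful behaviour Peter describes (let in only answers to queries that were seen leaving). All addresses, port numbers and packets are constructed for the demonstration; the class and function names are assumptions of this example, not the API of any real firewall.

```python
# Added example, not part of the original post: a toy model of stateful UDP
# tracking versus a stateless "source port 53" rule. Addresses and ports are
# constructed (RFC 5737 documentation range for the outside hosts).
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatefulUdpFilter:
    """Admit an inbound UDP packet only if it answers a query that recently
    left the inside network; everything else is dropped."""

    def __init__(self, inside_prefix: str, timeout: float = 30.0):
        self.inside_prefix = inside_prefix   # constructed, e.g. "10.0.0."
        self.timeout = timeout               # seconds an entry stays valid
        self._state = {}                     # query 4-tuple -> expiry time
        self.now = time.monotonic            # clock, replaceable in tests

    def _is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def outbound(self, pkt: Packet) -> bool:
        """An inside host sends a query: remember the flow so its answer
        can come back, whatever (random) source port dig chose."""
        if pkt.proto != "udp" or not self._is_inside(pkt.src_ip):
            return False
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self._state[key] = self.now() + self.timeout
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Accept only if the reversed 4-tuple matches a live query entry."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self._state.get(key)
        if expiry is None or expiry < self.now():
            self._state.pop(key, None)       # expired or never seen: drop
            return False
        return True


def stateless_port53_rule(pkt: Packet, inside_prefix: str) -> bool:
    """The rule the original poster did not want: any UDP packet with source
    port 53 aimed at the inside network is let through, asked for or not."""
    return (pkt.proto == "udp" and pkt.src_port == 53
            and pkt.dst_ip.startswith(inside_prefix))


def demo() -> dict:
    """Replay the situation from the thread and return each verdict."""
    fw = StatefulUdpFilter("10.0.0.")
    resolver, root, stranger = "10.0.0.53", "192.0.2.1", "192.0.2.99"
    query = Packet(resolver, 40123, root, 53)            # dig's random port
    reply = Packet(root, 53, resolver, 40123)            # the answer to it
    unsolicited = Packet(stranger, 53, resolver, 40124)  # nobody asked this
    fw.outbound(query)
    return {
        "reply_stateful": fw.inbound(reply),                      # True
        "unsolicited_stateful": fw.inbound(unsolicited),          # False
        "unsolicited_stateless": stateless_port53_rule(unsolicited, "10.0.0."),  # True
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'dropped'}")
```

The stateful filter needs no knowledge of which source port dig picked: the outbound query itself creates the entry, and only a packet that reverses that exact 4-tuple (and arrives before the entry times out) is admitted. The stateless rule, by contrast, would accept the unsolicited packet from a third host simply because it carries source port 53, which is exactly the exposure the original poster was worried about.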


More information about the bind-users mailing list