dig source port patch

Simon Waters Simon at wretched.demon.co.uk
Thu Aug 28 18:12:21 UTC 2003


Ladislav Vobr wrote:
>
> If you are running a recursive server behind a firewall which does not
> support "udp states", and have restricted the firewall to only the bind
> source port, which is a good thing to do imho

On the other hand, one cache (not BIND) uses a different source port for
each query, because this makes it harder to spoof answers (the DNS
anti-spoofing mechanism being quite weak).

I think the enhancement is quite useful, and I hope that ISC will
consider incorporating it, not least because, when doing remote
assistance, I've quite often wanted to establish whether firewalls are
configured port 53 to port 53 only.

That isn't to say I think fixing the source port is the right way to
firewall DNS.
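An added example from the defender's side, not code from the original post or from BIND: given constructed firewall flow records (src_ip, src_port, dst_ip, dst_port), it checks whether a recursive server's outbound queries always leave from one source port, which is what a port 53 to port 53 firewall rule forces and what the post contrasts with per-query source ports. The resolver address and all records are constructed.

```python
import math
from collections import Counter

RESOLVER = "192.0.2.10"  # constructed: the recursive server behind the firewall

# Constructed records (src_ip, src_port, dst_ip, dst_port): resolver pinned to port 53
FIXED_PORT_FLOWS = [
    (RESOLVER, 53, "198.51.100.1", 53),
    (RESOLVER, 53, "198.51.100.2", 53),
    (RESOLVER, 53, "198.51.100.3", 53),
    ("192.0.2.77", 40001, RESOLVER, 53),  # a client's query, not the resolver's
]

# Constructed records: resolver choosing a fresh source port for each query
RANDOM_PORT_FLOWS = [
    (RESOLVER, 33012, "198.51.100.1", 53),
    (RESOLVER, 48817, "198.51.100.2", 53),
    (RESOLVER, 51390, "198.51.100.1", 53),
    (RESOLVER, 60214, "198.51.100.3", 53),
    (RESOLVER, 35566, "198.51.100.4", 53),
    (RESOLVER, 41777, "198.51.100.2", 53),
    (RESOLVER, 57003, "198.51.100.5", 53),
    (RESOLVER, 39420, "198.51.100.6", 53),
    ("192.0.2.77", 40002, RESOLVER, 53),
]


def outbound_port_stats(flows, resolver_ip):
    """(entropy_bits, distinct_ports, total) for queries the resolver sends to port 53."""
    ports = Counter(sp for sip, sp, dip, dp in flows
                    if sip == resolver_ip and dp == 53)
    total = sum(ports.values())
    if total == 0:
        return 0.0, 0, 0
    # Shannon entropy of the source-port choice: the extra bits a spoofer
    # would have to guess on top of the 16-bit query ID.
    entropy = -sum((n / total) * math.log2(n / total) for n in ports.values())
    return entropy, len(ports), total


def assess(flows, resolver_ip):
    """Classify the resolver's outbound source-port behaviour."""
    _, distinct, total = outbound_port_stats(flows, resolver_ip)
    if total == 0:
        return "no-data"
    if distinct == 1:
        return "fixed"        # what a port 53 -> 53 firewall rule forces
    if distinct < total / 2:
        return "low"          # heavy reuse gives little protection against spoofing
    return "randomized"
```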


