Configuring bind not to use unprivileged ports?

Thomas Schulz schulz at adi.com
Fri Jun 2 14:13:03 UTC 2006


In article <e5nvsb$2kaa$1 at sf1.isc.org>,
Mark Andrews  <Mark_Andrews at isc.org> wrote:
>
>> I'm using bind 9.3.1 on a Linux system running kernel version 2.6.11.12. I added
>> the following line to the options statement in the named.conf file:
>> query-source address * port 53
>> After that, I restarted bind but it still performs queries using UDP on
>> unprivileged ports (1024-65535).
>> 
>> What I need is to configure bind to use well defined ports so that I can then
>> configure iptables to allow outgoing DNS queries and incoming DNS replies.
>> Besides, I prefer not to open all unprivileged ports, so I tried the
>> query-source option above but without success. Can anyone help me?
>
>	Firstly how do you know it is named that is making the queries?
>
>	1. Use a stateful firewall.  It is a better long term solution
>	as you can then debug connectivity issues with tools like dig.

Iptables can be a stateful firewall.  On our router I have the following
rule enabled:

iptables -A FORWARD -p udp --sport 53 --dport 1024: -m state --state ESTABLISHED -j ACCEPT

The above is all one line.  This allows incoming replies to a query sent
to port 53 (the reply would come from port 53).

>
>	2. There are multiple source controls.  query-source, notify-source
>	and transfer-source as well as the ipv6 variants.  You need to
>	work out what requests are being made and set the appropriate one(s).
>	
>> P.S. Here's the complete named.conf file in case it is needed:
>> 
>> options {
>>  directory "/etc/namedb";
>>  pid-file "/var/run/named.pid";
>>  statistics-file "/var/run/named.stats";
>>  allow-query { 0/0; };
>>  query-source address * port 53;
>> };
>> 
>> zone "." {
>>  type hint;
>>  file "root.hints";
>> };
>> 
>> zone "0.0.127.in-addr.arpa" {
>>  type master;
>>  file "pz/127.0.0";
>> };
>> 
>> 
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>
-- 
Tom Schulz
schulz at adi.com
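The stateful rule Tom describes, as an added illustration that is not part of this thread: a small Python model of the conntrack lookup behind `-m state --state ESTABLISHED`, set beside a stateless rule that accepts any UDP packet from port 53 to any unprivileged port (the broad opening the original poster wanted to avoid). The addresses, ports and timeout are constructed for the example; nothing here is BIND or netfilter code.

```python
# Added example, not from the bind-users thread: models how a stateful
# iptables rule such as
#   iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# decides on DNS replies, versus a stateless "sport 53 to any port >= 1024"
# rule. All addresses, ports and the timeout below are constructed values.
from dataclasses import dataclass

RESOLVER = "192.0.2.10"      # constructed: the host running named
UPSTREAM = "198.51.100.53"   # constructed: a server it sends queries to
OTHER_HOST = "203.0.113.7"   # constructed: a host it never queried


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFirewall:
    """Models the conntrack table consulted by iptables' -m state matching."""

    def __init__(self, local_ip, udp_timeout=30.0):
        self.local_ip = local_ip
        self.udp_timeout = udp_timeout
        # (proto, src, sport, dst, dport) of the outbound query -> expiry time
        self.conntrack = {}

    def outbound(self, pkt, now):
        # OUTPUT chain: allow NEW queries to port 53 from this host and
        # record the 5-tuple so the reply can be matched as ESTABLISHED.
        if pkt.src != self.local_ip or pkt.dport != 53:
            return "DROP"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.conntrack[key] = now + self.udp_timeout
        return "ACCEPT"

    def inbound(self, pkt, now):
        # INPUT chain: accept only ESTABLISHED, i.e. the packet's reversed
        # 5-tuple matches a tracked, unexpired outbound query. The ephemeral
        # source port named chose does not need to be opened in advance.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.conntrack.get(reverse)
        if expiry is None or expiry < now:
            self.conntrack.pop(reverse, None)
            return "DROP"
        self.conntrack[reverse] = now + self.udp_timeout  # refresh like conntrack
        return "ACCEPT"


def stateless_inbound(pkt):
    """The alternative the poster wanted to avoid: trust any UDP packet from
    port 53 to any unprivileged port, whether or not a query was sent."""
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024:
        return "ACCEPT"
    return "DROP"


def run_scenario():
    """Returns the verdict for each constructed packet under both policies."""
    fw = StatefulFirewall(RESOLVER)
    query = Packet(RESOLVER, 40123, UPSTREAM, 53)        # named picks port 40123
    reply = Packet(UPSTREAM, 53, RESOLVER, 40123)        # genuine answer
    wrong_peer = Packet(OTHER_HOST, 53, RESOLVER, 40123) # right port, wrong server
    unsolicited = Packet(UPSTREAM, 53, RESOLVER, 51000)  # no query used port 51000
    late = Packet(UPSTREAM, 53, RESOLVER, 40123)         # arrives after the timeout

    results = {
        "query": fw.outbound(query, now=0.0),
        "reply": fw.inbound(reply, now=1.0),
        "wrong_peer": fw.inbound(wrong_peer, now=1.0),
        "unsolicited": fw.inbound(unsolicited, now=1.0),
        "late": fw.inbound(late, now=100.0),
        "stateless_wrong_peer": stateless_inbound(wrong_peer),
        "stateless_unsolicited": stateless_inbound(unsolicited),
    }
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The stateful model accepts only the reply whose reversed 5-tuple matches a query the resolver actually sent, and drops the other three; the stateless rule accepts both packets it was never asked about. That is the difference Mark's first suggestion rests on, and it is why pinning named to a fixed source port is not needed to keep the firewall tight.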



More information about the bind-users mailing list