Vulnerability to cache poisoning -- the rest of the solution

Alan Clegg Alan_Clegg at isc.org
Mon Jul 14 17:21:22 UTC 2008


Jeff Lightner wrote:
> Someone stated positively that I couldn't have had queries or transfers
> working with port firewall restricted to port 53 so I was looking for
> more information about that statement as obviously my BIND is working.
Ok, prior to 9.5.0, BIND chose a high, random UDP port on startup and
used that for the life of the process for outbound queries.

9.5.0 improved that by choosing a small pool and changing port every 15
minutes.

-P1 introduced a per-query randomization across all available high ports.

The betas (9.5.1b2) and (9.4.3b1) allow fine-grained control for the UDP
ports used.

All of the above can be over-ridden using the (evil) "udp-source port
XX" statement in your configuration.

All BIND versions use high, random ports for TCP connections.

> Separately I was then also asking for details about what should be
> opened for recursive queries.  Is it udp only?  Tcp & udp?   Finally I
> was asking for specific range information.   That is if I tell it random
> does that mean it automatically goes to ports above 1024.  Further I
> wanted to verify there wasn't anything in BIND that was restricting it
> to a range as some applications do.   That is to say is it complete
> random or random within a range? 

See above.  Answer depends on "what version are you running?"

AlanC
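As an added illustration (not from the original thread), here is the BIND `options` block with the fixed-port setting Alan calls evil beside the randomized form. It assumes the statement he refers to is `query-source` (BIND's actual option name), and that the port-range controls `use-v4-udp-ports` / `avoid-v4-udp-ports` are available (the fine-grained control he mentions for 9.5.1 / 9.4.3 and later); the port numbers are constructed for the example.

```conf
// Weak: every outbound query leaves from UDP 53, so an off-path
// spoofer only has to guess the 16-bit query ID.
options {
    query-source address * port 53;
};

// Hardened: let named choose a random high port per query (the default
// when no "port" is given) and tell it which range the firewall allows,
// so the resolver's randomization and the firewall rules agree.
options {
    query-source address *;                  // no "port" => per-query random port
    use-v4-udp-ports { range 1024 65535; };  // same range the firewall opens for return traffic
    avoid-v4-udp-ports { 8080; };            // constructed example: skip a port another service owns
};
```

After changing this, confirm from a packet capture on the resolver's outside interface that successive outbound queries leave from different high ports rather than a single fixed one.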