Vulnerability to cache poisoning -- the rest of the solution
Alan Clegg
Alan_Clegg at isc.org
Mon Jul 14 17:21:22 UTC 2008
Jeff Lightner wrote:
> Someone stated positively that I couldn't have had queries or transfers
> working with port firewall restricted to port 53 so I was looking for
> more information about that statement as obviously my BIND is working.
Ok, prior to 9.5.0, BIND chose a high, random UDP port on startup and
used that for the life of the process for outbound queries.
9.5.0 improved that by choosing a small pool and changing port every 15
minutes.
-P1 introduced a per-query randomization across all available high ports.
The betas (9.5.1b2) and (9.4.3b1) allow fine-grained control for the UDP
ports used.
All of the above can be overridden using the (evil) "udp-source port
XX" statement in your configuration.
All BIND versions use high, random ports for TCP connections.
> Separately I was then also asking for details about what should be
> opened for recursive queries. Is it udp only? Tcp & udp? Finally I
> was asking for specific range information. That is if I tell it random
> does that mean it automatically goes to ports above 1024. Further I
> wanted to verify there wasn't anything in BIND that was restricting it
> to a range as some applications do. That is to say is it complete
> random or random within a range?
See above. Answer depends on "what version are you running?"
AlanC
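An added check, not part of the thread above, for verifying which of the source-port behaviours Alan lists a resolver actually exhibits: it parses constructed tcpdump-style lines of outbound queries and classifies the port pattern. The sample lines, the regex and the ratio thresholds are my assumptions.

```python
"""Check whether a resolver's outbound queries really use randomized UDP
source ports (the behaviour the reply above attributes to 9.5.0-P1).
Input lines mimic `tcpdump -n` output; the samples here are constructed."""
import re

# Outbound query: "IP <src>.<sport> > <dst>.53: ..."; inbound replies and
# non-DNS traffic do not match and are skipped.
OUTBOUND_RE = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > \d+\.\d+\.\d+\.\d+\.53:")

def source_ports(lines):
    """UDP source ports of outbound port-53 queries, in capture order."""
    return [int(m.group(1)) for m in map(OUTBOUND_RE.search, lines) if m]

def classify(ports):
    """Heuristic mapping of the port pattern to the behaviours in the thread.
    Thresholds are assumptions: one port = fixed; distinct/total < 0.5 = pool."""
    if not ports:
        return "no queries seen"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed source port (pre-9.5.0 behaviour, poisoning-prone)"
    if distinct / len(ports) < 0.5:
        return "small port pool (9.5.0 behaviour)"
    return "per-query randomization (9.5.0-P1 and later)"

def low_ports(ports):
    """Ports below 1024, which a firewall rule written for 'high ports' would block."""
    return sorted({p for p in ports if p < 1024})

# Constructed samples, eight queries each; RANDOM also carries one inbound
# reply line to show that it is ignored by the parser.
FIXED = [f"IP 192.0.2.10.53 > 198.51.100.{i}.53: {1000+i}+ A? h{i}.example. (30)" for i in range(1, 9)]
POOL = [f"IP 192.0.2.10.{32001 + i % 2} > 198.51.100.{i}.53: {1000+i}+ A? h{i}.example. (30)" for i in range(1, 9)]
RANDOM = [f"IP 192.0.2.10.{49152 + 977 * i} > 198.51.100.{i}.53: {1000+i}+ A? h{i}.example. (30)" for i in range(1, 9)]
RANDOM.append("IP 198.51.100.5.53 > 192.0.2.10.50129: 1001 1/0/0 A 203.0.113.7 (46)")

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("pool", POOL), ("random", RANDOM)):
        ports = source_ports(sample)
        print(f"{name}: {classify(ports)}; low ports: {low_ports(ports)}")
```

On a live resolver the same functions can be fed the output of `tcpdump -n udp dst port 53`; a result of "fixed source port" is the condition the thread warns about.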