Increasing query port randomization under FreeBSD (?)

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jul 25 22:43:45 UTC 2008


As quickly as possible, I'm trying to get my name servers upgraded,
but also, of course, to the extent I am able, I'm trying to understand
the current issue.

I read the following very helpful document:

  http://www.isc.org/sw/bind/docs/FAQ-about-random-query-issue.php

but it raises a couple of questions for me.

Specifically, I am almost exclusively a FreeBSD user.  Given that, what's
the Most Right Thing To Do here?  I see the following comment in the above
document:

    It is recommended it contain at least 16384 ports (14 bits of entropy).

    12. What about default port ranges defined by my system?

    In the -P1 releases, the UDP range is 1024 through 65535. In the betas,
    a few BSD operating systems sysctl tunables are used at named startup.
    On other systems, the range is 1024 through 65535.

OK, so which specific tunable(s) are important here?  Would that be one of
these two?

    net.inet.ip.portrange.first
    net.inet.ip.portrange.highfirst

If so, which one, specifically?

Second question:  Regardless of which of the above two tunables is the
Right One, would it be advisable to reduce the default value of whichever
of the two is "significant" in this context, i.e. from the current default
of 49152 to, say, 32767?  (Doing that would further increase the "entropy"
of the query ports and thus further reduce risks, right?)
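An added example, not part of the original post and not BIND or FreeBSD code: a small POSIX sh audit that reads `sysctl net.inet.ip.portrange` style "name: value" lines, works out how many bits of source-port entropy the kernel's ephemeral range can contribute, and compares that against the 16384-port (14-bit) minimum the ISC FAQ quotes above. It assumes FreeBSD's tunable names `net.inet.ip.portrange.first`, `.last` and `.randomized`; the sample values are constructed for the demo. The kernel range only matters when named lets the kernel assign the query port; when named picks ports from its own range, that range is what to measure, and a NAT in front of the resolver can rewrite source ports either way.

```shell
#!/bin/sh
# Added example (not from the original post, BIND or FreeBSD).
# Estimates the source-port entropy an ephemeral port range contributes to
# outgoing DNS queries and compares it with the 14-bit (16384-port) minimum
# quoted from the ISC FAQ. Reads sysctl-style "name: value" lines on stdin,
# so it runs on any POSIX sh; the sysctl names assumed are FreeBSD's.

MIN_BITS=14   # 2^14 = 16384 ports, the FAQ's recommended minimum

# bits_for_range FIRST LAST: prints floor(log2(LAST - FIRST + 1)), the
# entropy of one uniformly chosen port from the range (0 for an empty range).
bits_for_range() {
    size=$(( $2 - $1 + 1 ))
    bits=0
    [ "$size" -gt 0 ] || { echo 0; return; }
    while [ $(( size >> (bits + 1) )) -gt 0 ]; do
        bits=$(( bits + 1 ))
    done
    echo "$bits"
}

# value_of NAME TEXT: prints the value of the "NAME: value" line in TEXT
# (empty output when the name is absent).
value_of() {
    printf '%s\n' "$2" | awk -v key="$1" -F': *' '$1 == key { print $2; exit }'
}

# audit_portrange: reads `sysctl net.inet.ip.portrange` output on stdin and
# prints one verdict, "OK <range> gives <n> bits" or "WEAK <reason>";
# returns 1 for any WEAK verdict so it can be used in scripts.
audit_portrange() {
    text=$(cat)
    first=$(value_of net.inet.ip.portrange.first "$text")
    last=$(value_of net.inet.ip.portrange.last "$text")
    randomized=$(value_of net.inet.ip.portrange.randomized "$text")
    if [ -z "$first" ] || [ -z "$last" ]; then
        echo "WEAK net.inet.ip.portrange.first/last not found in input"
        return 1
    fi
    # Sequential allocation makes the next port predictable whatever the
    # range size, so the range's width contributes no entropy at all.
    if [ "$randomized" = 0 ]; then
        echo "WEAK net.inet.ip.portrange.randomized=0 (ports allocated sequentially)"
        return 1
    fi
    bits=$(bits_for_range "$first" "$last")
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK $first-$last gives only $bits bits (< $MIN_BITS)"
        return 1
    fi
    echo "OK $first-$last gives $bits bits"
}

# Demo on constructed values: the default the post mentions (first=49152)
# and the lowered value it asks about (first=32767).
for first in 49152 32767; do
    printf 'net.inet.ip.portrange.first: %s\nnet.inet.ip.portrange.last: 65535\nnet.inet.ip.portrange.randomized: 1\n' "$first" \
        | audit_portrange
done
```

On a FreeBSD host, source the file and pipe the live tunables in with `sysctl net.inet.ip.portrange | audit_portrange`. The demo shows the arithmetic behind the post's second question: 49152 through 65535 is exactly 16384 ports (14 bits), and lowering `first` to 32767 roughly doubles the range to 15 bits. The `randomized` check is the caveat worth keeping: a wide range allocated sequentially is no better than a narrow one.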
