Increasing query port randomization under FreeBSD (?)
Jeremy C. Reed
Jeremy_Reed at isc.org
Fri Jul 25 23:57:08 UTC 2008
On Fri, 25 Jul 2008, Ronald F. Guilmette wrote:
> In the -P1 releases, the UDP range is 1024 through 65535. In the betas,
> a few BSD operating systems sysctl tunables are used at named startup.
> On other systems, the range is 1024 through 65535.
>
> OK, so which specific tunable(s) are important here? Would that be one of
> these two?
>
> net.inet.ip.portrange.first
> net.inet.ip.portrange.highfirst
>
> If so, which one, specifically?
Note that this suggestion is for the betas only (and not -P1).
net.inet.ip.portrange.hifirst (low end)
net.inet.ip.portrange.hilast (high end)
> Second question: Regardless of which of the above two tunables is the
> Right One, would it be advisable to reduce the default value of whichever
> of the two is "significant" in this context, i.e. from the current default
> of 49152 to, say, 32767? (Doing that would further increase the "entropy"
> of the query ports and thus further reduce risks, right?)
Just quoting from the docs:
Note: make sure the ranges be sufficiently large for security. A
desirable size depends on various parameters, but we generally
recommend it contain at least 16384 ports (14 bits of entropy).
Note also that the system's default range when used may be too
small for this purpose, and that the range may even be changed
while named is running; the new range will automatically be
applied when named is reloaded. It is encouraged to configure
use-v4-udp-ports and use-v6-udp-ports explicitly so that the
ranges are sufficiently large and are reasonably independent from
the ranges used by other applications.
(Sorry I didn't document the sysctls yet in the beta. Still discussing and
working on that. Also different tunables for different systems too.)
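As an added example, not part of this thread and not BIND's own tooling, here is a POSIX sh check that applies the "at least 16384 ports (14 bits of entropy)" floor from the quoted documentation to a candidate hifirst/hilast range and prints the matching use-v4-udp-ports clause. The function names and the sample range are assumptions; on FreeBSD the live values would come from the two sysctls named above.

```shell
#!/bin/sh
# Added example (not from the original post): size a UDP source-port range
# against the >=16384-port floor quoted from the BIND docs and emit the
# explicit use-v4-udp-ports clause the docs encourage.
# On FreeBSD the current high range is read with
#   sysctl -n net.inet.ip.portrange.hifirst net.inet.ip.portrange.hilast
# Function names and the sample values below are assumptions.

MIN_PORTS=16384   # floor recommended by the quoted BIND documentation

# Number of ports in the inclusive range lo..hi (0 if the range is invalid).
port_range_size() {
    lo=$1; hi=$2
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo 0
        return
    fi
    echo $((hi - lo + 1))
}

# Whole bits of entropy a randomized source port gets from N candidate
# ports: floor(log2(N)), computed by repeated halving (sh has no log2).
entropy_bits() {
    n=$1; bits=0
    while [ "$n" -gt 1 ]; do
        n=$((n / 2))
        bits=$((bits + 1))
    done
    echo "$bits"
}

# Succeeds when lo..hi meets the recommended minimum, fails otherwise.
range_is_adequate() {
    [ "$(port_range_size "$1" "$2")" -ge "$MIN_PORTS" ]
}

# The named.conf clause that pins BIND to this range explicitly.
named_udp_ports_clause() {
    printf 'use-v4-udp-ports { range %s %s; };\n' "$1" "$2"
}

# Report on one range: size, entropy, verdict, and the clause to configure.
report_range() {
    size=$(port_range_size "$1" "$2")
    printf 'range %s-%s: %s ports, %s bits: ' "$1" "$2" "$size" "$(entropy_bits "$size")"
    if range_is_adequate "$1" "$2"; then echo "OK"; else echo "too small (< $MIN_PORTS)"; fi
    named_udp_ports_clause "$1" "$2"
}

# Constructed sample: the FreeBSD default high range (49152..65535) mentioned
# in the question, which yields exactly 16384 ports, i.e. just meets the floor.
report_range 49152 65535
```

Lowering hifirst to 32768, as the question proposes, doubles the range to 32768 ports (15 bits), but the clause should still be set explicitly in named.conf so the range does not depend on whatever the system default happens to be.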