On 08-Sep-2008, at 22:50 , zq wrote:

> /* make named use port 53 for the source of all queries, to allow
>  * firewalls to block all ports except 53:
>  */
> query-source port 53;
> query-source-v6 port 53;
This has nothing to do with the problem you're trying to solve, but someone should point out that this is extremely insecure. If you don't allow your name server to randomize its query source port, your name server can be poisoned for any domain in under five minutes.

You can find details of the relevant vulnerability and mitigation techniques here:

<http://www.kb.cert.org/vuls/id/800113>
<http://www.isc.org/sw/bind/docs/FAQ-about-random-query-issue.php>

If you have corporate firewalls you need to get around, then you can do one of two things to improve your security situation:

1) Talk to the firewall administrators and get them to open up outbound UDP/TCP on all ports from your DNS server. In this case, restricting ports is actually making your security situation worse, not better.

or

2) Forward all queries from this server to a recursive server outside your firewall that is able to do proper query source port randomization. There are some notes on doing that here:

<http://www.isc.org/sw/bind/docs/forwarding.php>

Finally, when you've made changes to fix the situation, you can check to make sure things are improved by testing your server's source port randomization. To do that, use dig to cause this server to run a special query against txidtest.dns-oarc.net:

dig +short txidtest.dns-oarc.net TXT @your.dns.server

HTH,
Matt
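The dig check above asks an outside service to report what it saw. The script below is an added example (not part of the original thread, not ISC or DNS-OARC code) that does the same sort of check from the resolver's own side: it parses tcpdump-style text for outbound queries, counts how many distinct source ports the resolver used, and works out how large the space an off-path forger has to guess is (16-bit TXID times the ports in use). The capture lines are constructed, the resolver address 192.0.2.10 is made up, and the FIXED/LOW/OK thresholds are this example's own choice, not the thresholds the dns-oarc.net test uses.

```python
"""Check whether a resolver randomizes its UDP source port, using
captured outbound DNS queries in tcpdump -n text form.

Added example, not from the original mailing-list post. The capture
lines are constructed, not real traffic; the verdict thresholds are
this example's assumptions, not those of the dns-oarc.net test.
"""
import re
import statistics

# tcpdump -n prints outgoing queries as:
#   HH:MM:SS.usec IP src.sport > dst.dport: txid+ A? name. (len)
# The '+' after the txid means recursion desired and may be absent.
QUERY_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)\+?"
)

# Constructed capture: resolver pinned with "query-source port 53".
FIXED_PORT_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4711+ A? example.com. (29)
12:00:01.000231 IP 192.0.2.10.53 > 198.51.100.2.53: 9042+ A? example.net. (29)
12:00:01.000417 IP 192.0.2.10.53 > 198.51.100.1.53: 60213+ AAAA? example.org. (29)
12:00:01.000590 IP 192.0.2.10.53 > 198.51.100.3.53: 17 A? www.example.com. (33)
12:00:01.000702 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
12:00:01.000843 IP 192.0.2.10.53 > 198.51.100.2.53: 33311+ MX? example.com. (29)
"""

# Constructed capture: the same resolver after removing the port pin.
RANDOM_PORT_CAPTURE = """\
12:05:01.000001 IP 192.0.2.10.34567 > 198.51.100.1.53: 4711+ A? example.com. (29)
12:05:01.000231 IP 192.0.2.10.50121 > 198.51.100.2.53: 9042+ A? example.net. (29)
12:05:01.000417 IP 192.0.2.10.1203 > 198.51.100.1.53: 60213+ AAAA? example.org. (29)
12:05:01.000590 IP 192.0.2.10.61777 > 198.51.100.3.53: 17+ A? www.example.com. (33)
12:05:01.000702 IP 192.0.2.10.27431 > 198.51.100.2.53: 33311+ MX? example.com. (29)
12:05:01.000843 IP 192.0.2.10.44982 > 198.51.100.1.53: 2 A? ns1.example.com. (33)
"""

TXID_SPACE = 1 << 16  # DNS transaction ID is 16 bits


def parse_capture(text, resolver_ip):
    """Return (source_port, txid) for each query resolver_ip sent to port 53.

    Lines that are not DNS queries from the resolver (ARP, replies,
    traffic from other hosts) are skipped.
    """
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, sport, _dst, dport, txid = m.groups()
        if src != resolver_ip or dport != "53":
            continue
        queries.append((int(sport), int(txid)))
    return queries


def assess(queries, low_stdev=2000.0):
    """Summarize source-port behaviour and the forger's guess space.

    low_stdev is an assumed threshold: a spread narrower than this is
    reported as LOW even if more than one port appears.
    """
    ports = [port for port, _txid in queries]
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct == 1:
        verdict = "FIXED"      # attacker only has to guess the TXID
    elif stdev < low_stdev:
        verdict = "LOW"
    else:
        verdict = "OK"
    # An off-path forger must hit both the TXID and the source port.
    # Ports actually observed give a lower bound on the port space.
    guess_space = TXID_SPACE * distinct
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "port_stdev": round(stdev, 1),
        "guess_space": guess_space,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, capture in (("pinned to port 53", FIXED_PORT_CAPTURE),
                           ("randomized", RANDOM_PORT_CAPTURE)):
        print(label, assess(parse_capture(capture, "192.0.2.10")))
```

On a real host, feed it text from `tcpdump -n udp dst port 53` taken on the resolver while it is busy; a verdict of FIXED with the pinned configuration, and a guess space 65536 times larger once the `query-source port 53` lines are removed, is the difference the message above is talking about. The external txidtest query remains the authoritative check, since it also sees whether a NAT device in front of the resolver is collapsing the ports again.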