In message <[email protected]>, Tony Finch writes:
> Mark Andrews <[email protected]> wrote:
> >
> > Perhaps because it is a legitimate, though unwise, client source port
> > that is in lots of old configurations.
> >
> > listen-on { <internal address>; };
> > query-source * port 53;
>
> I did this back in the 1990s because it worked around occasional interop
> problems, I think caused by over-enthusiastic firewall configurations that
> thought all DNS (queries and responses) should be on port 53. Several
> years ago I found that things had changed and the popular
> over-enthusiastic firewall configuration requires DNS query source ports
> to be greater than 1023.
Both firewall configurations are broken. You don't look at source ports if
you are offering a service.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
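The two directives quoted in the thread, with the corrected form beside them and a small checker that models the two firewall policies Tony describes, as an added example that is not part of the original thread and not ISC or BIND code. The addresses, the ephemeral port range, the policy names and the checker itself are assumptions made here for illustration; only `listen-on` and `query-source * port 53;` come from the message. The security point behind "unwise": pinning the query source port to 53 means every outgoing query leaves from the same port, which removes the source-port entropy that, together with the 16-bit transaction ID, makes forged responses hard to guess. Leaving the port clause off (or writing `port *`) lets named pick a random ephemeral port per query.

```python
import re

# Constructed named.conf fragments for illustration. Only the two directives
# quoted in the thread (listen-on and "query-source * port 53;") come from it;
# the addresses are documentation-range placeholders.
OLD_CONF = """
options {
    listen-on { 192.0.2.53; };       // internal address (placeholder)
    query-source * port 53;          // pins every outgoing query to sport 53
};
"""

FIXED_CONF = """
options {
    listen-on { 192.0.2.53; };
    query-source 192.0.2.53;              // no port clause: random ephemeral port
    query-source-v6 2001:db8::53 port *;  // explicit "port *" is also random
};
"""

# BIND config comments: /* */, //, and #.
_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

# query-source [address] (addr|*) [port (port|*)];
_QS_RE = re.compile(
    r'\b(?P<directive>query-source(?:-v6)?)\s+'
    r'(?:address\s+)?(?P<addr>[^\s;]+)'
    r'(?:\s+port\s+(?P<port>[^\s;]+))?\s*;',
    re.I)


def audit_query_source(conf):
    """Return one finding per query-source(-v6) statement in a named.conf text.

    A statement is 'pinned' when it names a fixed port; "port *" or no port
    clause lets named choose a random ephemeral port for each query.
    """
    findings = []
    for m in _QS_RE.finditer(_COMMENT_RE.sub('', conf)):
        port = m.group('port')
        pinned = port is not None and port != '*'
        findings.append({
            'directive': m.group('directive').lower(),
            'address': m.group('addr'),
            'port': int(port) if pinned else None,
            'pinned': pinned,
        })
    return findings


# Assumed ephemeral range (the Linux default); named's own range may differ.
EPHEMERAL_PORTS = range(32768, 61000)


def possible_source_ports(finding):
    """Ports a query could leave from under this query-source setting."""
    return [finding['port']] if finding['pinned'] else EPHEMERAL_PORTS


def firewall_accepts(sport, policy):
    """Model of the two over-enthusiastic policies described in the thread."""
    if policy == 'only-53':        # 1990s style: all DNS traffic on port 53
        return sport == 53
    if policy == 'above-1023':     # later style: query source port must be high
        return sport > 1023
    raise ValueError('unknown policy: %r' % policy)


def passes_firewall(finding, policy):
    """True only if every source port the resolver might use is accepted."""
    return all(firewall_accepts(p, policy) for p in possible_source_ports(finding))


if __name__ == '__main__':
    for name, conf in (('old', OLD_CONF), ('fixed', FIXED_CONF)):
        for f in audit_query_source(conf):
            print(name, f['directive'], f['address'],
                  'pinned to %d' % f['port'] if f['pinned'] else 'random port',
                  {p: passes_firewall(f, p) for p in ('only-53', 'above-1023')})
```

Run as a script it prints each query-source statement with its verdict under both modelled policies: the old setting passes only the "only-53" policy and the corrected one only the "above-1023" policy, which is exactly why the 1990s workaround stopped working once firewall fashion changed, and why a service-side rule should not look at source ports at all.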
