On Apr 25, 2013, at 11:35 AM, "Dobbins, Roland" <[email protected]> wrote:
>
> On Apr 24, 2013, at 10:32 PM, Jason Bratton wrote:
>
>> I'm not saying I agree with that practice, but I can definitely imagine it
>> happening.
>
> Concur.
>
> If folks are running nameds which *don't* support source-port randomization,
> they need to patch/upgrade, anyways.

I think that in many cases it is not that the named version doesn't support randomization, but rather that they / their firewall group believes that "DNS should only be allowed on port 53 (and UDP, natch)". I've seen this in a number of organizations (and some fairly complex iptables rules to rewrite the random source ports to be 53 (because setting 'query-source' is… well… who knows…)). Not saying that this is reasonable, but not all nameds that source from 53 are necessarily old….

W

>
> -----------------------------------------------------------------------
> Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
She'd even given herself a middle initial - X - which stood for "someone who has a cool and exciting middle name".
    -- (Terry Pratchett, Maskerade)
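The practical check behind this thread, as an added example that is not part of any message above and not code from the list or from ISC: whether a resolver's queries actually leave with varying source ports. It does not matter whether named itself randomizes if a NAT/iptables rule downstream rewrites every query to source port 53, so the capture has to be taken on the outside of that firewall. The script parses the one-line summaries `tcpdump -n udp dst port 53` prints for outbound queries (the decimal number before `+` is the transaction ID), reports distinct source ports and Shannon entropy of ports and TXIDs, and estimates the search space an off-path forger faces: 2^16 TXIDs alone when the port is pinned, versus 2^16 times the port range otherwise. The two captures are constructed for the example, and the min..max span used as the port range is a rough lower-bound assumption, not a measurement of the resolver's RNG.

```python
import math
import re
from collections import Counter

# Constructed sample captures (not from any real resolver). They mimic the
# summaries "tcpdump -n udp dst port 53" prints for outbound queries; the
# decimal number before '+' is the DNS transaction ID (TXID).
FIXED_PORT_CAPTURE = [
    "12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4660+ A? example.com. (29)",
    "12:00:01.000002 IP 192.0.2.10.53 > 198.51.100.1.53: 51234+ A? example.net. (29)",
    "12:00:01.000003 IP 192.0.2.10.53 > 198.51.100.2.53: 9+ AAAA? example.org. (29)",
    "12:00:01.000004 IP 192.0.2.10.53 > 198.51.100.1.53: 30000+ MX? example.com. (29)",
    "12:00:01.000005 IP 192.0.2.10.53 > 198.51.100.3.53: 65535+ A? www.example.com. (33)",
    "12:00:01.000006 IP 192.0.2.10.53 > 198.51.100.1.53: 777+ NS? example.com. (29)",
]
RANDOM_PORT_CAPTURE = [
    "12:00:02.000001 IP 192.0.2.10.41512 > 198.51.100.1.53: 4660+ A? example.com. (29)",
    "12:00:02.000002 IP 192.0.2.10.1034 > 198.51.100.1.53: 51234+ A? example.net. (29)",
    "12:00:02.000003 IP 192.0.2.10.60001 > 198.51.100.2.53: 9+ AAAA? example.org. (29)",
    "12:00:02.000004 IP 192.0.2.10.22222 > 198.51.100.1.53: 30000+ MX? example.com. (29)",
    "12:00:02.000005 IP 192.0.2.10.5353 > 198.51.100.3.53: 65535+ A? www.example.com. (33)",
    "12:00:02.000006 IP 192.0.2.10.49999 > 198.51.100.1.53: 777+ NS? example.com. (29)",
    # A response line (destination port is not 53) that the filter must skip.
    "12:00:02.000007 IP 198.51.100.1.53 > 192.0.2.10.41512: 4660 1/0/0 A 93.184.216.34 (45)",
]

# Outbound UDP query: "IP <src>.<sport> > <dst>.53: <txid>+ ..." (tcpdump -n format).
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: (?P<txid>\d+)\+"
)


def parse_queries(lines):
    """Return [(source_port, txid), ...] for every outbound query line.

    Responses (destination port other than 53) and unrelated lines are skipped.
    """
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((int(m.group("sport")), int(m.group("txid"))))
    return out


def shannon_bits(values):
    """Shannon entropy (bits) of the observed distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(values).values()))


def assess(lines):
    """Summarize source-port behaviour and the resulting off-path forgery cost."""
    samples = parse_queries(lines)
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct = len(set(ports))
    fixed = distinct == 1
    # An off-path forger must match the 16-bit TXID *and* the source port.
    # With a pinned port the port contributes nothing (2^16 possibilities).
    # Otherwise the observed min..max span is used as a rough lower bound on
    # the range the resolver draws from (assumption, not an RNG measurement).
    if fixed or not ports:
        port_space = 1
    else:
        port_space = max(ports) - min(ports) + 1
    return {
        "samples": len(samples),
        "distinct_ports": distinct,
        "fixed_source_port": fixed,
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "spoof_search_space": 65536 * port_space,
        "verdict": "FIXED SOURCE PORT: randomization absent or rewritten"
        if fixed else "source port varies",
    }


if __name__ == "__main__":
    for name, capture in (("pinned to 53", FIXED_PORT_CAPTURE),
                          ("randomized", RANDOM_PORT_CAPTURE)):
        print(name, assess(capture))
```

Run it against a real capture with `tcpdump -n -l udp dst port 53 | python3 check.py` style plumbing by feeding `sys.stdin` to `assess()`; a verdict of a fixed source port on the outside interface while `rndc status` or the named config shows randomization enabled points at exactly the NAT rewrite described in the message.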
