Chuck Swiger wrote:
On Jul 8, 2008, at 11:04 AM, Mel wrote:On Tuesday 08 July 2008 19:07:02 Matthew Seaman wrote:You can configure named to always send packets using a fixed port number (which can be helpful for firewalling)Purely outof interest, which (useful) firewall/nat rules cannot be made withdest port 53, that can be made with source port 53. Not talking syntax, but "business logically".Please note that using the same port for answering queries makes it vastly easier for somebody to spoof your DNS traffic. Unless you are one of the handful using DNSSEC, that is.
Yes. In the light of this, released last night: http://www.kb.cert.org/vuls/id/800113 fixing the response port is a bad idea. A really bad idea. Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature