Chuck Swiger wrote:
On Jul 8, 2008, at 11:04 AM, Mel wrote:
On Tuesday 08 July 2008 19:07:02 Matthew Seaman wrote:
You can configure named to always send packets using a
fixed port number (which can be helpful for firewalling)


Purely outof interest, which (useful) firewall/nat rules cannot be made with
dest port 53, that can be made with source port 53. Not talking syntax,
but "business logically".

Please note that using the same port for answering queries makes it vastly easier for somebody to spoof your DNS traffic. Unless you are one of the handful using DNSSEC, that is.


Yes.  In the light of this, released last night:

  http://www.kb.cert.org/vuls/id/800113

fixing the response port is a bad idea.  A really bad idea.

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to