Alan Clegg wrote:
Jeremy Chadwick wrote:On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
Is there a way to restrict the ports which BIND selects -- perhaps at the expense of a small amount of entropy -- such that it doesn't try to use UDP ports which are administratively blocked (e.g. portsused by worms, or insecure Microsoft network utilities)? We don't dare turn these port blocks off, or naive users will fall prey to security holes in Microsoft products. But if BIND doesn't know towork around them, lookups will occasionally (and infuriatingly!) fail.
query-source has an argument called "port" which will do what you want. That option *only* affects UDP queries, however; TCP queries are always random.
While query-source allows you to lock down to a single port, you DO NOT WANT TO DO THIS -- if you do, you will be vulnerable to the very thing that the patch made you immune (well, safer) from. What Brett (and others) need to do is risk the waters with the new beta code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" control for the UDP ports to be used. Please, PLEASE, do not introduce "query-source port XX" into your configurations.
Probably what Brett is looking for are the avoid-v4-udp-ports and avoid-v6-udp-ports options -- these just contain lists of UDP ports to avoid as the source of any DNS traffic. Details are available here (for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options but it's the same for all 9.x versions of BIND. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
signature.asc
Description: OpenPGP digital signature
