On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jeremy Chadwick wrote: > > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > >> Is there a way to restrict the ports which BIND selects -- perhaps > >> at the expense of a small amount of entropy -- such that it doesn't > >> try to use UDP ports which are administratively blocked (e.g. ports > >> used by worms, or insecure Microsoft network utilities)? We don't > >> dare turn these port blocks off, or naive users will fall prey to > >> security holes in Microsoft products. But if BIND doesn't know to > >> work around them, lookups will occasionally (and infuriatingly!) > >> fail. > > > > query-source has an argument called "port" which will do what you want. > > That option *only* affects UDP queries, however; TCP queries are always > > random. > > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. > > Please, PLEASE, do not introduce "query-source port XX" into your > configurations.
The problem here is WRT network ACLs. The only solution is to bind BIND to a specific IP address and permit any outbound TCP or UDP traffic + any inbound TCP or UDP traffic to port 53. Most network administrators I know of won't like that, as they deny all incoming *and* outgoing traffic, then apply permit ACLs. There's no "clean" or "strict" permit ACL, while with port XX, you can at least narrow down things UDP-wise a bit more. I'll add that the stock src/etc/namedb/named.conf even advocates the use of query-source ... port 53. I'm sure this will be changed as a result of the recent security issue. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
