> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
> > Is there a way to restrict the ports which BIND selects -- perhaps
> > at the expense of a small amount of entropy -- such that it doesn't
> > try to use UDP ports which are administratively blocked (e.g. ports
> > used by worms, or insecure Microsoft network utilities)? We don't
> > dare turn these port blocks off, or naive users will fall prey to
> > security holes in Microsoft products. But if BIND doesn't know to
> > work around them, lookups will occasionally (and infuriatingly!)
> > fail.
>
> query-source has an argument called "port" which will do what you want.
> That option *only* affects UDP queries, however; TCP queries are always
> random.
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
Use
avoid-v4-udp-ports { <port>; ... };
avoid-v6-udp-ports { <port>; ... };
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
