On 2017-01-15, Damian McGuckin <[email protected]> wrote:
> With the advent of NSD which in normal operations would be configured to
> not even use port 53, and a dilemma (noted below), I had a need to try and
> query NSD directly on a port other than port 53.

In normal operations NSD _does_ run on port 53.

> Anyway, my question is, should we limit nslookup or dig to query solely on
> port 53. I notice that the difference between an old version of OpenBSD dig
> which allows the '-pPORT#', and that of '6.0' which does not, is just

Prior to the change to make -p an error, but after the dns pledge was added,
-p was allowed but ignored with a warning. See the commit adding SOCK_DNS.

> Maybe I need more enlightening on my poor understanding of pledge as to
> why restricting the port number to only 53 is needed.

Some people just use dig for looking up DNS records and I think for them the
dns pledge restrictions are a useful way to limit bug damage. Others use dig
as a DNS server debugging tool and I think in those cases the port
restriction (and forcing traffic through rebound if it's running) can get in
the way.

> I could not do such tests from an OpenBSD machine because in 6.0, the port
> command on 'nslookup' is disabled and the option 'p', -pPORT#, on 'dig' is
> tweaked to not change anything. See further below.

Alternatively you could use the version of dig from packages which doesn't
use pledge:

pkg_add isc-bind
/usr/local/bin/dig -p

However, because this one doesn't use pledge at all, bugs are a bigger risk.

