[Dshield] Help: DNS (53)

David Hart DavidHart at TQMcube.com
Thu Jan 1 21:50:22 GMT 2004


On Thu, 2004-01-01 at 13:58, Jeff Kell wrote:
> Just to stir the fire a bit...

> For some reason, recent Linux (RedHat) builds of bind pick their 
> outgoing request port in the 32770ish range.  If you blindly follow the 
> SANS guidelines which say "block 32770-32789 as these are RPC loopback 
> ports" you will hose DNS.  So always permit DNS (53) through this range 
> before you block everything else.

While I did not mention it, that was really what started this thread.

BTW, it carried forward into Fedora. 

I installed TinyDNS today which requires patching (including the two
other required programs) to get it to run on RH or Fedora. Frankly, it
seems to consume more resources than Bind as an external cache and I
just wasn't comfortable with it and the numerous error messages on the
builds. Back to bind.
> 
> Jeff
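A constructed first-match packet-filter model, added here as an example (not code from the thread or from any firewall product), showing the ordering point Jeff raises: dropping 32770-32789 outright also drops the DNS replies bind is waiting for on those ports, while a permit for UDP source port 53 into that range placed before the drop keeps DNS working and still blocks other traffic to the range. The rule format, the first-match semantics and the sample packets' port numbers are assumptions.

```python
# Constructed first-match filter model (assumption: rules are checked top to
# bottom and the first matching rule decides, as in most packet filters).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str    # "udp" or "tcp"
    sport: int    # source port
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None       # None matches any protocol
    sport: Optional[range] = None     # None matches any source port
    dport: Optional[range] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def evaluate(rules, p: Packet, default: str = "ACCEPT") -> str:
    """Return the action of the first rule matching p, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# The range the guideline says to block (32770-32789 inclusive).
RPC_LOOPBACK = range(32770, 32790)

# Naive ordering: block the RPC loopback range, nothing before it.
NAIVE = [Rule("DROP", dport=RPC_LOOPBACK)]

# Ordering from the thread: permit DNS (source port 53) into the range
# first, then block everything else aimed at it.
FIXED = [
    Rule("ACCEPT", proto="udp", sport=range(53, 54), dport=RPC_LOOPBACK),
    Rule("DROP", dport=RPC_LOOPBACK),
]

# Constructed traffic: a DNS reply to the port bind chose for its query,
# and an unrelated probe at a port in the same range.
DNS_REPLY = Packet("udp", sport=53, dport=32771)
RPC_PROBE = Packet("tcp", sport=40000, dport=32771)
```

The permit rule keys only on source port 53, so any sender that sets that source port also reaches the range; a stateful filter that admits only replies to queries it has seen leave is the tighter option.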

