[unisog] Lifting backbone port 1434/udp blocks
jtk at depaul.edu
Wed Jan 29 09:24:55 GMT 2003
On Tue, Jan 28, 2003 at 07:12:08PM -0600, Glenn Forbes Fleming Larratt wrote:
> > The udp problem gets ugly with BIND 9, which settles on a source port on
> > startup and sticks with that same port for all recursive queries. I had a
> Weird. Good to know about that issue with BIND 9 before we upgrade :)
If you're talking about what I think you're talking about, in the
'options' section of a named configuration file, you can use the
following to limit the source port a BIND 9 server uses:
query-source address * port 53
That can make it easier to build filters for your DNS servers. Some
believe this may make the server more susceptible to a cache poisoning
attack. However, since the source port does not change as long as the
server is running, I don't see how this really adds any security. Now,
if the source port were to randomly change for each successive query,
then that might mean something.
Note: the query-source option only applies to UDP.
I think a good solution to these sorts of problems is splitting the
function of iterative versus recursive queries a name server handles
as described in the DNS book by O'Reilly.
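As an added example (not part of the post above, and not BIND's own tooling): the point made about fixed versus per-query source ports can be checked empirically on a resolver by looking at the UDP source ports its outbound queries actually use. The script below parses tcpdump-style lines of the form `IP src.port > dst.53: ...` for queries to port 53, groups them by querying IP, and reports the number of distinct source ports and the Shannon entropy of the observed port distribution. The capture lines and IP addresses are constructed for the example; the verdict thresholds are an assumption. A resolver configured with `query-source address * port 53` shows exactly one port and zero bits of entropy; later BIND 9 releases randomize the UDP source port per query by default, which is the behaviour the post says "might mean something".

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture) for outbound UDP
# queries from two resolvers. 10.0.0.2 is pinned to source port 53
# (query-source address * port 53); 10.0.0.3 uses a fresh port per query.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.0.0.2.53 > 192.0.2.1.53: 10001+ A? example.com. (29)
12:00:00.000200 IP 10.0.0.2.53 > 192.0.2.2.53: 10002+ A? example.org. (29)
12:00:00.000300 IP 10.0.0.2.53 > 192.0.2.3.53: 10003+ A? example.net. (29)
12:00:00.000400 IP 10.0.0.2.53 > 192.0.2.1.53: 10004+ A? example.com. (29)
12:00:00.000500 IP 10.0.0.3.41022 > 192.0.2.1.53: 20001+ A? example.com. (29)
12:00:00.000600 IP 10.0.0.3.59833 > 192.0.2.2.53: 20002+ A? example.org. (29)
12:00:00.000700 IP 10.0.0.3.33107 > 192.0.2.3.53: 20003+ A? example.net. (29)
12:00:00.000800 IP 10.0.0.3.50214 > 192.0.2.1.53: 20004+ A? example.com. (29)
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" in tcpdump's default IPv4 output.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def source_ports_by_resolver(capture):
    """Map each querying IP to the list of UDP source ports it used
    for queries sent to destination port 53."""
    by_ip = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src_ip, src_port, _dst_ip, dst_port = m.groups()
        if dst_port != "53":  # only outbound DNS queries
            continue
        by_ip.setdefault(src_ip, []).append(int(src_port))
    return by_ip


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def verdict(ports):
    """Assumed classification: one port -> pinned, all distinct -> randomized,
    anything else -> mixed (worth a closer look)."""
    distinct = len(set(ports))
    if distinct == 1:
        return "pinned"
    if distinct == len(ports):
        return "randomized"
    return "mixed"


def report(capture):
    """Per-resolver summary of source-port behaviour."""
    result = {}
    for ip, ports in source_ports_by_resolver(capture).items():
        result[ip] = {
            "queries": len(ports),
            "distinct_ports": len(set(ports)),
            "entropy_bits": entropy_bits(ports),
            "verdict": verdict(ports),
        }
    return result


if __name__ == "__main__":
    for ip, summary in report(SAMPLE_CAPTURE).items():
        print(ip, summary)
```

On a live resolver, feed it the output of `tcpdump -n udp dst port 53` (only the `IP a.b.c.d.port > w.x.y.z.53:` shape is parsed); a "pinned" verdict with zero entropy confirms the fixed-port configuration that makes filtering easy, and the distinct-port count over a larger sample is what tells you how much unpredictability the resolver actually has.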