[unisog] Lifting backbone port 1434/udp blocks

John Kristoff jtk at depaul.edu
Wed Jan 29 09:24:55 GMT 2003


On Tue, Jan 28, 2003 at 07:12:08PM -0600, Glenn Forbes Fleming Larratt wrote:
> > The udp problem gets ugly with BIND 9, which settles on a source port on
> > startup and sticks with that same port for all recursive queries.  I had a
[...]
>  Weird. Good to know about that issue with BIND 9 before we upgrade :)

If you're talking about what I think you're talking about, in the
'options' section of a named configuration file, you can use the
following to limit the source port a BIND 9 server uses:

  query-source address * port 53

That can make it easier to build filters for your DNS servers.  Some
believe this may make the server more susceptible to a cache poisoning
attack.  However, since the source port does not change as long as the
server is running, I don't see how this really adds any security.  Now,
if the source port were to randomly change for each successive query,
then that might mean something.

Note: the query-source option only applies to UDP.

I think a good solution to these sorts of problems is splitting the
function of iterative versus recursive queries a name server handles
as described in the DNS book by O'Reilly.

John

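The point above is that a `query-source ... port 53` line pins the server's UDP source port, so the only thing an off-path forger still has to guess is the 16-bit transaction ID. The script below is an added example, not part of the original post or of BIND: it scans the `options` directives of a named.conf text (comments stripped) and reports any `query-source` or `query-source-v6` statement that pins a numeric port, so a fixed port can be found before it is relied on as a "security" measure. The two configuration fragments are constructed for the example.

```python
import re

# Constructed named.conf fragments for demonstration (not from the original post).
PINNED_CONF = """
options {
    directory "/var/named";
    // pins the UDP source port: easy to filter, but the port never changes
    query-source address * port 53;
    recursion yes;
};
"""

UNPINNED_CONF = """
options {
    directory "/var/named";
    query-source address *;       /* no port keyword: port is not pinned */
    query-source-v6 address * port *;   # explicit wildcard port
    recursion yes;
};
"""

# named.conf allows C-style, C++-style and shell-style comments.
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"(//|#).*")

# One query-source statement: everything up to the terminating semicolon.
QUERY_SOURCE_RE = re.compile(
    r"^\s*(?P<directive>query-source(?:-v6)?)\s+(?P<body>[^;]*);", re.M)
# The port clause inside it: either a wildcard or a numeric port.
PORT_RE = re.compile(r"\bport\s+(?P<port>\*|\d+)(?!\S)")


def strip_comments(text):
    """Remove block and line comments so commented-out directives are ignored."""
    text = BLOCK_COMMENT_RE.sub("", text)
    return LINE_COMMENT_RE.sub("", text)


def pinned_query_source_ports(conf_text):
    """Return (directive, port) for every query-source statement that fixes
    a numeric UDP source port. A missing port clause or 'port *' is not
    pinned and is skipped."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf_text)):
        pm = PORT_RE.search(m.group("body"))
        if pm and pm.group("port") != "*":
            findings.append((m.group("directive"), int(pm.group("port"))))
    return findings


def report(conf_text):
    """Human-readable summary of the pinned-port check for one config text."""
    hits = pinned_query_source_ports(conf_text)
    if not hits:
        return "OK: no query-source statement pins a numeric source port"
    return "; ".join(
        f"{d} pins UDP source port {p}: only the 16-bit transaction ID "
        f"varies between queries" for d, p in hits)


if __name__ == "__main__":
    print(report(PINNED_CONF))
    print(report(UNPINNED_CONF))
```

Run it against a real named.conf by reading the file into `report()`; the check only looks at the statement text, so it reports what the configuration asks for, not what the running daemon has actually bound.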