dig source port
phn at icke-reklam.ipsec.nu
Mon Aug 25 21:51:57 UTC 2003
lvobr at ies.etisalat.ae wrote:
> ----- Original Message -----
> From: Jim Reid <jim at rfc1035.com>
> Date: Monday, August 25, 2003 5:46 am
> Subject: Re: dig source port
>> >>>>> ">" == lvobr <lvobr at ies.etisalat.ae>
> writes:
>>
>> >> Is there a way I can specify source port for
> the dig
>>
>> No.
>>
>> >> I have setup with firewall, and my
> nameserver source port is
>> >> abcd, but I am unable to make the dig to use
> the same, thus
>> >> firewall stops the dig random source port
> requests.
>>
>> So fix the firewall. It's broken.
> Don't you think that opening all random udp ports on the L3 firewall for
> anybody who originates a packet from his 53 udp port is a luxury just to
> get a dig reply back?
Any firewall worth its salt will save some state, only allowing
_answers_ to the ports that have been asking _questions_.
> for me it is a luxury, and I will not do that to have simple dig command
> working, but exposing all random udp port on my internal recursive
> nameserver.
It seems to me that you will increase your security by learning
to configure them properly.
> Can somebody answer why dig in bind8 has it as a syntax but does not
> really implement it ?
> also I can use +vc, which is less harmful in my case, if I open tcp
> established in our firewall.
> I basically check root servers' responses by dig, from the internal
> recursive nameserver, to have some statistics.
> btw, the source-query address port, has a very valid point for named
> from security point of view, why it is surprising for dig or nslookup
> to have the same ?
The possibility to specify source ports is a migration help for those
depending on bind-4 behaviour (which is no excuse). It does not
increase security at all.
> Ladislav
>
>> >> I can recompile it, but it is the last
> option for me.
>>
>> Indeed. Fixing the incorrect firewall
> configuration would be the right
>> thing to do.
>>
>>
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
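The stateful matching described above, as an added illustration that is not part of the thread: a small model of a stateless "accept anything from udp/53" rule beside a firewall that remembers each outbound question and admits only the answer to the port that asked. Hosts, ports and timeout are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Udp:
    """One UDP datagram, addresses and ports only."""
    src: str
    sport: int
    dst: str
    dport: int


class StatelessFirewall:
    """The rule the poster objects to: any inbound UDP from port 53 passes,
    whatever internal port it is aimed at."""

    def inbound_allowed(self, pkt: Udp) -> bool:
        return pkt.sport == 53


class StatefulFirewall:
    """Record each outbound question; pass only the matching answer, and
    only while the entry is fresh."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.pending: dict[tuple, float] = {}

    def outbound(self, pkt: Udp, now: float) -> None:
        self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout

    def inbound_allowed(self, pkt: Udp, now: float) -> bool:
        # The answer has the question's addresses and ports swapped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.pending.get(key)
        if expiry is None or expiry < now:
            self.pending.pop(key, None)
            return False
        return True


def demo() -> dict:
    inside, outside = "192.0.2.10", "203.0.113.5"   # constructed addresses
    query = Udp(inside, 40123, outside, 53)         # dig's random source port
    answer = Udp(outside, 53, inside, 40123)        # the reply to that query
    unasked = Udp(outside, 53, inside, 2049)        # port 53 -> a port that never asked
    stateless, stateful = StatelessFirewall(), StatefulFirewall()
    stateful.outbound(query, now=0.0)
    return {
        "stateless_answer": stateless.inbound_allowed(answer),
        "stateless_unasked": stateless.inbound_allowed(unasked),
        "stateful_answer": stateful.inbound_allowed(answer, now=1.0),
        "stateful_unasked": stateful.inbound_allowed(unasked, now=1.0),
        "stateful_stale": stateful.inbound_allowed(answer, now=100.0),
    }
```

With state, dig's reply to its random port still gets through, while the stateless rule also lets port-53 traffic reach every other internal UDP port.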