zone transfers sticking on one port?

Mark Andrews Mark_Andrews at isc.org
Tue Mar 16 00:35:46 UTC 2004


> At 05:56 PM 3/15/2004, Mark Andrews wrote:
> 
> 
> >         Failure to get an answer is not normally a reason to change
> >         port.  It normally indicates that a host / link is down.
> >         Changing port is not an indicated solution to this problem.
> >
> >         Even if named was capable of receiving the ICMP message
> >         (your firewall does generate an ICMP message?) there is
> >         nothing in ICMP messages to say "Try a different source
> >         port".
> 
> 
> Not a firewall.  Just a port block on the border.  But this is what I need 
> to know, named should behave that way.   And I know what to look for in the 
> future.

	You implemented a firewall when you blocked the port.  While
	firewalls often perform other functions, the simplest firewalls
	are just port blockers.
 
> named may not be capable of receiving an ICMP message, but it knows if it 
> doesn't get a response back or not, right (based on whether the zone gets 
> transferred or not)?    Is this something that would be useful for bind to 
> do, skip on to another port if it's not successfully loading the 
> zone?

	No.  Stupid firewalls should be fixed not worked around.

> the avoid-udp port flag allows you to at least block it out, that's 
> a pretty useful addition, if a port is blocked for a reason outside your 
> control, but it would be cool if named could do this on its own.  I know, 
> that's a lot to ask, I'm just thinking out loud.  :)
> 
> 
> >         Blocking non-reserved ports is always fraught with danger.
> >         You will be creating problems for all applications that may
> >         use that port not just the malware.  You just happened to
> >         see the problems with named.
> 
> 
> Not the one made/making that decision, it was based on virus mitigation.  I 
> just had to figure out the fall-out.  Hopefully this incident has instilled 
> a bit more responsibility in those blocking ports around here.  :)   chris  

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
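To make the ICMP point in this exchange concrete, here is an added example (not code from this thread, from ISC or from BIND) that builds a constructed UDP query and the ICMP Destination Unreachable message a filtering router might send back for it, then decodes that message the way a sender could. Everything the decoder recovers is the identity of the dropped packet (addresses, protocol, ports) and a reason code; there is no field that asks the sender to use a different source port. The addresses (documentation ranges), the query-source port 32868, the query itself and the packet bytes are all constructed for this example.

```python
"""
Decode an ICMPv4 Destination Unreachable message as a sending host could,
to show what such a message does and does not tell the sender.
Added example, not BIND code; the scenario below is constructed.
"""
import struct
from ipaddress import IPv4Address

# Destination Unreachable (type 3) codes from RFC 792, RFC 1122 and RFC 1812.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "network unreachable for type of service",
    12: "host unreachable for type of service",
    13: "communication administratively prohibited",
    14: "host precedence violation",
    15: "precedence cutoff in effect",
}
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3 message quoting the offending IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (original_datagram[0] & 0xF) * 4
    body = struct.pack("!BBHI", 3, code, 0, 0) + original_datagram[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Validate a type 3 message and recover which packet it refers to and why it was dropped."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("ICMP message too short to carry the quoted datagram")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % itype)
    inner = icmp[8:]                      # the quoted original datagram
    if inner[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (inner[0] & 0xF) * 4
    if len(inner) < ihl + 4:
        raise ValueError("quoted datagram truncated before the port numbers")
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    sport = dport = None
    if proto in PROTO_NAMES:              # UDP and TCP both start with source port, destination port
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "reason": UNREACH_CODES.get(code, "unknown"),
            "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def describe(info: dict) -> str:
    """One-line summary of everything the ICMP message tells the sender."""
    name = PROTO_NAMES.get(info["proto"], "proto %d" % info["proto"])
    if info["sport"] is None:
        return "%s %s -> %s: %s (code %d)" % (name, info["src"], info["dst"], info["reason"], info["code"])
    return "%s %s:%d -> %s:%d: %s (code %d)" % (name, info["src"], info["sport"], info["dst"],
                                                info["dport"], info["reason"], info["code"])


# Constructed scenario: a nameserver at 192.0.2.10 sends a UDP SOA query for
# example.com from its fixed query-source port 32868 to 198.51.100.20:53; a
# border device drops it and answers with type 3, code 13.
QUERY_PAYLOAD = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS header, 1 question
                 + b"\x07example\x03com\x00\x00\x06\x00\x01")          # example.com SOA IN
UDP_HEADER = struct.pack("!HHHH", 32868, 53, 8 + len(QUERY_PAYLOAD), 0)
ORIGINAL_DATAGRAM = (build_ipv4_header("192.0.2.10", "198.51.100.20", 17, 28 + len(QUERY_PAYLOAD))
                     + UDP_HEADER + QUERY_PAYLOAD)
SAMPLE_ICMP = build_icmp_unreachable(13, ORIGINAL_DATAGRAM)

if __name__ == "__main__":
    # The decoded fields name the dropped packet and give a reason; nothing in
    # them suggests another source port, which is the point made in the thread.
    print(describe(parse_icmp_unreachable(SAMPLE_ICMP)))
```

Note the other half of the argument above: a border device that simply drops the packet sends no ICMP at all, so there is nothing to decode and the application sees only a timeout, which looks the same as a dead host or link.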

