Bind: Standard Ports And Non Standard Ports

Jakob Bohm jb-bindusers at wisemo.com
Fri Feb 11 16:29:47 UTC 2022


On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:
>
> After some months of poking around, we are now certain that our
> so-called "Business" service from Comcast is compromising our DNS
> servers because of their execrable "Security Edge" garbage.  (They are
> willing to remove this 'service' only if we are willing to incur a
> higher monthly recurring fee.)
>
> Our master is in the wild and works fine, but the slave is behind the
> compromised Comcast pipe.  The effect of having Security Edge in place
> is that the slave cannot get updates from the master and is also unable
> to resolve anything outside our own zone.  Comcast is apparently
> hijacking all port 53 requests and doing unspeakable things with them.
>
> Is there a way to have these servers work as usual, listening to
> resolution requests on port 53, but have the slave update AND forward
> requests to the master over a non-standard port, so as to work around
> the Comcast madness?
>
> TIA,
> Tim
>
> P.S. My guess is that this so-called "security" service is no such
>      thing, or at least it's not the only thing.  They are probably
>      harvesting DNS lookups to sell as marketing data, or at least that
>      would be my first guess.
If bind cannot be configured to avoid a port blocking or filtering 3rd
party filter between two of your own servers, the obvious solution is
to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt
all traffic between the two servers.  That should pass through any ISP
filters that don't block work-from-home VPNs.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
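Editor's added example (not part of the original thread, and not taken from ISC's documentation): the non-standard-port arrangement Tim asks about can be expressed directly in named.conf, without a tunnel. It assumes a primary at 203.0.113.10 and a secondary at 198.51.100.20 (documentation addresses), a zone named example.com, a LAN of 192.0.2.0/24 behind the secondary, and that the ISP passes UDP and TCP port 5300 untouched. The last point is an assumption to verify, not a given. If the filter follows the traffic to the new port, a tunnel remains the fallback (IPsec or OpenVPN; DNSSEC, named in the reply above, signs zone data and does not carry traffic).

```conf
// ---- Primary ("master"), in the wild: named.conf fragment ----
// Assumed addresses: primary 203.0.113.10, secondary 198.51.100.20.
options {
    // Keep answering ordinary clients on 53 ...
    listen-on port 53 { any; };
    // ... and additionally on 5300 for the secondary behind the filtering ISP.
    // BIND permits several listen-on statements with different ports.
    listen-on port 5300 { any; };

    // The secondary will forward its off-zone lookups here, so recursion
    // must be enabled for it, and only for it.
    recursion yes;
    allow-recursion { 198.51.100.20; localhost; };
};

zone "example.com" {
    type primary;                 // "type master" on BIND older than 9.16
    file "zones/example.com.db";
    allow-transfer { 198.51.100.20; };
    // Send NOTIFY only to the explicit list, and on 5300, so it is not
    // swallowed by the port 53 interception like the default NS-based NOTIFY.
    notify explicit;
    also-notify { 198.51.100.20 port 5300; };
};

// ---- Secondary ("slave"), behind the ISP filter: named.conf fragment ----
options {
    listen-on port 53 { any; };   // local clients keep using the standard port
    listen-on port 5300 { any; }; // so the primary's NOTIFY on 5300 is received

    // Everything outside our own zones goes to the primary on 5300 instead
    // of taking the intercepted port 53 path.
    recursion yes;
    allow-recursion { 192.0.2.0/24; localhost; };   // assumed LAN
    forward only;
    forwarders { 203.0.113.10 port 5300; };
};

zone "example.com" {
    type secondary;               // "type slave" on BIND older than 9.16
    file "zones/example.com.db";
    // SOA refresh queries and AXFR/IXFR go to 5300; the port is part of
    // the primaries entry. Older BIND spells this "masters { ... };".
    primaries { 203.0.113.10 port 5300; };
};
```

Before trusting this, check from the secondary that the alternate port really is clear: `dig @203.0.113.10 -p 5300 example.com SOA` should return the primary's own serial (compare it with the same query on port 53, which under Security Edge would come back rewritten or not at all), and `dig @203.0.113.10 -p 5300 example.net A` should resolve, proving recursion is permitted for the secondary's address. Zone transfer over TLS (XoT, RFC 9103, available from BIND 9.18) is the other way to get the transfer off the intercepted path without a VPN, since it uses port 853 and is encrypted end to end.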



More information about the bind-users mailing list