Possible System Compromise
Jim Reid
jim at rfc1035.com
Wed Feb 14 13:37:22 UTC 2001
>>>>> "Daniel" == Daniel Roesen <droesen at entire-systems.com> writes:
>> Er, no. The name server binds to port 53 before it gives up its
>> super user privileges and runs as some other UID. How else could
>> the name server work if it didn't listen on port 53? And to do
>> that named has to explicitly bind() to that port number.
Daniel> This is right for the TCP _listening_ socket of the server
Daniel> side. We were talking about outgoing TCP queries by the
Daniel> resolver side of BIND.
Those outbound TCP queries should use a random, non-privileged port
number. Here's what's in the BIND8 documentation:
Note: query-source currently applies only to
UDP queries; TCP queries always use a wildcard IP address and
a random unprivileged port.
And in the BIND9 ARM it says:
query-source currently applies only
to UDP queries; TCP queries always use a wildcard IP address and
a random unprivileged port.
So if you're seeing different behaviour, it's a bug.
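As an added example (not from the thread and not BIND's own code), the Python below checks the two claims made here: a TCP client socket that is never bind()ed gets a kernel-chosen unprivileged source port, and an audit over lines in the shape of `ss -tnp` output flags any connection to a remote port 53 whose local source port is privileged, which is the "different behaviour" that would indicate a bug. The sample addresses, PIDs and socket lines are constructed.

```python
import re
import socket

PRIVILEGED_MAX = 1023          # ports 0-1023 need root (or CAP_NET_BIND_SERVICE) to bind
DNS_PORT = 53

def outbound_source_port() -> int:
    """Connect a client socket without calling bind() on it and return the
    source port the kernel picked; this is what an unbound TCP query gets."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))      # loopback listener stands in for a remote name server
        srv.listen(1)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(srv.getsockname())
            conn, _ = srv.accept()
            conn.close()
            return cli.getsockname()[1]

# Constructed sample in the shape of `ss -tnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      192.0.2.10:41234    198.51.100.5:53     users:(("named",pid=1234,fd=20))
ESTAB  0      0      192.0.2.10:53       198.51.100.7:53     users:(("named",pid=1234,fd=21))
ESTAB  0      0      192.0.2.10:55678    203.0.113.9:443     users:(("curl",pid=999,fd=3))
"""

_PROC_RE = re.compile(r'\("([^"]+)"')   # pulls the process name out of users:(("name",...))

def flag_privileged_sources(ss_lines):
    """Return (local_port, peer, process) for TCP connections to a remote
    port 53 whose local source port is privileged. Per the BIND docs quoted
    above there should be none; a hit means a bug or some other daemon."""
    hits = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue                     # skip the header and malformed lines
        local_port = int(fields[3].rsplit(":", 1)[1])
        peer = fields[4]
        peer_port = int(peer.rsplit(":", 1)[1])
        proc = _PROC_RE.search(line)
        if peer_port == DNS_PORT and local_port <= PRIVILEGED_MAX:
            hits.append((local_port, peer, proc.group(1) if proc else "?"))
    return hits

if __name__ == "__main__":
    print("unbound client socket got source port", outbound_source_port())
    for local_port, peer, proc in flag_privileged_sources(SAMPLE_SS.splitlines()):
        print(f"privileged source port {local_port} -> {peer} ({proc})")
```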
More information about the bind-users
mailing list