migration from pre bind 8 to v8 or greater.

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 7 03:10:37 UTC 2001


The use of random unprivileged ports was largely for security reasons. If you
use port 53 for everything, how can your firewall distinguish outgoing
queries from potentially malicious attempts to query your internal
nameservers from the outside? Sure, you can set query restrictions in
named.conf, but then you're relying on your nameserver to provide Internet
security measures. Isn't that what you bought the firewall for in the first
place?


- Kevin

Bri- wrote:

> Hi,
>
> Just wanted to share what took me a bit to figure out.  The line below in
> named.conf fixed my prob:
>
> options { query-source address * port 53; };
>
> Why:
>
> Because prior to bind8, name queries were sent on port 53.  With bind8 or
> higher, queries are sent out on ports greater than 1023.  If you have a
> firewall, this is a problem in that if you keep things nice and tight, you
> probably don't allow named queries from anything other than port 53.
>
> I prefer to reconfig named rather than my firewall.  You can instead
> reconfig your firewall rather than add the option above.
>
> Bri-
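Kevin's objection, worked through as an added example (this is not code from the thread, from BIND, or from anyone's real firewall): a small Python model of the two stateless packet-filter policies a firewall would need, one for Bri-'s `query-source ... port 53` setup and one for the BIND 8 default of an unprivileged source port, applied to a handful of constructed packets. The addresses are taken from the RFC 5737 documentation ranges and the query port `QUERY_PORT` is invented; both are assumptions for illustration.

```python
"""Two stateless packet-filter policies for an internal nameserver, modelled on
the trade-off discussed in the thread. Added example; not configuration from
the thread or from BIND. Addresses are RFC 5737 documentation addresses and
every packet below is constructed for illustration.
"""

from dataclasses import dataclass

# Assumed address of the internal nameserver behind the firewall.
INTERNAL_NS = "192.0.2.53"
# Assumed unprivileged port that named uses as its query source when
# query-source does not fix one. The value is invented.
QUERY_PORT = 40321


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter actually gets to look at."""
    direction: str   # "in" = from the Internet, "out" = towards the Internet
    src: str
    sport: int
    dst: str
    dport: int


def policy_fixed_53(pkt: Packet) -> str:
    """Bri-'s setup: named sends queries from port 53, so the filter must pass
    UDP 53 -> 53 in both directions. A reply to our own query and a query from
    an outside host carry identical header fields, so both are accepted."""
    if pkt.direction == "out" and pkt.src == INTERNAL_NS and pkt.sport == 53 and pkt.dport == 53:
        return "accept"
    if pkt.direction == "in" and pkt.dst == INTERNAL_NS and pkt.sport == 53 and pkt.dport == 53:
        return "accept"
    return "deny"


def policy_unprivileged_source(pkt: Packet) -> str:
    """BIND 8 default: queries leave from a port above 1023 and replies come
    back to that port. Inbound traffic aimed at port 53 on the internal server
    is therefore never a reply and can be refused at the firewall."""
    if pkt.direction == "out" and pkt.src == INTERNAL_NS and pkt.sport > 1023 and pkt.dport == 53:
        return "accept"
    if pkt.direction == "in" and pkt.dst == INTERNAL_NS and pkt.sport == 53 and pkt.dport > 1023:
        return "accept"
    return "deny"


# Constructed traffic: an exchange with an upstream server at 198.51.100.10,
# and an outside host at 203.0.113.7 querying the internal server directly
# (choosing source port 53 costs an attacker nothing).
UPSTREAM = "198.51.100.10"
OUTSIDER = "203.0.113.7"

SAMPLE = {
    "our_query_from_53":     Packet("out", INTERNAL_NS, 53, UPSTREAM, 53),
    "reply_to_53":           Packet("in", UPSTREAM, 53, INTERNAL_NS, 53),
    "our_query_from_unpriv": Packet("out", INTERNAL_NS, QUERY_PORT, UPSTREAM, 53),
    "reply_to_unpriv":       Packet("in", UPSTREAM, 53, INTERNAL_NS, QUERY_PORT),
    "outsider_query":        Packet("in", OUTSIDER, 53, INTERNAL_NS, 53),
}


def evaluate(policy, packets=SAMPLE):
    """Return {packet name: verdict} for every sample packet under one policy."""
    return {name: policy(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, policy in (("fixed source port 53", policy_fixed_53),
                          ("unprivileged source port", policy_unprivileged_source)):
        print(f"--- {label} ---")
        for pkt_name, verdict in evaluate(policy).items():
            print(f"{pkt_name:24s} {verdict}")
```

Under the fixed-53 policy the upstream reply and the outsider's query get the same verdict because the filter sees identical headers; the only thing left to tell them apart is the query restriction in named.conf, which is exactly what Kevin objects to relying on. With an unprivileged source port the filter can refuse inbound packets to port 53 outright and still let replies through. Two caveats the thread does not raise: a stateful filter that records the outbound query and admits only its matching reply narrows the difference either way, and fixing the source port to a known value removes one of the fields a forged reply would otherwise have to guess.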



More information about the bind-users mailing list