migration from pre bind 8 to v8 or greater.

Mark_Andrews at isc.org
Wed Nov 7 03:37:51 UTC 2001


> but surely you can't allow opening of a wide range of ports on the 
> firewall for DNS ? wouldn't that add on the possible security 
> implications ? also, for packet filtering firewalls i don't think there 
> are any other alternatives. just my 2 cents...

	There are lots of alternatives.  Use a firewall that keeps state.
	Lock to a port other than 53; this separates the two roles.

	Mark

> 
> Kevin Darcy wrote:
> 
> >The use of random unprivileged ports was largely for security reasons. If you
> >use port 53 for everything, how can your firewall distinguish outgoing
> >queries from potentially malicious attempts to query your internal
> >nameservers from the outside? Sure, you can set query restrictions in
> >named.conf, but then you're relying on your nameserver to provide Internet
> >security measures. Isn't that what you bought the firewall for in the first
> >place?
> >
> >
> >- Kevin
> >
> >Bri- wrote:
> >
> >>Hi,
> >>
> >>Just wanted to share what took me a bit to figure out.  The line below in
> >>named.conf fixed my prob;
> >>
> >>options { query-source address * port 53; };
> >>
> >>Why;
> >>
> >>Because prior to bind8, name queries were sent on port 53.  With bind8 or
> >>higher, queries are sent out on ports greater than 1023.  If you have a
> >>firewall, this IZ a problem in that if you keep things nice and tight, you
> >>probably don't allow named queries from anything other than port 53.
> >>
> >>I prefer to reconfig named rather than my firewall.  You can instead
> >>reconfig your firewall rather than add the option above.
> >>
> >>Bri-
> >>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
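Added example, not from the thread or from BIND itself: a small Python checker that reads the `query-source` option out of a named.conf fragment and reports how outgoing queries will look to a packet filter, matching the three positions taken above (random unprivileged ports, everything pinned to 53, or a fixed non-53 port). The named.conf fragments are constructed for the example.

```python
import re

# Constructed named.conf fragments (not from the thread) for the three cases.
PINNED_53 = "options { query-source address * port 53; };"
PINNED_OTHER = 'options {\n    directory "/var/named";\n    query-source address 192.0.2.1 port 5300;\n};'
EPHEMERAL = 'options { directory "/var/named"; };'

# query-source [address <addr>] [port <port>];  (BIND 8 syntax, both parts optional)
QS_RE = re.compile(
    r"query-source\s+(?:address\s+(?P<addr>\S+))?\s*(?:port\s+(?P<port>\S+))?\s*;",
    re.IGNORECASE,
)


def query_source(conf: str):
    """Return (address, port) from the query-source option, or (None, None) if absent."""
    m = QS_RE.search(conf)
    if not m:
        return None, None
    return m.group("addr") or "*", m.group("port") or "*"


def assess(conf: str) -> str:
    """Classify the source port outgoing queries will carry."""
    _, port = query_source(conf)
    if port is None or port == "*":
        # BIND 8 default: random port > 1023, so a stateless filter cannot pin it down.
        return "ephemeral"
    if port == "53":
        # Outgoing queries now look exactly like inbound traffic to the server role.
        return "pinned-53"
    # Fixed non-53 port: resolver traffic and server traffic are separable by port.
    return "pinned-other"


def firewall_posture(conf: str) -> str:
    """What the firewall needs to do for each case, as discussed in the thread."""
    return {
        "ephemeral": "stateful filter: allow replies only to queries it saw go out",
        "pinned-53": "roles conflated: filter cannot tell queries from inbound server traffic",
        "pinned-other": "stateless filter can allow out from the query port and in to 53 separately",
    }[assess(conf)]


if __name__ == "__main__":
    for name, conf in (("pinned-53", PINNED_53), ("pinned-other", PINNED_OTHER), ("ephemeral", EPHEMERAL)):
        print(f"{name:13s} {query_source(conf)} -> {firewall_posture(conf)}")
```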