migration from pre bind 8 to v8 or greater.

Ethan phil46 at pacific.net.sg
Wed Nov 7 03:42:39 UTC 2001


So are you saying that if I just have a plain packet-filtering firewall that does 
not keep state, I can set query-source to ports other than 53 so 
that BIND will still work?

Mark.Andrews at isc.org wrote:

>>but surely you can't allow opening of a wide range of ports on the 
>>firewall for DNS? Wouldn't that add to the possible security 
>>implications? Also, for packet-filtering firewalls I don't think there 
>>are any other alternatives. Just my 2 cents...
>>
>
>	There are lots of alternatives.  Use a firewall that keeps state.
>	Lock to a port other than 53; this separates the two roles.
>
>	Mark
>
>>Kevin Darcy wrote:
>>
>>>The use of random unprivileged ports was largely for security reasons. If you
>>>use port 53 for everything, how can your firewall distinguish outgoing
>>>queries from potentially malicious attempts to query your internal
>>>nameservers from the outside? Sure, you can set query restrictions in
>>>named.conf, but then you're relying on your nameserver to provide Internet
>>>security measures. Isn't that what you bought the firewall for in the first
>>>place?
>>>
>>>
>>>- Kevin
>>>
>>>Bri- wrote:
>>>
>>>>Hi,
>>>>
>>>>Just wanted to share what took me a bit to figure out.  The line below in
>>>>named.conf fixed my prob;
>>>>
>>>>options { query-source address * port 53; };
>>>>
>>>>Why;
>>>>
>>>>Because prior to bind8, name queries were sent on port 53.  With bind8 or
>>>>higher, queries are sent out on ports greater than 1023.  If you have a
>>>>firewall, this is a problem in that if you keep things nice and tight, you
>>>>probably don't allow named queries from anything other than port 53.
>>>>
>>>>I prefer to reconfig named rather than my firewall.  You can instead
>>>>reconfig your firewall rather than add the option above.
>>>>
>>>>Bri-
>>>>
>>>
>>>
>>
>>
>>
>--
>Mark Andrews, Internet Software Consortium
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
>
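As an added illustration, not part of the thread itself, the following Python models what a stateless packet filter can and cannot tell apart under the three configurations discussed above: BIND 8's default random unprivileged query port, Bri-'s `query-source address * port 53`, and Mark's fixed port other than 53 (5300 is an arbitrary value chosen here, not one from the thread).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports 1024-65535: the unprivileged range BIND 8 picks its query port from.
UNPRIVILEGED = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    """An inbound UDP packet as a stateless filter sees it: ports only,
    no memory of what was sent out earlier (constructed for this example)."""
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_port: Optional[int]       # None = any source port
    dst_range: Tuple[int, int]    # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        return self.dst_range[0] <= pkt.dst_port <= self.dst_range[1]


def inbound_rules(query_source_port: Optional[int]) -> List[Rule]:
    """Inbound rules a stateless filter needs in front of named.
    None models the BIND 8 default (random unprivileged query port);
    an int models 'query-source address * port N' in named.conf."""
    if query_source_port is None:
        reply_dst = UNPRIVILEGED
    else:
        reply_dst = (query_source_port, query_source_port)
    return [
        # Outside hosts querying the zones named serves: always needed.
        Rule("external query to named", None, (53, 53)),
        # Answers to named's own outgoing queries come back from port 53.
        Rule("reply to our own query", 53, reply_dst),
    ]


def classify(pkt: Packet, rules: List[Rule]) -> List[str]:
    """Names of every rule admitting the packet; two names means the
    filter cannot separate the two roles Kevin and Mark describe."""
    return [r.name for r in rules if r.matches(pkt)]


def reply_hole_size(rules: List[Rule]) -> int:
    """How many destination ports the reply rule leaves open inbound."""
    lo, hi = rules[1].dst_range
    return hi - lo + 1
```

Pinning the query source also gives up source-port randomization, which later BIND releases rely on to resist cache poisoning, so on a current system the stateful firewall Mark mentions is the better fix.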