dig source port patch
Barry Margolin
barry.margolin at level3.com
Thu Aug 28 18:50:44 UTC 2003
In article <bilge6$20rm$1 at sf1.isc.org>,
Simon Waters <Simon at wretched.demon.co.uk> wrote:
>On the other hand one cache (not BIND) uses a different source port for
>each query because this makes it harder to spoof answers (the DNS
>antispoofing mechanism being quite weak).
While this may be good from a security standpoint, it doesn't seem
practical for high-volume resolvers.
If you're processing hundreds of queries/second, this would hog an awful
lot of ports. I presume the port is reserved for a particular query until
it either gets a response or times out. Since there are so many bad
delegations out there (especially for reverse DNS), they'll wait for
timeouts very often. I could easily imagine running out of ports.
--
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
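Added example, not code from the thread or from any resolver: a small Python model of the port-reservation argument above, assuming each in-flight query holds one source port until it is answered or times out, with a 64512-port ephemeral range and constructed rate/RTT/timeout figures.

```python
import heapq
import random

EPHEMERAL_POOL = 64512  # assumed usable source-port range (1024-65535)

def expected_ports_in_use(qps, rtt_s, timeout_s, timeout_fraction):
    """Little's law: mean ports reserved = query rate x mean time a port is held.
    An answered query frees its port after one RTT; an unanswered one (bad
    delegation, dead server) holds it until the resolver's timeout fires."""
    mean_hold_s = (1 - timeout_fraction) * rtt_s + timeout_fraction * timeout_s
    return qps * mean_hold_s

def simulate(qps, rtt_s, timeout_s, timeout_fraction, duration_s,
             pool=EPHEMERAL_POOL, seed=1):
    """Event-driven model of one-source-port-per-query reservation.
    Returns (peak_ports_in_use, queries_refused_for_lack_of_a_port)."""
    rng = random.Random(seed)
    releases = []            # min-heap of times at which a reserved port is freed
    peak = refused = 0
    interval = 1.0 / qps     # deterministic arrivals, one query every 1/qps seconds
    for i in range(int(duration_s * qps)):
        now = i * interval
        while releases and releases[0] <= now:   # free ports whose query finished
            heapq.heappop(releases)
        if len(releases) >= pool:                # no free source port: cannot send
            refused += 1
            continue
        hold = timeout_s if rng.random() < timeout_fraction else rtt_s
        heapq.heappush(releases, now + hold)
        peak = max(peak, len(releases))
    return peak, refused

if __name__ == "__main__":
    # constructed scenarios: 50 ms RTT, 30 s timeout, varying load and timeout share
    for qps, frac in ((100, 0.1), (500, 0.2), (5000, 0.5)):
        print(qps, frac, round(expected_ports_in_use(qps, 0.05, 30, frac)),
              simulate(qps, 0.05, 30, frac, 60))
```

The closed-form figure shows that the timeout term dominates: at 500 queries/second with a 20% timeout share the pool holds, while at 5000 queries/second with half the queries timing out the model exhausts the range in under 30 seconds.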