Recursive queries fail if query source port is not fixed

Hans F. Nordhaug Hans.F.Nordhaug at hiMolde.no
Wed Aug 13 23:42:40 UTC 2008


* JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya at isc.org> [2008-08-14]:
> At Wed, 13 Aug 2008 09:36:18 +0200,
> "Hans F. Nordhaug" <Hans.F.Nordhaug at hiMolde.no> wrote:
> 
> > In the quest for securing the name servers in a company I try to help,
> > I have gotten into trouble. The company is running CentOS 5.0 and I
> > have updated their BIND to 9.3.4_P1. In addition, I planned to remove
> > the "query-source port 53;" from /etc/named.conf so the servers aren't
> > vulnerable to cache poisoning.
> > 
> > The problem is that recursive queries fail if I remove
> > "query-source port 53;". I have checked iptables on the servers and the
> > rules on the Cisco ASA and there isn't anything limiting the traffic
> > to port 53 - which I think the dumps below (from tcpdump) confirm.
> 
> Do you mean any query always fails, or some queries sometime fail
> (while some others succeed)?

Thx for replying.

Any recursive query, i.e., any query for some domain the server isn't
authoritative for, fails.

Hans
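As an added example (not part of the thread, and not the poster's actual configuration), the following Python script flags a BIND named.conf whose query-source directive pins the outbound UDP source port, which is the setting the post describes removing so that the resolver picks a fresh ephemeral port per query, and rewrites the directive to the corrected form. The two named.conf fragments embedded in it are constructed for illustration; the option names and syntax are BIND's own.

```python
"""Detect and strip a fixed query-source port in a BIND named.conf.

Added example: the config fragments below are constructed, not taken
from the original post or from any real server.
"""
from __future__ import annotations

import re

# Constructed fragment: the weak setting the post describes.  Every
# recursive query leaves from UDP port 53, so an attacker only has to
# guess the 16-bit transaction ID to forge a matching answer.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    recursion yes;
};
"""

# Constructed fragment: the corrected setting.  With no "port" clause,
# named chooses an ephemeral source port for each outgoing query.
FIXED_CONF = """
options {
    directory "/var/named";
    query-source address *;
    recursion yes;
};
"""

# Matches "query-source ...;" and "query-source-v6 ...;" at the start of a
# line, keeping the indentation so rewrites stay tidy.
QUERY_SOURCE_RE = re.compile(
    r"(?P<indent>^[ \t]*)(?P<directive>query-source(?:-v6)?)\s+(?P<rest>[^;]*);",
    re.MULTILINE,
)


def _fixed_port(rest: str) -> int | None:
    """Return the pinned port in a query-source argument list, or None.

    "port *" (BIND's explicit random-port form) and an absent port
    clause both mean no pinned port.
    """
    tokens = rest.split()
    for i, tok in enumerate(tokens):
        if tok == "port" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def fixed_query_ports(conf: str) -> list[tuple[str, int]]:
    """List every (directive, port) that pins the query source port."""
    # Drop /* ... */ comments so a commented-out directive is not reported.
    stripped = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    findings = []
    for m in QUERY_SOURCE_RE.finditer(stripped):
        port = _fixed_port(m.group("rest"))
        if port is not None:
            findings.append((m.group("directive"), port))
    return findings


def strip_fixed_ports(conf: str) -> str:
    """Rewrite the config so no query-source directive pins a port.

    The address clause is kept; a directive that said nothing but the
    port is removed entirely, which leaves BIND's default (random port).
    """

    def repl(m: re.Match) -> str:
        tokens = m.group("rest").split()
        kept = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "port" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 2  # drop "port <n>"
                continue
            kept.append(tokens[i])
            i += 1
        if not kept:
            return ""
        return f"{m.group('indent')}{m.group('directive')} {' '.join(kept)};"

    return QUERY_SOURCE_RE.sub(repl, conf)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, fixed_query_ports(conf))
    print(strip_fixed_ports(WEAK_CONF))
```

After removing the port clause, a resolver behind a stateful firewall needs outbound UDP from ephemeral ports to remote port 53 allowed, and replies accepted by connection state rather than by a rule that only admits traffic to local port 53; the symptom in the post (every recursive query failing once the fixed port is gone) is what such a rule produces.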

