why setting view with recursion option is invalid in BIND 9.5.0-P1

Matthew Pounsett matt at conundrum.com
Tue Sep 9 16:39:19 UTC 2008


On 08-Sep-2008, at 22:50 , zq wrote:

>        /* make named use port 53 for the source of all queries, to allow
>         * firewalls to block all ports except 53:
>         */
>        query-source    port 53;
>        query-source-v6 port 53;

This has nothing to do with the problem you're trying to solve, but  
someone should point out that this is extremely insecure. If you don't  
allow your name server to randomize its query source port, your name  
server can be poisoned for any domain in under five minutes.

You can find details of the relevant vulnerability and mitigation  
techniques here:
<http://www.kb.cert.org/vuls/id/800113>
<http://www.isc.org/sw/bind/docs/FAQ-about-random-query-issue.php>

If you have corporate firewalls you need to get around, then you can  
do one of two things to improve your security situation:
1) Talk to the firewall administrators and get them to open up  
outbound UDP/TCP on all ports from your DNS server.  In this case,  
restricting ports is actually making your security situation worse,  
not better.
or
2) Forward all queries from this server to a recursive server outside  
your firewall that is able to do proper query source port  
randomization.  There are some notes on doing that here: <http://www.isc.org/sw/bind/docs/forwarding.php>

Finally, when you've made changes to fix the situation, you can check  
to make sure things are improved by testing your server's source port  
randomization.  To do that, use dig to cause this server to run a  
special query against txidtest.dns-oarc.net:

dig +short txidtest.dns-oarc.net TXT @your.dns.server

HTH,
    Matt
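As an added illustration (not part of Matt's reply or of BIND's own tooling), the following script scans a named.conf fragment for `query-source` / `query-source-v6` statements that pin the source port to a fixed value, which is the setting criticised above, and leaves the port-`*` (randomized) form alone. The two configuration fragments embedded in it are constructed samples: the first mirrors the quoted `port 53` setting, the second is the assumed corrected form.

```python
import re

# Constructed sample: the fixed-port setting quoted in the thread (weak).
WEAK_CONF = """
options {
    directory "/var/named";
    /* make named use port 53 for the source of all queries */
    query-source    port 53;
    query-source-v6 port 53;
};
"""

# Constructed sample: assumed corrected form, letting named choose a
# random ephemeral source port for every outbound query.
FIXED_CONF = """
options {
    directory "/var/named";
    // port * = let named randomize the source port per query
    query-source    address * port *;
    query-source-v6 address * port *;
};
"""

# named.conf allows C-style, C++-style and shell-style comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# One query-source or query-source-v6 statement, up to its ';'.
_QS_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);")
# The optional 'port' clause inside that statement: '*' or a number.
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)")


def strip_comments(text):
    """Remove comments so that commented-out directives are not reported."""
    return _COMMENT_RE.sub("", text)


def find_fixed_source_ports(conf_text):
    """Return [(directive, port), ...] for every query-source statement
    that pins the outbound source port to a single number."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf_text)):
        directive, args = m.group(1), m.group(2)
        pm = _PORT_RE.search(args)
        # No port clause, or 'port *', means named randomizes the port.
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


def report(conf_text):
    """Human-readable summary for one configuration text."""
    found = find_fixed_source_ports(conf_text)
    if not found:
        return "OK: no fixed query source port configured"
    lines = ["WARNING: fixed query source port(s) defeat port randomization:"]
    for directive, port in found:
        lines.append(f"  {directive} pins port {port}; use 'port *' instead")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- weak config ---")
    print(report(WEAK_CONF))
    print("--- fixed config ---")
    print(report(FIXED_CONF))
```

The checker only looks at the `query-source` statements, so after editing the file the end-to-end confirmation is still the `dig +short txidtest.dns-oarc.net TXT @your.dns.server` query from the post, which reports the ports the server actually used.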

More information about the bind-users mailing list