Dropping queries from some well-known ports

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Aug 3 18:11:22 UTC 2018


On 03.08.18 20:00, Petr Menšík wrote:
>Our internal support reached out to me with a question: why are some queries
>bound to low ports silently dropped? I have found there is a feature for
>that, which will silently drop queries from selected ports.
>
>I admit queries from such low ports are wrong. But why are some ports
>allowed when some ports are not? Should it not be configured by a firewall
>instead?
>
>Just try this command:
>$ sudo dig @127.0.0.1 -b 127.0.0.1#32 localhost
>
>If BIND is running on the local interface, it will drop the query. If any
>other server is running there, it will respond.
>
>Does such a feature make sense in the year 2018? Can you remember what the
>motivation was to implement it? Is it wise to still enable it by default,
>without at least a configure option to disable it?
>
>1.
>https://gitlab.isc.org/isc-projects/bind9/commit/05d32f6b0f6590ca22136b753309f070ce769000

aren't those port descriptions self-explaining enough?

what is the point of this question at all?
services are not supposed to bind those low ports, and if anyone wants to do
that, they should be aware of possible issues they create.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name. 

