query problem ??
Ketil Froyn
isc_bind at ketil.froyn.name
Tue Feb 22 15:02:35 UTC 2005
On Tue, 2005-02-22 at 08:42 +0545, raj kumar gurung wrote:
> When I dig some domain, it doesn't get the answer because of
> "query-source address * port 53;" in my named.conf file.
> But when I comment it out, I could get the response... What may be the
> reason?
A lot of sites block queries from source port 53 in their firewall. It
is common to only allow queries from ports >= 1024.
Anyway, you shouldn't force source port 53, because you will be left
very vulnerable to DNS forgery. I don't know what problem you're trying
to solve by forcing source port 53, but there's surely a better way.
More info on DNS forgery:
http://cr.yp.to/djbdns/forgery.html
Ketil Froyn
ketil at froyn.name
http://ketil.froyn.name/
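
An added example, not part of the original post: a small audit check that flags any `query-source` or `query-source-v6` statement pinning the resolver's outgoing port, as in the configuration quoted above, while ignoring commented-out copies. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: the statement quoted in the post, a commented-out copy,
# and a wildcard-port form that leaves source-port selection to named.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // query-source address * port 53;
    query-source address * port 53;
    query-source-v6 address * port *;
};
"""

# Quoted strings are matched first so that '#' or '//' inside them survive.
COMMENT_RE = re.compile(r'("(?:\\.|[^"\\\n])*")|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
STMT_RE = re.compile(r'\b(query-source(?:-v6)?)\b([^;{}]*);')
PORT_RE = re.compile(r'\bport\s+(\*|\d+)')


def strip_comments(text):
    """Blank out named.conf comments (/* */, //, #), keeping line breaks."""
    def blank(match):
        if match.group(1):  # quoted string: keep untouched
            return match.group(1)
        return re.sub(r'[^\n]', ' ', match.group(0))
    return COMMENT_RE.sub(blank, text)


def find_fixed_query_source(text):
    """Return (line, statement, port) for each query-source with a fixed port."""
    clean = strip_comments(text)
    findings = []
    for stmt in STMT_RE.finditer(clean):
        port = PORT_RE.search(stmt.group(2))
        if port and port.group(1) != '*':
            line = clean.count('\n', 0, stmt.start()) + 1
            findings.append((line, stmt.group(1), int(port.group(1))))
    return findings


if __name__ == "__main__":
    for line, stmt, port in find_fixed_query_source(SAMPLE_NAMED_CONF):
        print(f"line {line}: {stmt} pins outgoing queries to source port {port}")
```
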