Configuring bind not to use unprivileged ports?
Thomas Schulz
schulz at adi.com
Fri Jun 2 14:13:03 UTC 2006
In article <e5nvsb$2kaa$1 at sf1.isc.org>,
Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>> I'm using bind 9.3.1 on a linux system running kernel version 2.6.11.12. I added
>> the following line to the options statement in the named.conf file:
>> query-source address * port 53
>> After that, I restarted bind but it still performs queries using UDP on
>> unprivileged ports (1024-65535).
>>
>> I need to configure bind to use well defined ports so that I can then configure
>> iptables to allow outgoing DNS queries and incoming DNS replies. Besides, I
>> prefer not to open all unprivileged ports so I tried the query-source option
>> above but without success. Can anyone help me?
>
> Firstly how do you know it is named that is making the queries?
>
> 1. Use a stateful firewall. It is a better long term solution
> as you can then debug connectivity issues with tools like dig.
Iptables can be a stateful firewall. On our router I have the following
rule enabled:
iptables -A FORWARD -p udp --sport 53 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
The above is all one line. This allows incoming replies to a query sent
to port 53 (the reply would come from port 53).
>
> 2. There are multiple source controls. query-source, notify-source
> and transfer-source as well as the ipv6 variants. You need to
> workout what requests are being made and set the appropriate one(s).
>
>> P.S. Here's the complete named.conf file in case it is needed:
>>
>> options {
>> directory "/etc/namedb";
>> pid-file "/var/run/named.pid";
>> statistics-file "/var/run/named.stats";
>> allow-query { 0/0; };
>> query-source address * port 53;
>> };
>>
>> zone "." {
>> type hint;
>> file "root.hints";
>> };
>>
>> zone "0.0.127.in-addr.arpa" {
>> type master;
>> file "pz/127.0.0";
>> };
>>
>>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
--
Tom Schulz
schulz at adi.com
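A toy model of the stateful matching that the FORWARD rule above relies on, added here as an illustration and not part of the original thread; the addresses and ports are constructed, and the model keeps a connection table the way conntrack would, without timeouts.

```python
"""Simulate `-p udp --sport 53 --dport 1024: -m state --state ESTABLISHED`.

An outbound UDP packet to port 53 records a conntrack-style entry; an
inbound packet is accepted only if it mirrors a recorded query. The
stateless port-range alternative is shown beside it. Constructed example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulDnsFilter:
    """Tracks outbound DNS queries and admits only their replies."""

    def __init__(self):
        self.conntrack = set()  # (client, cport, server, sport) tuples

    def outbound(self, pkt):
        # A new UDP query to port 53 creates the state a reply can match.
        if pkt.proto == "udp" and pkt.dport == 53:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"

    def inbound(self, pkt):
        # Reply must come from port 53, land on a port >= 1024 (the rule's
        # --dport 1024:) and be the mirror of a query we have seen.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if (pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024
                and key in self.conntrack):
            return "ACCEPT"
        return "DROP"


def port_range_filter(pkt):
    """The stateless alternative: any sport 53 -> dport >= 1024 gets in."""
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024:
        return "ACCEPT"
    return "DROP"


def demo():
    fw = StatefulDnsFilter()
    query = Packet("192.0.2.10", 34567, "198.51.100.1", 53)
    reply = Packet("198.51.100.1", 53, "192.0.2.10", 34567)
    unsolicited = Packet("203.0.113.7", 53, "192.0.2.10", 2049)  # no query sent
    return {
        "query": fw.outbound(query),
        "reply": fw.inbound(reply),
        "unsolicited_stateful": fw.inbound(unsolicited),
        "unsolicited_portrange": port_range_filter(unsolicited),
    }
```

The last two entries of `demo()` are the point of the thread: the stateful rule drops a source-port-53 packet that answers no query, while a plain port-range rule lets it through to any high port.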