Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

First off, to those who were kind enough to offer thanks, "you're
welcome." :)

Second, one user wrote me privately to indicate that my statement in
the first paragraph of my commit message was not clear. The point to
this change is that for _each_ outgoing query a _new, random_ UDP
source port is used, _as well as_ the standard query ID. (This is of
course assuming that you do not have a port locked down in named.conf,
which no one should at this point unless firewall rules outside of
your control mandate it.) However, named is still picking a "random"
UDP port on startup and locking it down (2 if you're also using IPv6)
although it's not immediately clear to me why (I do have a query as to
the reason in progress).

Stef wrote:
| Thanks!
|
| Here are simple steps to use this instead of the base named (and easily
| go back later):
|
| # cd /usr/ports/dns/bind9

Actually I'd at least use bind94, and preferably bind95. Either of
those two will have better memory management characteristics than the
9.3.x that is in dns/bind9.

| # make && make install
| # ln -s /etc/namedb/named.conf /usr/local/etc/named.conf

You will also need to do the same with the rndc.key file, and if you
are running in the chroot (the default for the rc.d script) then you
will need to create /var/named/usr/local/etc and repeat the exercise
for both files.

| # echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf

Personally my preference would be to edit the rc.conf[.local] file.

| # /etc/rc.d/named restart

I would actually do 'rndc stop' first, then '/etc/rc.d/named start'
but for most purposes the differences there would be minor.

You can also use the "replace base bind" option in the 'make config'
step which would obviate editing named_program above. If you do that,
add 'WITHOUT_BIND= yes' in /etc/src.conf for 7 or 8, and 'NO_BIND=
yes' in /etc/make.conf in 6.


hope this helps,

Doug

- --

~ This .signature sanitized for your protection

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEAREDAAYFAkh2o/4ACgkQyIakK9Wy8PurfQCfeN7Vvme3PABgFWMPhQz1Kgu6
gVUAni9iCNt0Gzi2YntV6uQmmRI8MhQl
=4Blu
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
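The point made in the first paragraph of the mail (a fresh random UDP source port for every outgoing query, on top of the random query ID) is easy to verify on your own resolver by watching its outbound traffic. The script below is an added example, not part of the original mail and not BIND's own code: it reads `tcpdump -n` lines, counts how many distinct source ports the queries to port 53 left from, and reports a verdict. The capture lines embedded in it are constructed (RFC 5737 addresses); the GOOD/POOR thresholds and the guess-space estimate are this example's own heuristics, not figures from the mail or from BIND.

```shell
#!/bin/sh
# Added example (not from the original mail): check whether a resolver uses a
# fresh UDP source port per outgoing query.  Feed it a live capture with
#   tcpdump -n -l -i <if> 'udp and dst port 53' | sh port_check.sh -
# Run without arguments to see the two constructed samples below.
set -u

# port_summary: read tcpdump -n lines on stdin; for queries sent to port 53
# print "<queries> <distinct_source_ports> <lowest_port> <highest_port>".
# Responses (source port 53) are ignored because $5 is then the client port.
port_summary() {
    awk '
        $2 ~ /^IP6?$/ && $5 ~ /\.(53|domain):$/ {
            n = split($3, a, ".")          # last dotted field of src is the port
            port = a[n] + 0
            seen[port]++
            if (q++ == 0) { lo = port; hi = port }
            if (port < lo) lo = port
            if (port > hi) hi = port
        }
        END {
            d = 0
            for (p in seen) d++
            printf "%d %d %d %d\n", q, d, lo, hi
        }
    '
}

# guess_bits: rough size of the space an off-path spoofer must hit, in bits:
# 16 bits of query ID plus log2 of the observed source-port range.
# (Heuristic for illustration; a fixed port gives exactly the 16-bit ID.)
guess_bits() {
    port_summary | awk '{ r = $4 - $3 + 1; printf "%d\n", 16 + log(r) / log(2) }'
}

# port_verdict: FIXED when every query left from one port (the pre-patch
# behaviour the mail describes), POOR when ports repeat heavily or stay in a
# narrow band, GOOD otherwise.  Thresholds are this example's assumption.
port_verdict() {
    port_summary | awk '{
        if ($1 == 0)                              v = "NO-QUERIES"
        else if ($2 == 1)                         v = "FIXED"
        else if ($2 * 2 < $1 || $4 - $3 < 1024)   v = "POOR"
        else                                      v = "GOOD"
        print v
    }'
}

# Constructed sample captures (RFC 5737 addresses), tcpdump -n format.
SAMPLE_FIXED='12:00:01.000001 IP 192.0.2.10.32789 > 198.51.100.53.53: 4711+ A? www.example.com. (33)
12:00:01.000002 IP 192.0.2.10.32789 > 198.51.100.53.53: 8190+ A? mail.example.com. (34)
12:00:01.000003 IP 192.0.2.10.32789 > 198.51.100.53.53: 23 + MX? example.com. (29)
12:00:01.000004 IP 192.0.2.10.32789 > 198.51.100.53.53: 61001+ A? ns1.example.net. (33)
12:00:01.000005 IP 192.0.2.10.32789 > 198.51.100.53.53: 333+ AAAA? www.example.com. (33)
12:00:01.000006 IP 192.0.2.10.32789 > 198.51.100.53.53: 9+ A? ftp.example.org. (33)'

SAMPLE_RANDOM='12:00:01.000001 IP 192.0.2.10.60882 > 198.51.100.53.53: 4711+ A? www.example.com. (33)
12:00:01.000002 IP 192.0.2.10.12983 > 198.51.100.53.53: 8190+ A? mail.example.com. (34)
12:00:01.000003 IP 192.0.2.10.51017 > 198.51.100.53.53: 23 + MX? example.com. (29)
12:00:01.000004 IP 192.0.2.10.33120 > 198.51.100.53.53: 61001+ A? ns1.example.net. (33)
12:00:01.000005 IP 192.0.2.10.7421 > 198.51.100.53.53: 333+ AAAA? www.example.com. (33)
12:00:01.000006 IP 192.0.2.10.45590 > 198.51.100.53.53: 9+ A? ftp.example.org. (33)
12:00:01.000007 IP 198.51.100.53.53 > 192.0.2.10.60882: 4711 1/0/0 A 192.0.2.80 (49)'

case "${1:-demo}" in
    demo)
        printf 'fixed-port capture:  %s (%s-bit guess space)\n' \
            "$(printf '%s\n' "$SAMPLE_FIXED" | port_verdict)" \
            "$(printf '%s\n' "$SAMPLE_FIXED" | guess_bits)"
        printf 'random-port capture: %s (%s-bit guess space)\n' \
            "$(printf '%s\n' "$SAMPLE_RANDOM" | port_verdict)" \
            "$(printf '%s\n' "$SAMPLE_RANDOM" | guess_bits)"
        ;;
    -)  port_verdict ;;   # a live tcpdump capture on stdin
esac
```

Note that a resolver with `query-source ... port 53;` (or any fixed port) in named.conf will show FIXED here no matter which BIND you run, which is why the mail warns against locking the port down unless a firewall outside your control forces it.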



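Stef's steps with Doug's corrections folded in, as one script: the added example below is not from the mail or from the ports tree. It creates the two symlinks (named.conf and rndc.key) under /usr/local/etc, repeats them under the rc.d script's default chroot /var/named, and sets named_program in rc.conf.local rather than rc.conf. The ROOT argument is this example's own addition so the script can be dry-run against a scratch directory; pass / to apply it to the live system after `make install` in dns/bind94 or dns/bind95.

```shell
#!/bin/sh
# Added example (not from the original mail): wire a ports-built BIND to the
# base system's config files, including the chroot copies Doug mentions.
# Usage: sh link_bind.sh ROOT   (ROOT=/ for the live system; a scratch
# directory for a dry run).  With no argument it only defines the functions.
set -u

CONF_FILES="named.conf rndc.key"   # files ports BIND expects in /usr/local/etc
CHROOT_DIR="/var/named"            # default chroot of the base rc.d script

# link_named_config ROOT: create /usr/local/etc/<f> -> /etc/namedb/<f>, both
# in the real tree and under the chroot, so the link still resolves after
# named has chrooted (inside the chroot /etc/namedb is /var/named/etc/namedb).
# Refuses to clobber a real file that someone already placed there.
link_named_config() {
    root=${1:-}
    root=${root%/}
    for prefix in "" "$CHROOT_DIR"; do
        dir="$root$prefix/usr/local/etc"
        mkdir -p "$dir"
        for f in $CONF_FILES; do
            link="$dir/$f"
            if [ -e "$link" ] && [ ! -L "$link" ]; then
                echo "refusing to overwrite regular file $link" >&2
                return 1
            fi
            ln -sf "/etc/namedb/$f" "$link"
        done
    done
}

# set_named_program ROOT: point rc.d at the ports binary.  Appends to
# rc.conf.local (Doug's preference) and is idempotent, so re-running the
# script does not stack duplicate named_program lines.
set_named_program() {
    root=${1:-}
    root=${root%/}
    rcfile="$root/etc/rc.conf.local"
    mkdir -p "$root/etc"
    if [ -f "$rcfile" ] && grep -q '^named_program=' "$rcfile"; then
        echo "named_program already set in $rcfile" >&2
        return 0
    fi
    printf '%s\n' 'named_program="/usr/local/sbin/named"' >> "$rcfile"
}

# named_program_count ROOT: how many named_program lines rc.conf.local holds
# (used to confirm idempotence; should be 1 after any number of runs).
named_program_count() {
    root=${1:-}
    root=${root%/}
    grep -c '^named_program=' "$root/etc/rc.conf.local" 2>/dev/null || echo 0
}

if [ -n "${1:-}" ]; then
    link_named_config "$1" && set_named_program "$1" &&
        echo "done; now 'rndc stop' and '/etc/rc.d/named start'"
fi
```

If you chose the "replace base bind" option in `make config` instead, skip set_named_program and add `WITHOUT_BIND= yes` to /etc/src.conf (7.x/8.x) or `NO_BIND= yes` to /etc/make.conf (6.x) as the mail describes, so the next buildworld does not reinstall the base named over the ports one.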