Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

Is there a way to restrict the ports which BIND selects -- perhaps
at the expense of a small amount of entropy -- such that it doesn't
try to use UDP ports which are administratively blocked (e.g. ports
used by worms, or insecure Microsoft network utilities)? We don't
dare turn these port blocks off, or naive users will fall prey to
security holes in Microsoft products. But if BIND doesn't know to
work around them, lookups will occasionally (and infuriatingly!)
fail.

--Brett Glass

At 06:06 PM 7/10/2008, Doug Barton wrote:

First off, to those who were kind enough to offer thanks, "you're
welcome." :)

Second, one user wrote me privately to indicate that my statement in
the first paragraph of my commit message was not clear. The point to
this change is that for _each_ outgoing query a _new, random_ UDP
source port is used, _as well as_ the standard query ID. (This is of
course assuming that you do not have a port locked down in named.conf,
which no one should at this point unless firewall rules outside of
your control mandate it.) However, named is still picking a "random"
UDP port on startup and locking it down (2 if you're also using IPv6)
although it's not immediately clear to me why (I do have a query as to
the reason in progress).

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: How to listen to more a specific IP and specific ports
    ... bind my socket to specific unlimited and selective IP addresses. ... Moreover, in Unix/Linux Berekly network programming, you can determin the ... port numbers. ...
    (microsoft.public.win32.programmer.networks)
  • Re: How to listen to more a specific IP and specific ports
    ... I have read this long time ago in the textbook Unix Network Programming ... service and connect our socket to INADDR_ANY and then listen for incoming ... Its clear to me on how to bind with ... port numbers. ...
    (microsoft.public.win32.programmer.networks)
  • Re: How to listen to more a specific IP and specific ports
    ... bind my socket to specific unlimited and selective IP addresses. ... Moreover, in Unix/Linux Berekly network programming, you can determin the IP ... port numbers. ...
    (microsoft.public.win32.programmer.networks)
  • Re: How to listen to more a specific IP and specific ports
    ... bind my socket to specific unlimited and selective IP addresses. ... port numbers. ... is not feasible because the particular IPs are not fixed. ...
    (microsoft.public.win32.programmer.networks)
  • FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
    ... BIND is an implementation of the Domain Name Service protocols. ... assist the ability of attackers to exploit the primary vulnerability ... the bind8 port in the ports collection ... If you have chosen to install BIND from the ports collection and are ...
    (FreeBSD-Security)