Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]


Jeremy Chadwick wrote:
> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
>> Is there a way to restrict the ports which BIND selects -- perhaps
>> at the expense of a small amount of entropy -- such that it doesn't
>> try to use UDP ports which are administratively blocked (e.g. ports
>> used by worms, or insecure Microsoft network utilities)? We don't
>> dare turn these port blocks off, or naive users will fall prey to
>> security holes in Microsoft products. But if BIND doesn't know to
>> work around them, lookups will occasionally (and infuriatingly!)
>> fail.
>
> query-source has an argument called "port" which will do what you want.
> That option *only* affects UDP queries, however; TCP queries are always
> random.

While query-source allows you to lock down to a single port, you DO NOT
WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
that the patch made you immune (well, safer) from.

What Brett (and others) need to do is risk the waters with the new beta
code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
control for the UDP ports to be used.

Please, PLEASE, do not introduce "query-source port XX" into your
configurations.

AlanC
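As an added illustration, not part of this thread: a small Python check for the two points argued above, namely how little source-port entropy it costs to skip a handful of administratively blocked ports compared with pinning one port, and a capture-side test of whether a resolver's outbound UDP source ports actually look randomized. The blocked-port set and the port samples are constructed; the option names in the comments (use-v4-udp-ports, avoid-v4-udp-ports) are the "fine-grained" controls the BIND 9.4.3/9.5.1 series documents, which the message refers to without naming.

```python
import math
from collections import Counter

# Constructed sample of UDP ports a site might block administratively
# (the thread mentions worm and Windows-service ports but lists none).
BLOCKED_UDP_PORTS = frozenset({1434, 1900, 4444, 5000})

def policy_entropy_bits(low, high, avoid=frozenset()):
    """Bits of source-port entropy when the resolver picks uniformly from
    low..high inclusive, skipping `avoid`. This models BIND's
    use-v4-udp-ports { range low high; } plus avoid-v4-udp-ports { ... }."""
    usable = sum(1 for p in range(low, high + 1) if p not in avoid)
    if usable <= 0:
        raise ValueError("policy leaves no usable port")
    return math.log2(usable)

def assess_observed_ports(ports, min_samples=10):
    """Classify outbound UDP source ports seen from one resolver (e.g. a
    capture of its queries). Returns (verdict, distinct_port_count);
    'fixed' is the query-source port XX case the message warns against."""
    if len(ports) < min_samples:
        return ("insufficient", len(set(ports)))
    counts = Counter(ports)
    distinct = len(counts)
    top_share = counts.most_common(1)[0][1] / len(ports)
    if distinct == 1:
        return ("fixed", 1)
    if top_share > 0.25 or distinct < len(ports) / 2:
        return ("low", distinct)
    return ("randomized", distinct)

if __name__ == "__main__":
    full = policy_entropy_bits(1024, 65535)
    trimmed = policy_entropy_bits(1024, 65535, BLOCKED_UDP_PORTS)
    print(f"full range: {full:.4f} bits; skipping blocked ports: {trimmed:.4f} bits")
    print(f"single pinned port: {policy_entropy_bits(53, 53):.1f} bits")
    # Constructed captures: a pinned resolver and a randomizing one.
    print(assess_observed_ports([53] * 12))
    print(assess_observed_ports([31337, 40210, 5678, 61003, 1999, 44444,
                                 12345, 50001, 2222, 33333, 9999, 60000]))
```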
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"