Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]



Alan Clegg wrote:
Jeremy Chadwick wrote:
On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:

Is there a way to restrict the ports which BIND selects -- perhaps
at the expense of a small amount of entropy -- such that it doesn't
try to use UDP ports which are administratively blocked (e.g. ports
used by worms, or insecure Microsoft network utilities)? We don't dare turn these port blocks off, or naive users will fall prey to security holes in Microsoft products. But if BIND doesn't know to
work around them, lookups will occasionally (and infuriatingly!)
fail.

query-source has an argument called "port" which will do what you want.
That option *only* affects UDP queries, however; TCP queries are always
random.

While query-source allows you to lock down to a single port, you DO NOT
WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
that the patch made you immune (well, safer) from.

What Brett (and others) need to do is risk the waters with the new beta
code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
control for the UDP ports to be used.

Please, PLEASE, do not introduce "query-source port XX" into your
configurations.

Probably what Brett is looking for are the avoid-v4-udp-ports and avoid-v6-udp-ports options -- these just contain lists of UDP ports
to avoid as the source of any DNS traffic. Details are available here
(for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options
but it's the same for all 9.x versions of BIND.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature



Relevant Pages

  • Re: BIND and 32774 or 32775 UDP ports
    ... BIND and 32774 or 32775 UDP ports ... as being in the listening state. ...
    (Focus-SUN)
  • UDP ports for Internet Explorer
    ... Does anybody know how UDP ports are assigned to IE? ... use the TCP/UDP filtering to allow only certain ports to be open. ... For example I've allowed TCP 3389 for Remote Desktop, ...
    (microsoft.public.windowsxp.network_web)
  • Re: BIND and 32774 or 32775 UDP ports
    ... BIND and 32774 or 32775 UDP ports ... > BIND 9.1.3 besides listening to TCP port 53 also appear to be listening on UDP ... > ports 32774 and 32775. ...
    (Focus-SUN)
  • Re: SBS2003 Outlook HTTP/RPC not working
    ... Do you have rpc listening on any UDP ports? ... I also still have TCP ...
    (microsoft.public.windows.server.sbs)
  • Re: TCP/IP filter & SMTP
    ... Also, if you are using MS SMTP server or Exchange server, you'll need to ... and I can't find any other ports that SMTP might use. ... > If I enable all UDP ports, ...
    (microsoft.public.inetserver.iis.security)