On Wed, Jul 09, 2008 at 09:44:21AM +0000, Kapil Hari Paranjape wrote: > Hello, > > The Debian advisory does not mention the status of "pdnsd" w.r.t the > DNS cache poisoning problem. A quick check seems to suggest that > "pdnsd" also randomises the source port while sending out a query. > > Could the maintainer of "pdnsd" please confirm this? I do not want to > file a pointless bug report if this is not a problem! Quoting pndnsd.conf(5): query_port_start=number; If given, defines the start of the port range used for queries of pdnsd. The value given must be >= 1024. The purpose of this option is to aid certain firewall configurations that are based on the source port. Please keep in mind that another application may bind a port in that range, so a stateful firewall using tar‐ get port and/or process uid may be more effective. In case a query start port is given pdnsd uses this port as the first port of a specified port range (see query_port_end) used for queries. pdnsd will try to randomly select a free port from this range as ^^^^^^^^ local port for the query. To ensure that there are enough ports for pdnsd to use, the range between query_port_start and query_port_end should be adjusted to at least (par_queries * proc_limit). A higher value is highly recommended, because other applications may also allo‐ cate ports in that range. If possible, this range should be kept out of the space that other applications usually use. query_port_end=number; Only used if query_port_start is given. Defines the last port of the range started by query_port_start used for querys by pdnsd. The default is 65535, which is also the maximum legal value for ^^^^^^^^^^^^^^^^^^^^^ this option. For details see the description of query_port_start. And the code matches the documentation. And yes a new socket is used for each request if that matters. -- ·O· Pierre Habouzit ··O madcoder@debian.org OOO http://www.madism.org
Attachment:
pgp4Rb8f21A8e.pgp
Description: PGP signature