
Re: Securing bind..



On Mon, 31 Dec 2001 05:31, Jor-el wrote:
> > DNS cache machine sends out requests from source port 54 (not obscure -
> > every administrator of every DNS server on the net can easily discover
> > this).
>
> 	Not sure I follow what you are saying here. Are you saying that it
> is pretty easy for a DNS admin to figure out what port you are running the
> DNS server on (if so how?) or are you saying that port 54 is a well agreed
> upon port for this purpose. I doubt very much that it is the latter, since
> http://www.iana.org/assignments/port-numbers states that port 54 is
> assigned to XNS (whatever that is).

When a request has a source port of 54 the reply MUST have a destination port 
of 54.

A DNS request is allowed to have any address as a source address (as the 
client program may be a non-root application which gets the first UDP port it 
can find which will be somewhat random).

The ability to configure which source port is used for queries is a newer 
feature in bind (wasn't there in 4.x at least - not sure when it was added).

Having the same port used for sending out queries and receiving queries from 
other machines (pretty much a default setup) just makes things more difficult 
to manage, secure, and analyse.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
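To make the configuration point above concrete, here is an added named.conf fragment (not from the original mail or from the bind documentation) contrasting the setup the reply calls the default, where the server listens and sends its queries on the same port, with one that keeps the two apart; the `listen-on` and `query-source` directives are real bind options, the address 192.0.2.53 is a placeholder.

```text
// Assumed example, not from the original message.
// Setup the reply describes as "pretty much a default": inbound queries
// and the server's own outbound queries share UDP port 53, so a packet
// capture or firewall rule cannot tell the two roles apart by port alone.
options {
    listen-on port 53 { 192.0.2.53; };
    query-source address 192.0.2.53 port 53;
};

// Separated setup: the server still accepts queries on port 53, but its
// own outbound queries take an ephemeral source port ("port *") chosen
// by the system, so replies to those queries arrive on that port rather
// than on the listening port. The two traffic streams can then be
// filtered, logged and analysed independently.
options {
    listen-on port 53 { 192.0.2.53; };
    query-source address 192.0.2.53 port *;
};
```

Only one `options` block is allowed in a real named.conf; the two are shown together here purely for comparison.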
