Re: Securing bind..
On Mon, 31 Dec 2001 05:31, Jor-el wrote:
> > DNS cache machine sends out requests from source port 54 (not obscure -
> > every administrator of every DNS server on the net can easily discover
> > this).
>
> Not sure I follow what you are saying here. Are you saying that it
> is pretty easy for a DNS admin to figure out what port you are running the
> DNS server on (if so how?) or are you saying that port 54 is a well agreed
> upon port for this purpose. I doubt very much that it is the latter, since
> http://www.iana.org/assignments/port-numbers states that port 54 is
> assigned to XNS (whatever that is).
When a request has a source port of 54 the reply MUST have a destination port
of 54.
A DNS request is allowed to have any address as a source address (as the
client program may be a non-root application that gets the first UDP port it
can find, which will be somewhat random).
The ability to configure which source port is used for queries is a newer
feature in bind (wasn't there in 4.x at least - not sure when it was added).
Having the same port used for sending out queries and receiving queries from
other machines (pretty much a default setup) just makes things more difficult
to manage, secure, and analyse.
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
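The two points above (a reply must come back to whatever source port the query left from, and a resolver that sends every query from one fixed port, especially the port it also listens on, is harder to analyse) as an added example that is not part of the original thread: a small Python audit over constructed UDP datagram records (field names are my own assumption, not any capture format) that reports, per resolver, the query source ports used, whether they are fixed or collide with the listening port, and any replies that arrived on a port no outstanding query used.

```python
"""Audit outbound DNS query source ports from constructed UDP datagram records."""
from typing import Iterable, NamedTuple


class Dgram(NamedTuple):        # assumed record layout, one UDP datagram
    src: str
    sport: int
    dst: str
    dport: int
    qid: int                    # DNS transaction ID
    response: bool              # QR bit: False = query, True = reply


def audit_resolver(dgrams: Iterable[Dgram], resolver: str, listen_port: int = 53) -> dict:
    """Summarise how RESOLVER sends upstream queries and receives the replies.

    fixed_port: every query left from one port (easy for anyone to discover).
    collides_listen: queries share the port the server listens on.
    unmatched_replies: replies whose (upstream, ID, port) match no query sent.
    """
    outstanding = {}            # (upstream ip, qid) -> source port the query used
    ports, unmatched, queries = set(), [], 0
    for d in dgrams:
        if not d.response and d.src == resolver:
            queries += 1
            ports.add(d.sport)
            outstanding[(d.dst, d.qid)] = d.sport
        elif d.response and d.dst == resolver:
            # The reply's destination port must equal the query's source port.
            expected = outstanding.pop((d.src, d.qid), None)
            if expected is None or expected != d.dport:
                unmatched.append(d)
    return {
        "queries": queries,
        "source_ports": ports,
        "fixed_port": queries > 1 and len(ports) == 1,
        "collides_listen": listen_port in ports,
        "unmatched_replies": unmatched,
    }


# Constructed sample traffic (not captured from any real server).
SAMPLE = [
    Dgram("192.0.2.10", 54, "198.51.100.1", 53, 0x1A2B, False),
    Dgram("198.51.100.1", 53, "192.0.2.10", 54, 0x1A2B, True),
    Dgram("192.0.2.10", 54, "198.51.100.2", 53, 0x3C4D, False),
    Dgram("198.51.100.2", 53, "192.0.2.10", 54, 0x3C4D, True),
    Dgram("192.0.2.10", 54, "198.51.100.3", 53, 0x5E6F, False),
    Dgram("198.51.100.3", 53, "192.0.2.10", 53, 0x5E6F, True),   # wrong port: flagged
    Dgram("192.0.2.20", 40123, "198.51.100.1", 53, 0x7081, False),
    Dgram("198.51.100.1", 53, "192.0.2.20", 40123, 0x7081, True),
    Dgram("192.0.2.20", 51877, "198.51.100.2", 53, 0x9293, False),
    Dgram("198.51.100.2", 53, "192.0.2.20", 51877, 0x9293, True),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, audit_resolver(SAMPLE, ip))
```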