On Wed, Jul 09, 2008 at 09:44:21AM +0000, Kapil Hari Paranjape wrote:
> Hello,
>
> The Debian advisory does not mention the status of "pdnsd" w.r.t the
> DNS cache poisoning problem. A quick check seems to suggest that
> "pdnsd" also randomises the source port while sending out a query.
>
> Could the maintainer of "pdnsd" please confirm this? I do not want to
> file a pointless bug report if this is not a problem!
Quoting pndnsd.conf(5):
query_port_start=number;
If given, defines the start of the port range used for queries
of pdnsd. The value given must be >= 1024. The purpose of this
option is to aid certain firewall configurations that are based
on the source port. Please keep in mind that another application
may bind a port in that range, so a stateful firewall using tar‐
get port and/or process uid may be more effective. In case a
query start port is given pdnsd uses this port as the first port
of a specified port range (see query_port_end) used for queries.
pdnsd will try to randomly select a free port from this range as
^^^^^^^^
local port for the query.
To ensure that there are enough ports for pdnsd to use, the
range between query_port_start and query_port_end should be
adjusted to at least (par_queries * proc_limit). A higher value
is highly recommended, because other applications may also allo‐
cate ports in that range. If possible, this range should be kept
out of the space that other applications usually use.
query_port_end=number;
Only used if query_port_start is given. Defines the last port of
the range started by query_port_start used for querys by pdnsd.
The default is 65535, which is also the maximum legal value for
^^^^^^^^^^^^^^^^^^^^^
this option. For details see the description of
query_port_start.
And the code matches the documentation. And yes a new socket is used for each
request if that matters.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org
Attachment:
pgp4Rb8f21A8e.pgp
Description: PGP signature