[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Jul 11 16:28:38 UTC 2008 

Alan Clegg wrote:
> Jeremy Chadwick wrote:
>> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:

>>> Is there a way to restrict the ports which BIND selects -- perhaps
>>> at the expense of a small amount of entropy -- such that it doesn't
>>> try to use UDP ports which are administratively blocked (e.g. ports
>>> used by worms, or insecure Microsoft network utilities)? We don't 
>>> dare turn these port blocks off, or naive users will fall prey to 
>>> security holes in Microsoft products. But if BIND doesn't know to
>>> work around them, lookups will occasionally (and infuriatingly!)
>>> fail.

>> query-source has an argument called "port" which will do what you want.
>> That option *only* affects UDP queries, however; TCP queries are always
>> random.
 
> While query-source allows you to lock down to a single port, you DO NOT
> WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
> that the patch made you immune (well, safer) from.
> 
> What Brett (and others) need to do is risk the waters with the new beta
> code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
> control for the UDP ports to be used.
> 
> Please, PLEASE, do not introduce "query-source port XX" into your
> configurations.

Probably what Brett is looking for are the avoid-v4-udp-ports  and avoid-v6-udp-ports options -- these just contain lists of UDP ports
to avoid as the source of any DNS traffic.  Details are available here
(for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options
but it's the same for all 9.x versions of BIND.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20080711/0103b282/signature.pgp

More information about the freebsd-security mailing list