[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

Mark Andrews Mark_Andrews at isc.org
Fri Jul 11 22:48:52 UTC 2008 

> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
> > Is there a way to restrict the ports which BIND selects -- perhaps
> > at the expense of a small amount of entropy -- such that it doesn't
> > try to use UDP ports which are administratively blocked (e.g. ports
> > used by worms, or insecure Microsoft network utilities)? We don't 
> > dare turn these port blocks off, or naive users will fall prey to 
> > security holes in Microsoft products. But if BIND doesn't know to
> > work around them, lookups will occasionally (and infuriatingly!)
> > fail.
> 
> query-source has an argument called "port" which will do what you want.
> That option *only* affects UDP queries, however; TCP queries are always
> random.

	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********
	******* DO NOT SET THE PORT IN QUERY-SOURCE. ********

	Use
		avoid-v4-udp-ports { <port>; ... };
		avoid-v6-udp-ports { <port>; ... };

 
> -- 
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the freebsd-security mailing list