ports

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jul 9 06:29:38 UTC 2008


Chuck Swiger wrote:
> On Jul 8, 2008, at 11:04 AM, Mel wrote:
>> On Tuesday 08 July 2008 19:07:02 Matthew Seaman wrote:
>>> You can configure named to always send packets using a
>>> fixed port number (which can be helpful for firewalling)
>>
>> Purely out of interest, which (useful) firewall/nat rules cannot be
>> made with dest port 53, that can be made with source port 53. Not
>> talking syntax, but "business logically".
> 
> Please note that using the same port for answering queries makes it 
> vastly easier for somebody to spoof your DNS traffic.  Unless you are 
> one of the handful using DNSSEC, that is.
> 

Yes.  In the light of this, released last night:

   http://www.kb.cert.org/vuls/id/800113

fixing the response port is a bad idea.  A really bad idea.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
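A defender-side check in the spirit of this thread, added here as an example and not code from the list post: given tcpdump-style lines of a resolver's outbound queries (a constructed sample, not captured traffic), it reports whether the query source port is pinned and how many bits the port adds to the space a forger must guess on top of the 16-bit transaction ID.

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style lines (not real traffic). Each line carries the
# resolver's source port before "> ...:53" and the decimal DNS transaction ID.
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

FIXED_PORT_CAPTURE = """\
IP 192.0.2.10.53 > 192.0.2.1.53: 27115+ A? example.com. (29)
IP 192.0.2.10.53 > 192.0.2.1.53: 4410+ A? example.net. (29)
IP 192.0.2.10.53 > 192.0.2.1.53: 61002+ AAAA? example.org. (29)
IP 192.0.2.10.53 > 192.0.2.1.53: 9981+ MX? example.com. (29)
"""

RANDOM_PORT_CAPTURE = """\
IP 192.0.2.10.49231 > 192.0.2.1.53: 27115+ A? example.com. (29)
IP 192.0.2.10.51877 > 192.0.2.1.53: 4410+ A? example.net. (29)
IP 192.0.2.10.60214 > 192.0.2.1.53: 61002+ AAAA? example.org. (29)
IP 192.0.2.10.33019 > 192.0.2.1.53: 9981+ MX? example.com. (29)
"""


def parse_queries(capture):
    """Return (source_port, txid) tuples parsed from tcpdump-style text."""
    return [(int(port), int(txid)) for port, txid in LINE_RE.findall(capture)]


def assess_port_randomization(queries):
    """Estimate how much the UDP source port adds to a forger's guess space.

    A spoofed answer is accepted only if its TXID (16 bits) and destination port
    both match the outstanding query. With one fixed port the port adds 0 bits;
    log2(distinct ports seen) is a floor on what a varying port adds, and a short
    capture underestimates it, so treat the number as a lower bound.
    """
    ports = Counter(port for port, _ in queries)
    distinct = len(ports)
    port_bits = math.log2(distinct) if distinct else 0.0
    return {
        "sample_size": len(queries),
        "distinct_ports": distinct,
        "port_bits": port_bits,
        "guess_space_bits": 16 + port_bits,
        "verdict": "fixed" if distinct == 1 else "varying",
    }


if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, assess_port_randomization(parse_queries(capture)))
```

Feed it the output of tcpdump on the resolver's outbound port-53 traffic over a longer window; a verdict of "fixed" means every forged answer only has to match the transaction ID.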
