From owner-freebsd-security  Wed May 24 22:18:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with SMTP id 8FA0E37B66E
	for <freebsd-security@freebsd.org>; Wed, 24 May 2000 22:18:05 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 23152 invoked by uid 1000); 25 May 2000 05:17:57 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 25 May 2000 05:17:57 -0000
Date: Thu, 25 May 2000 00:17:57 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Klaus Steden <klaus@compt.com>
Cc: freebsd-security@freebsd.org
Subject: Re: named, and socket bindings
In-Reply-To: <20000525005653.X6137@cthulu.compt.com>
Message-ID: <Pine.BSF.4.21.0005250014400.23139-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


On Thu, 25 May 2000, Klaus Steden wrote:

> I was playing a bit with 'sockstat' on the FreeBSD 3.4 boxen we have around
> here that offer name service.
> 
> On both I noticed something that was, to me, a bit odd. The sockets that named
> had bound were, as expected, the domain port on all the machine's interfaces,
> but also, a random high UDP port.

That's the port it uses as the source port for outgoing queries.  Using a
port other than 53 makes DNS spoofing harder.  I assume it changes the
port, but I'm not sure at what interval.

> I checked two BSDI boxes (4.0) and they don't seem to have the same situation.
> What gives?

Either they're running an old version of BIND, or the option in named.conf
to explicitly set the source port to 53 at all times has been enabled.

Mike "Silby" Silbersack



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
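The two points made in the reply above (a non-53 source port enlarges the space an off-path forger has to guess, and a `query-source ... port 53` line in named.conf gives that up) can be put into numbers. The following is an added example, not code from the mail or from BIND: it reads a constructed named.conf `options` block, works out whether the query source port is pinned, and sizes the (transaction ID, source port) space a forged reply would have to match. The `query-source address * port 53;` directive is real BIND syntax; the port-range size and the single-outstanding-query model are simplifying assumptions of this example.

```python
import re

# Constructed named.conf fragments (not taken from the original mail).
# The first pins the query source port to 53, the second leaves the choice
# of an unprivileged port to named, which is what the 'sockstat' output in
# the thread shows.
PINNED_CONF = """
options {
    directory "/etc/namedb";
    query-source address * port 53;
};
"""

RANDOM_CONF = """
options {
    directory "/etc/namedb";
    query-source address * port *;
};
"""

TXID_BITS = 16                  # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65535 - 1024  # assumed size of the unprivileged port range


def query_source_port(named_conf: str):
    """Return the port named is told to send queries from: an int when it
    is pinned, '*' when named may pick one, or None when the option is
    absent (which BIND treats like '*')."""
    m = re.search(r"query-source\b[^;]*?\bport\s+(\*|\d+)\s*;", named_conf)
    if m is None:
        return None
    return "*" if m.group(1) == "*" else int(m.group(1))


def guess_space(named_conf: str) -> int:
    """Number of (transaction ID, source port) pairs a forged reply must
    match for the resolver to accept it, given this configuration."""
    port = query_source_port(named_conf)
    ports = 1 if isinstance(port, int) else EPHEMERAL_PORTS
    return (1 << TXID_BITS) * ports


def spoof_probability(named_conf: str, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` distinct forged answers
    matches a single outstanding query. Model assumption: the source port is
    fresh and unobservable for each query; if named keeps one port for its
    whole lifetime the effective space is only the 16-bit transaction ID."""
    space = guess_space(named_conf)
    return min(1.0, forged_replies / space)


if __name__ == "__main__":
    for name, conf in (("pinned to 53", PINNED_CONF), ("unprivileged", RANDOM_CONF)):
        print(f"{name}: space={guess_space(conf)}, "
              f"P(hit | 65536 forged replies)={spoof_probability(conf, 65536):.2e}")
```

The reply's remaining uncertainty ("I'm not sure at what interval" the port changes) is exactly what `spoof_probability` assumes away: the extra port entropy only counts while the port is neither reused across queries nor observable, so the interval at which named re-picks it decides how much of `guess_space` a forger actually faces.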