From owner-freebsd-security Mon Apr 22 17:42:34 2002
Message-ID: <3CC4A98D.7090008@obluda.cz>
Date: Tue, 23 Apr 2002 02:23:41 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Subject: Re: DNS Question
References: <5.1.0.14.2.20020422062026.05613ec0@mail.Go2France.com>

Len Conrad wrote:
> On egress, bind will query via udp/tcp on port > 1023.

... unless your named.conf says something else.

Because you must already have local port 53 open for INcoming questions and for OUTgoing replies, you may decide to select port 53 as the source for your own OUTgoing questions (i.e. INcoming replies) as well -> simpler firewall configuration; no need for (random) ports >1023 -> no need for "keep-state" rules (a possible subject of DoS).

Dan
--
Dan Lukes, SISAL, MFF UK tel: +420 2 21914205, fax: +420 2 21914206
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz
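The two firewall styles contrasted in the reply above, as a constructed example added here (not from the original message): a BIND `options` block that pins the outgoing query source to port 53, next to the ipfw rules each choice needs. The address 192.0.2.1 and the ipfw rule numbers are assumptions.

```conf
// Constructed example: BIND named.conf fragment (not from the original post).
// Variant A: outgoing queries leave from local port 53, the same port that
// already has to be open for incoming queries and outgoing replies.
options {
    listen-on port 53 { 192.0.2.1; };        // 192.0.2.1 is an assumed address
    query-source address 192.0.2.1 port 53;  // pin the source port of our own queries
};

// Stateless ipfw rules that suffice for variant A (assumed rule numbers):
//   ipfw add 100 allow udp from any to 192.0.2.1 53
//   ipfw add 110 allow udp from 192.0.2.1 53 to any
// One pair of static rules covers queries and replies in both directions.

// Variant B: leave query-source unset, so BIND sends its own queries from an
// ephemeral source port (>1023) and replies come back to that port:
//   options { listen-on port 53 { 192.0.2.1; }; };
// The firewall then needs a dynamic entry per outgoing query, e.g.
//   ipfw add 120 allow udp from 192.0.2.1 to any 53 keep-state
// and that dynamic rule table is the "keep-state" DoS exposure the reply mentions.
```

Pinning query-source to port 53 also removes source-port randomization; after the 2008 Kaminsky cache-poisoning research, BIND's own documentation advises against a fixed query-source port, so the firewall simplification in variant A trades directly against resolver hardening.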