From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Thu, 10 Jul 2008 17:06:22 -0700
To: stef@memberwebs.com
Cc: freebsd-security@freebsd.org, Remko Lodder, secteam@freebsd.org, Andrew Storms
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <4876A3FE.1070407@FreeBSD.org>
In-Reply-To: <20080709204114.471A2F1835D@mx.npubs.com>
List-Id: Security issues [members-only posting]

First off, to those who were kind enough to offer thanks, "you're welcome." :)

Second, one user wrote me privately to indicate that my statement in the first paragraph of my commit message was not clear. The point of this change is that for _each_ outgoing query a _new, random_ UDP source port is used, _as well as_ the standard query ID. (This is of course assuming that you do not have a port locked down in named.conf, which no one should at this point unless firewall rules outside of your control mandate it.) However, named is still picking a "random" UDP port on startup and locking it down (2 if you're also using IPv6), although it's not immediately clear to me why (I do have a query as to the reason in progress).

Stef wrote:
| Thanks!
|
| Here are simple steps to use this instead of the base named (and easily
| go back later):
|
| # cd /usr/ports/dns/bind9

Actually I'd at least use bind94, and preferably bind95. Either of those two will have better memory management characteristics than the 9.3.x that is in dns/bind9.

| # make && make install
| # ln -s /etc/namedb/named.conf /usr/local/etc/named.conf

You will also need to do the same with the rndc.key file, and if you are running in the chroot (the default for the rc.d script) then you will need to create /var/named/usr/local/etc and repeat the exercise for both files.

| # echo 'named_program="/usr/local/sbin/named"' >> /etc/rc.conf

Personally my preference would be to edit the rc.conf[.local] file.

| # /etc/rc.d/named restart

I would actually do 'rndc stop' first, then '/etc/rc.d/named start', but for most purposes the differences there would be minor.

You can also use the "replace base bind" option in the 'make config' step, which would obviate editing named_program above. If you do that, add 'WITHOUT_BIND= yes' in /etc/src.conf for 7 or 8, and 'NO_BIND= yes' in /etc/make.conf in 6.

hope this helps,

Doug

-- 
~ This .signature sanitized for your protection
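The property Doug describes (a fresh UDP source port for every outgoing query, in addition to the query ID) can be verified from a packet capture of the resolver's own upstream traffic. The following is an added example, not code from the thread or from BIND; the tcpdump-style lines are constructed, and the regular expression assumes tcpdump's default one-line DNS summary format.

```python
import math
import re
from collections import Counter

# One tcpdump DNS summary line: "... IP src.sport > dst.53: txid+ A? name. (len)"
QUERY_RE = re.compile(r"IP [\d.]+\.(?P<sport>\d+) > [\d.]+\.53: (?P<txid>\d+)\+?")

# Constructed samples, not real captures: the first mimics a resolver that
# locked one UDP port at startup, the second the patched named, which draws a
# fresh port for every query alongside the 16-bit transaction ID.
FIXED_PORT_SAMPLE = [
    f"12:00:0{i}.000000 IP 192.0.2.10.5353 > 192.0.2.53.53: {40000 + i * 997}+ A? host{i}.example. (30)"
    for i in range(8)
]
RANDOM_PORT_SAMPLE = [
    f"12:01:0{i}.000000 IP 192.0.2.10.{20000 + i * 3517} > 192.0.2.53.53: {50000 + i * 211}+ A? host{i}.example. (30)"
    for i in range(8)
]

def parse_queries(lines):
    """Return (source_port, txid) pairs for the outgoing queries in a capture."""
    found = (QUERY_RE.search(line) for line in lines)
    return [(int(m["sport"]), int(m["txid"])) for m in found if m]

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0

def audit(lines):
    """Summarise how much per-query randomness a capture shows."""
    pairs = parse_queries(lines)
    ports, txids = [p for p, _ in pairs], [t for _, t in pairs]
    distinct_ports = len(set(ports))
    if len(pairs) < 2:
        verdict = "too few queries to judge"
    elif distinct_ports == 1:
        verdict = "fixed source port: only the 16-bit txid varies"
    else:
        verdict = "source port varies per query"
    return {
        "queries": len(pairs),
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "verdict": verdict,
    }
```

A resolver with a port pinned in named.conf shows up as a single distinct port and zero bits of port entropy, which is the state the commit is meant to move people away from.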