Date: Fri, 11 Jul 2008 17:28:11 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Alan Clegg <alan@clegg.com> Cc: Doug Barton <dougb@freebsd.org>, stef@memberwebs.com, Jeremy Chadwick <koitsu@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, secteam@freebsd.org, Brett Glass <brett@lariat.net>, Remko Lodder <remko@freebsd.org>, Andrew Storms <astorms@ncircle.com> Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] Message-ID: <48778A1B.4060504@infracaninophile.co.uk> In-Reply-To: <487782C5.7050703@clegg.com> References: <C49A67C5.1A0CBA%astorms@ncircle.com> <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Alan Clegg wrote: > Jeremy Chadwick wrote: >> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: >>> Is there a way to restrict the ports which BIND selects -- perhaps >>> at the expense of a small amount of entropy -- such that it doesn't >>> try to use UDP ports which are administratively blocked (e.g. ports >>> used by worms, or insecure Microsoft network utilities)? We don't >>> dare turn these port blocks off, or naive users will fall prey to >>> security holes in Microsoft products. But if BIND doesn't know to >>> work around them, lookups will occasionally (and infuriatingly!) >>> fail. >> query-source has an argument called "port" which will do what you want. >> That option *only* affects UDP queries, however; TCP queries are always >> random. > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. > > Please, PLEASE, do not introduce "query-source port XX" into your > configurations. Probably what Brett is looking for are the avoid-v4-udp-ports and avoid-v6-udp-ports options -- these just contain lists of UDP ports to avoid as the source of any DNS traffic. Details are available here (for bind95) http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#options but it's the same for all 9.x versions of BIND. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkh3iiMACgkQ8Mjk52CukIxpAQCgjm4KMcYVNHHQjMX5w7RuH784 sRsAn3V5fHGqgaIQVzkb054LcPp9RgTQ =hvxj -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48778A1B.4060504>