From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 22:48:52 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C843E106566C; Fri, 11 Jul 2008 22:48:52 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id 2A77E8FC0C; Fri, 11 Jul 2008 22:48:51 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m6BMmlkL042880; Sat, 12 Jul 2008 08:48:47 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200807112248.m6BMmlkL042880@drugs.dv.isc.org> To: Jeremy Chadwick From: Mark Andrews In-reply-to: Your message of "Fri, 11 Jul 2008 08:12:28 MST." <20080711151228.GA52385@eos.sc1.parodius.com> Date: Sat, 12 Jul 2008 08:48:47 +1000 Sender: marka@isc.org Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 22:48:52 -0000 > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > > Is there a way to restrict the ports which BIND selects -- perhaps > > at the expense of a small amount of entropy -- such that it doesn't > > try to use UDP ports which are administratively blocked (e.g. ports > > used by worms, or insecure Microsoft network utilities)? We don't > > dare turn these port blocks off, or naive users will fall prey to > > security holes in Microsoft products. But if BIND doesn't know to > > work around them, lookups will occasionally (and infuriatingly!) > > fail. > > query-source has an argument called "port" which will do what you want. > That option *only* affects UDP queries, however; TCP queries are always > random. ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** ******* DO NOT SET THE PORT IN QUERY-SOURCE. ******** Use avoid-v4-udp-ports { ; ... }; avoid-v6-udp-ports { ; ... }; > -- > | Jeremy Chadwick jdc at parodius.com | > | Parodius Networking http://www.parodius.com/ | > | UNIX Systems Administrator Mountain View, CA, USA | > | Making life hard for others since 1977. PGP: 4BD6C0CB | > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org