Date:      Wed, 09 Jul 2008 07:29:29 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: ports
Message-ID:  <48745AC9.5010200@infracaninophile.co.uk>
In-Reply-To: <DCE5DED7-40E2-406A-BB9D-1E5851811752@mac.com>
References:  <4873927E.3050307@godfur.com> <44ej64s4e7.fsf@be-well.ilk.org>	<48739EB6.4040909@infracaninophile.co.uk>	<200807082004.25873.fbsd.questions@rachie.is-a-geek.net> <DCE5DED7-40E2-406A-BB9D-1E5851811752@mac.com>


Chuck Swiger wrote:
> On Jul 8, 2008, at 11:04 AM, Mel wrote:
>> On Tuesday 08 July 2008 19:07:02 Matthew Seaman wrote:
>>> You can configure named to always send packets using a
>>> fixed port number (which can be helpful for firewalling)
>>
>> Purely out of interest, which (useful) firewall/nat rules cannot be
>> made with dest port 53, that can be made with source port 53. Not
>> talking syntax, but "business logically".
>
> Please note that using the same port for answering queries makes it
> vastly easier for somebody to spoof your DNS traffic.  Unless you are
> one of the handful using DNSSEC, that is.
>

Yes.  In the light of this, released last night:

   http://www.kb.cert.org/vuls/id/800113

fixing the response port is a bad idea.  A really bad idea.

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
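
Added example, not part of the original message and not code from BIND or its authors: a small Python check that flags named.conf query-source statements pinned to a fixed port, the setting the thread warns against. It assumes the "fixed port number" configuration under discussion is BIND's query-source option; the sample configurations and function names are constructed for illustration.

```python
import re

# Constructed sample named.conf fragments (not taken from the thread).
WEAK_CONF = """
options {
    directory "/etc/namedb";
    // pinned so the firewall rule is simple
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""
HARDENED_CONF = """
options {
    directory "/etc/namedb";
    # query-source address * port 53;   (old setting, disabled)
    query-source address * port *;
};
"""

# Quoted strings are matched first so that '#' or '//' inside them survive.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STMT = re.compile(r"(?<![\w-])(query-source(?:-v6)?)\b([^;]*);")
_PORT = re.compile(r"\bport\s+(\S+)")


def strip_comments(text):
    """Remove C, C++ and shell style comments, leaving quoted strings intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def fixed_query_ports(conf_text):
    """Return [(statement, port)] for each query-source pinned to one port.

    With the source port pinned, a forged reply only has to match the
    16-bit DNS query ID; 'port *' (or no port clause) leaves the choice
    of source port to named.
    """
    findings = []
    for name, args in _STMT.findall(strip_comments(conf_text)):
        m = _PORT.search(args)
        if m and m.group(1).isdigit():
            findings.append((name, int(m.group(1))))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, fixed_query_ports(conf) or "no fixed query port")
```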




