mailing list archives
Re: Securing DNS Server
From: Bennett Todd <bet () rahul net>
Date: Tue, 5 Nov 2002 15:41:49 -0500
2002-11-05-14:36:41 Naman Latif:
Try adding this to named.conf:
query-source address * port 53;
Which would have the originating queries only from Port 53, thus making
it easier to implement in the firewall.
It may make it easier to firewall, but it's got other consequences.
It may, depending on the implementation in the server, limit the
server to one outstanding query at a time, which would only be
acceptable for exceptionally low-volume servers (home servers,
perhaps). Or it may cause all concurrent queries to share the same
src port, rather than being issued distinct src ports, which would
have the consequence that it would be much, much easier to forge a
reply packet and send it to the server to poison its cache.
Either way, the consequence may, perhaps, be worse than just
allowing incoming UDP to a wide range of ports on the DNS server.
It really comes down to a question of whether you can harden that