Update Question 13.3 (extra-named-port):
- Discourage the use of port 53 for outgoing DNS queries
PR: docs/127290
Submitted by: Aleksandr Stankevic <alex (at) braske (dot) net>
Approved by: gabor (mentor)
This commit is contained in:
parent
badca18c49
commit
93d1411ed3
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=32993
1 changed files with 19 additions and 12 deletions
@ -8479,23 +8479,30 @@ Key F15 A A Menu Workplace Nop</programlisting>
<qandaentry>
<question id="extra-named-port">
<para>BIND (<command>named</command>) is listening on port 53
and some other high-numbered port. What is going on?</para>
<para>BIND (<command>named</command>) is listening on
some high-numbered ports. What is going on?</para>
</question>
<answer>
<para>BIND uses a random high-numbered port for outgoing
queries. If you want to use port 53 for outgoing queries,
either to get past a firewall or to make yourself feel
better, you can try the following in
<filename>/etc/namedb/named.conf</filename>:</para>
queries. Recent versions of it choose a new, random UDP
port for each query. This may cause problems for some
network configurations, especially if a firewall blocks
incoming UDP packets on particular ports. If you want to
get past that firewall, you can try the
<literal>avoid-v4-udp-ports</literal> and
<literal>avoid-v6-udp-ports</literal> options to avoid
selecting random port numbers within a blocked range.</para>
<programlisting>options {
query-source address * port 53;
};</programlisting>
<para>You can replace the <literal>*</literal> with a single
IP address if you want to tighten things further.</para>
<warning>
<para>If a port number (like 53) is specified via the
<literal>query-source</literal> or
<literal>query-source-v6</literal> options in
<filename>/etc/namedb/named.conf</filename>, randomized
port selection will not be used. It is strongly
recommended that these options not be used to specify
fixed port numbers.</para>
</warning>
<para>Congratulations, by the way. It is good practice to
read your &man.sockstat.1; output and notice odd
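Review bot: the new answer paragraph (from "queries. Recent versions of it choose a new, random UDP" through "selecting random port numbers within a blocked range.") names the avoid-v4-udp-ports and avoid-v6-udp-ports options but, unlike the "query-source address * port 53;" programlisting it removes, gives no configuration snippet, so the reader has to look up the port-list syntax elsewhere; add a <programlisting> after that paragraph showing an options block with avoid-v4-udp-ports listing the blocked port or range. The added <warning> would also be stronger if its last sentence said why fixed ports are discouraged rather than only that it is "strongly recommended": a fixed query-source port switches off the source-port randomization the resolver relies on to resist forged answers, which is the reason the answer no longer suggests port 53.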