Update Question 13.3 (extra-named-port):
- Discourage the use of port 53 for outgoing DNS queries

PR: docs/127290
Submitted by: Aleksandr Stankevic <alex (at) braske (dot) net>
Approved by: gabor (mentor)
parent badca18c49
commit 93d1411ed3
Notes: svn2git, 2020-12-08 03:00:23 +00:00, svn path=/head/; revision=32993
1 changed file with 19 additions and 12 deletions
@@ -8479,23 +8479,30 @@ Key F15 A A Menu Workplace Nop</programlisting>
 
 <qandaentry>
 <question id="extra-named-port">
-<para>BIND (<command>named</command>) is listening on port 53
-and some other high-numbered port. What is going on?</para>
+<para>BIND (<command>named</command>) is listening on
+some high-numbered ports. What is going on?</para>
 </question>
 
 <answer>
 <para>BIND uses a random high-numbered port for outgoing
-queries. If you want to use port 53 for outgoing queries,
-either to get past a firewall or to make yourself feel
-better, you can try the following in
-<filename>/etc/namedb/named.conf</filename>:</para>
+queries. Recent versions of it choose a new, random UDP
+port for each query. This may cause problems for some
+network configurations, especially if a firewall blocks
+incoming UDP packets on particular ports. If you want to
+get past that firewall, you can try the
+<literal>avoid-v4-udp-ports</literal> and
+<literal>avoid-v6-udp-ports</literal> options to avoid
+selecting random port numbers within a blocked range.</para>
 
-<programlisting>options {
-query-source address * port 53;
-};</programlisting>
-
-<para>You can replace the <literal>*</literal> with a single
-IP address if you want to tighten things further.</para>
+<warning>
+<para>If a port number (like 53) is specified via the
+<literal>query-source</literal> or
+<literal>query-source-v6</literal> options in
+<filename>/etc/namedb/named.conf</filename>, randomized
+port selection will not be used. It is strongly
+recommended that these options not be used to specify
+fixed port numbers.</para>
+</warning>
 
 <para>Congratulations, by the way. It is good practice to
 read your &man.sockstat.1; output and notice odd
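Review bot: the rewritten <answer> names the avoid-v4-udp-ports and avoid-v6-udp-ports options but removes the only <programlisting> in this entry, so readers are told which options to use without being shown where they go or how they are written; consider keeping a short <programlisting> that places the two options inside options { ... }; in /etc/namedb/named.conf, in the same style as the removed "query-source address * port 53;" block. The new <warning> also says that fixing a port via query-source or query-source-v6 is "strongly recommended" against without saying why; a single clause noting that a fixed, predictable source port defeats the per-query randomization the preceding paragraph describes would make the recommendation self-explanatory rather than bare advice.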