Strongly discourage the use of the query-source option, and explain why.

Give a better example if a user absolutely must use this option, and suggest they pick something from the ephemeral port range rather than port 53. This means that the example will not work if it is merely uncommented, but this will hopefully encourage users to read the comment.
svn path=/head/; revision=180478
2008-07-12 10:00:36 +00:00 · 2008-07-12 10:00:36 +00:00 · 919dbc2969 · 2020-12-20 02:59:44 +00:00
commit 919dbc2969
parent 2e5453748e
1 changed files with 13 additions and 7 deletions
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@ -46,13 +46,19 @@ options {
 	};
 */
 	/*
-	 * If there is a firewall between you and nameservers you want
-	 * to talk to, you might need to uncomment the query-source
-	 * directive below.  Previous versions of BIND always asked
-	 * questions using port 53, but BIND versions 8 and later
-	 * use a pseudo-random unprivileged UDP port by default.
-	 */
-	// query-source address * port 53;
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
 };

 // If you enable a local name server, don't forget to enter 127.0.0.1