From 919dbc2969ee050c366a57a2636442ca0834c1f4 Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Sat, 12 Jul 2008 10:00:36 +0000 Subject: [PATCH] Strongly discourage the use of the query-source option, and explain why. Give a better example if a user absolutely must use this option, and suggest they pick something from the ephemeral port range rather than port 53. This means that the example will not work if it is merely uncommented, but this will hopefully encourage users to read the comment. --- etc/namedb/named.conf | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf index 865eee0f72b6..dd2d115db0be 100644 --- a/etc/namedb/named.conf +++ b/etc/namedb/named.conf @@ -46,13 +46,19 @@ options { }; */ /* - * If there is a firewall between you and nameservers you want - * to talk to, you might need to uncomment the query-source - * directive below. Previous versions of BIND always asked - * questions using port 53, but BIND versions 8 and later - * use a pseudo-random unprivileged UDP port by default. - */ - // query-source address * port 53; + Modern versions of BIND use a random UDP port for each outgoing + query by default in order to dramatically reduce the possibility + of cache poisoning. All users are strongly encouraged to utilize + this feature, and to configure their firewalls to accommodate it. + + AS A LAST RESORT in order to get around a restrictive firewall + policy you can try enabling the option below. Use of this option + will significantly reduce your ability to withstand cache poisoning + attacks, and should be avoided if at all possible. + + Replace NNNNN in the example with a number between 49160 and 65530. + */ + // query-source address * port NNNNN; }; // If you enable a local name server, don't forget to enter 127.0.0.1