Strongly discourage the use of the query-source option, and explain why.
Give a better example if a user absolutely must use this option, and suggest they pick something from the ephemeral port range rather than port 53. This means that the example will not work if it is merely uncommented, but this will hopefully encourage users to read the comment.
This commit is contained in:
parent
2e5453748e
commit
919dbc2969
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=180478
@ -46,13 +46,19 @@ options {
|
|||||||
};
|
};
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* If there is a firewall between you and nameservers you want
|
Modern versions of BIND use a random UDP port for each outgoing
|
||||||
* to talk to, you might need to uncomment the query-source
|
query by default in order to dramatically reduce the possibility
|
||||||
* directive below. Previous versions of BIND always asked
|
of cache poisoning. All users are strongly encouraged to utilize
|
||||||
* questions using port 53, but BIND versions 8 and later
|
this feature, and to configure their firewalls to accommodate it.
|
||||||
* use a pseudo-random unprivileged UDP port by default.
|
|
||||||
*/
|
AS A LAST RESORT in order to get around a restrictive firewall
|
||||||
// query-source address * port 53;
|
policy you can try enabling the option below. Use of this option
|
||||||
|
will significantly reduce your ability to withstand cache poisoning
|
||||||
|
attacks, and should be avoided if at all possible.
|
||||||
|
|
||||||
|
Replace NNNNN in the example with a number between 49160 and 65530.
|
||||||
|
*/
|
||||||
|
// query-source address * port NNNNN;
|
||||||
};
|
};
|
||||||
|
|
||||||
// If you enable a local name server, don't forget to enter 127.0.0.1
|
// If you enable a local name server, don't forget to enter 127.0.0.1
|
||||||
|
Loading…
Reference in New Issue
Block a user