MFC r180478, stronger wording to warn users about not using the

query-source option, and a better example.
2008-07-16 10:02:15 +00:00 · 2008-07-16 10:02:15 +00:00 · 625d894d61
commit 625d894d61
parent b49521f6e5
1 changed files with 13 additions and 7 deletions
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@ -48,13 +48,19 @@ options {
 	};
 */
 	/*
-	 * If there is a firewall between you and nameservers you want
-	 * to talk to, you might need to uncomment the query-source
-	 * directive below.  Previous versions of BIND always asked
-	 * questions using port 53, but BIND versions 8 and later
-	 * use a pseudo-random unprivileged UDP port by default.
-	 */
-	// query-source address * port 53;
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
 };

 // If you enable a local name server, don't forget to enter 127.0.0.1