From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 15:06:00 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 484AD106566C; Fri, 11 Jul 2008 15:06:00 +0000 (UTC) (envelope-from brett@lariat.net)
Received: from lariat.net (lariat.net [66.119.58.2]) by mx1.freebsd.org (Postfix) with ESMTP id BC7E48FC0C; Fri, 11 Jul 2008 15:05:59 +0000 (UTC) (envelope-from brett@lariat.net)
Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id IAA18639; Fri, 11 Jul 2008 08:54:52 -0600 (MDT)
Message-Id: <200807111454.IAA18639@lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 11 Jul 2008 08:54:48 -0600
To: Doug Barton , stef@memberwebs.com
From: Brett Glass
In-Reply-To: <4876A3FE.1070407@FreeBSD.org>
References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailman-Approved-At: Fri, 11 Jul 2008 15:09:20 +0000
Cc: "freebsd-security@freebsd.org" , Remko Lodder , secteam@freebsd.org, Andrew Storms
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 11 Jul 2008 15:06:00 -0000

Is there a way to restrict the ports which BIND selects -- perhaps at the expense of a small amount of entropy -- such that it doesn't try to use UDP ports which are administratively blocked (e.g. ports used by worms, or insecure Microsoft network utilities)? We don't dare turn these port blocks off, or naive users will fall prey to security holes in Microsoft products.

But if BIND doesn't know to work around them, lookups will occasionally (and infuriatingly!) fail.

--Brett Glass

At 06:06 PM 7/10/2008, Doug Barton wrote:
>First off, to those who were kind enough to offer thanks, "you're
>welcome." :)
>
>Second, one user wrote me privately to indicate that my statement in
>the first paragraph of my commit message was not clear. The point to
>this change is that for _each_ outgoing query a _new, random_ UDP
>source port is used, _as well as_ the standard query ID. (This is of
>course assuming that you do not have a port locked down in named.conf,
>which no one should at this point unless firewall rules outside of
>your control mandate it.) However, named is still picking a "random"
>UDP port on startup and locking it down (2 if you're also using IPv6)
>although it's not immediately clear to me why (I do have a query as to
>the reason in progress).
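The two named.conf situations discussed in this thread, side by side, as an added example (not configuration posted by either correspondent or shipped by the FreeBSD port): a resolver that pins its query source port, which throws away the per-query source-port randomization Doug describes, and one that leaves the port unpinned but tells named which UDP ports never to pick, which is the knob Brett is asking for. BIND 9's options statement accepts avoid-v4-udp-ports and avoid-v6-udp-ports for exactly this; the port numbers listed here are assumed examples of commonly firewalled Windows/NetBIOS and SQL Slammer ports and must be replaced with whatever the local filter actually blocks.

```conf
// --- Weak setting: source port pinned in named.conf ---------------------
// Every outgoing query leaves from UDP 53, so only the 16-bit query ID
// protects the cache against spoofed answers. Do not do this unless a
// firewall outside your control forces it.
options {
    directory "/etc/namedb";
    query-source address * port 53;
};

// --- Corrected setting: random source port, blocked ports excluded ------
// "port *" (or simply omitting the port clause) lets named choose a fresh
// random source port per query. The avoid lists remove ports that the
// site's egress filter drops, so a lookup never stalls on a port that
// will silently never get its reply. Excluding a handful of ports out of
// roughly 64K costs a negligible amount of entropy.
options {
    directory "/etc/namedb";
    query-source address * port *;
    query-source-v6 address * port *;

    // Assumed example values: NetBIOS/SMB (137-139, 445), MS RPC (135)
    // and SQL Slammer (1434). Use the ports your own ACLs block.
    avoid-v4-udp-ports { 135; 137; 138; 139; 445; 1434; };
    avoid-v6-udp-ports { 135; 137; 138; 139; 445; 1434; };
};
```

After editing, run named-checkconf against the file before reloading; a typo in either list is a syntax error rather than a silent no-op. If the egress firewall logs its drops, outbound UDP from the resolver's address with a source port in the blocked set is the signature of a lookup failing this way, and those log lines are the authoritative source for what belongs in the avoid lists. Later BIND 9 releases also accept use-v4-udp-ports / use-v6-udp-ports to bound the range named draws from; consult the Administrator Reference Manual for the installed version before relying on them.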