From: Alan Clegg
To: Jeremy Chadwick
Cc: Doug Barton, stef@memberwebs.com, freebsd-security@freebsd.org, secteam@freebsd.org, Brett Glass, Remko Lodder, Andrew Storms
Date: Fri, 11 Jul 2008 11:56:53 -0400
Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]
Message-ID: <487782C5.7050703@clegg.com>
In-Reply-To: <20080711151228.GA52385@eos.sc1.parodius.com>

Jeremy Chadwick wrote:
> On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
>> Is there a way to restrict the ports which BIND selects -- perhaps
>> at the expense of a small amount of entropy -- such that it doesn't
>> try to use UDP ports which are administratively blocked (e.g. ports
>> used by worms, or insecure Microsoft network utilities)? We don't
>> dare turn these port blocks off, or naive users will fall prey to
>> security holes in Microsoft products. But if BIND doesn't know to
>> work around them, lookups will occasionally (and infuriatingly!)
>> fail.
>
> query-source has an argument called "port" which will do what you want.
> That option *only* affects UDP queries, however; TCP queries are always
> random.

While query-source allows you to lock down to a single port, you DO NOT
WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
that the patch made you immune (well, safer) from.

What Brett (and others) need to do is risk the waters with the new beta
code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
control for the UDP ports to be used.

Please, PLEASE, do not introduce "query-source port XX" into your
configurations.

AlanC
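An added example, not from this thread or from BIND itself: a small Python audit that flags the pinned-port query-source setting Alan warns against, run over two constructed named.conf fragments, one with the weak setting and one that keeps random source ports and instead lists the administratively blocked ports. The avoid-v4-udp-ports option used in the second fragment is assumed to be the "fine-grained" UDP port control the mail attributes to the 9.4.3b2/9.5.1b1 betas.

```python
import re

# Constructed sample: the fixed-port configuration the mail warns against.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;   // pins every UDP query to port 53
};
"""

# Constructed sample: source ports stay random; the administratively
# blocked ports are simply excluded.  avoid-v4-udp-ports is assumed to be
# the "fine-grained" UDP port control the mail attributes to the betas.
SAFE_CONF = """
options {
    directory "/var/named";
    query-source address * port *;
    avoid-v4-udp-ports { 135; 137; 138; 139; 445; };
};
"""

# A query-source / query-source-v6 statement up to its terminating ';'.
_QS_RE = re.compile(r'(?<![\w-])(query-source(?:-v6)?)\b([^;]*);')
# The port clause inside it: either '*' (random) or a numeric port.
_PORT_RE = re.compile(r'\bport\s+(\*|\d+)(?!\d)')


def _strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out lines are ignored."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def audit_query_source(conf: str) -> list:
    """Return one finding per query-source statement that pins a numeric
    UDP port.  A fixed port discards the source-port entropy that makes
    spoofed answers hard to guess; 'port *' (or no port clause) keeps it."""
    findings = []
    for m in _QS_RE.finditer(_strip_comments(conf)):
        stmt, args = m.group(1), m.group(2)
        port = _PORT_RE.search(args)
        if port and port.group(1) != '*':
            findings.append(f"{stmt}: fixed UDP source port {port.group(1)} "
                            "removes source-port randomisation")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(name, audit_query_source(conf) or "ok")
```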