[isp-dns] Re: BIND 9 port usage
On Tue, May 27, 2003 at 11:10:38AM -0600, Jim McAtee wrote:
> I just upgraded my two Win2k DNS servers (both are authoritative and permit
> recursion) to BIND 9.2.2 from BIND 8.
>
> I'm running into problems resolving recursive queries as well as having some
> problems processing transfers. I've got logging for notifies and xfers in
> and out set to debug 3. There's a third off-site authoritative server that
> hasn't changed and the xfer-out don't end up in the logs.
>
> I'm pretty sure the main problem lies with ports being blocked at the
> firewall. I'm permitting port 53 UDP and TCP in and out. Nothing else.
> This seemed to have worked fine for BIND 8, but not BIND 9. Were there
> changes in port usage, or did I always have the firewall fubared?
>
see query-source and transfer-source
Permitting only port 53 in and out is a broken firewall configuration
unless you specifically configure named to only talk on port 53. Doing
that is probably a mistake, because you significantly limit the space of
host-port-sequence number combinations. Limiting yourself to only port
53 outbound actually reduces the security of your DNS infrastructure.
-Pete
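The query-source and transfer-source settings Pete points to, as an added example that is not part of the original thread: a constructed named.conf fragment with every outbound source port pinned to 53 (the setting he warns against) next to the default form, plus a small Python check that flags pinned source ports in a config text. The statement names are BIND 9 options; the configuration text and the checker are constructed for this example.

```python
import re

# Constructed named.conf fragments for this example. The first pins every
# outbound source port to 53; the second leaves the port unspecified, so
# BIND 9 picks a random ephemeral source port for each query.
WEAK_CONF = """
options {
    query-source address * port 53;
    transfer-source * port 53;
    notify-source * port 53;
};
"""

FIXED_CONF = """
options {
    query-source address *;   // random source port per query (BIND 9 default)
    transfer-source *;
    notify-source *;
};
"""

# Statements whose "port N" clause fixes the source port of outbound traffic.
# Longer names go first so "query-source" cannot match inside "query-source-v6".
SOURCE_STMTS = sorted(("query-source", "query-source-v6", "transfer-source",
                       "transfer-source-v6", "notify-source", "notify-source-v6"),
                      key=len, reverse=True)

_STMT_RE = re.compile(r"\b(?P<stmt>%s)\b(?P<args>[^;]*);"
                      % "|".join(re.escape(s) for s in SOURCE_STMTS))
_PORT_RE = re.compile(r"\bport\s+(?P<port>\d+|\*)")

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def find_pinned_source_ports(conf_text):
    """Return [(statement, port)] for every *-source statement pinned to one port."""
    pinned = []
    for m in _STMT_RE.finditer(strip_comments(conf_text)):
        p = _PORT_RE.search(m.group("args"))
        if p and p.group("port") != "*":
            pinned.append((m.group("stmt"), int(p.group("port"))))
    return pinned

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", find_pinned_source_ports(conf) or "no pinned source ports")
```

The firewall side follows from the default form: outbound queries leave from any ephemeral port to remote port 53, so a rule set that only passes source port 53 drops the replies to those queries.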