[dns-operations] DNS Issue
Warren Kumari
warren at kumari.net
Thu Apr 25 17:27:51 UTC 2013
On Apr 25, 2013, at 11:35 AM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:
>
> On Apr 24, 2013, at 10:32 PM, Jason Bratton wrote:
>
>> I'm not saying I agree with that practice, but I can definitely imagine it happening.
>
> Concur.
>
> If folks are running nameds which *don't* support source-port randomization, they need to patch/upgrade anyway.
I think that in many cases it is not that the named version doesn't support randomization, but rather that they / their firewall group believes that "DNS should only be allowed on port 53 (and UDP, natch)".
I've seen this in a number of organizations (and some fairly complex iptables rules to rewrite the random source ports to be 53 (because setting 'query-source' is… well… who knows…)).
Not saying that this is reasonable, but not all nameds that source from 53 are necessarily old.
W
>
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
--
She'd even given herself a middle initial - X - which stood for "someone who has a cool and exciting middle name".
-- (Terry Pratchett, Maskerade)
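The two ways of ending up with a port-53-sourced resolver that Warren describes (a literal port in BIND's query-source, or a NAT rule on the firewall rewriting the random source port back to 53) are both easy to audit from the configuration files alone. The following is an added example written for this page, not code from the thread or from ISC; it parses a constructed named.conf fragment and a constructed iptables-save fragment, reports any directive that pins the source port, and shows the cost of doing so: with the port fixed, an attacker racing a legitimate answer only has to guess the 16-bit transaction ID rather than the TXID plus the port. Function names, the sample addresses and the assumption of IPv4-only SNAT are mine.

```python
import math
import re

# Constructed sample inputs (not from the original thread): each pair shows the
# weak form beside the corrected form.
NAMED_CONF_WEAK = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

NAMED_CONF_FIXED = """
options {
    directory "/var/named";
    query-source address *;
    query-source-v6 address *;
};
"""

IPTABLES_WEAK = """
*nat
-A POSTROUTING -o eth0 -p udp --dport 53 -j SNAT --to-source 192.0.2.10:53
COMMIT
"""

IPTABLES_FIXED = """
*nat
-A POSTROUTING -o eth0 -p udp --dport 53 -j SNAT --to-source 192.0.2.10
COMMIT
"""

# query-source [address <addr>] [port <port>];  -- a literal port (rather than
# '*' or no port clause at all) pins every outgoing query to that port.
QUERY_SOURCE_RE = re.compile(
    r"^\s*query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\S+)\s*;", re.M)

# SNAT --to-source addr[:port[-port]] and MASQUERADE --to-ports port[-port]
# both rewrite the source port of matching packets. IPv4 addresses assumed.
SNAT_PORT_RE = re.compile(
    r"-j\s+SNAT\s+--to-source\s+[\d.]+(?:-[\d.]+)?:(\d+(?:-\d+)?)"
    r"|-j\s+MASQUERADE\s+--to-ports\s+(\d+(?:-\d+)?)")


def named_fixed_ports(conf):
    """Ports pinned by query-source / query-source-v6 directives ('*' ignored)."""
    return [p for p in QUERY_SOURCE_RE.findall(conf) if p != "*"]


def nat_port_rewrites(rules):
    """(rule, port_spec) for every NAT rule that sets the source port."""
    found = []
    for line in rules.splitlines():
        m = SNAT_PORT_RE.search(line)
        if m:
            found.append((line.strip(), m.group(1) or m.group(2)))
    return found


def port_bits(port_spec):
    """Bits of source-port entropy left to an attacker given a port spec
    such as '53' (a single port) or '1024-65535' (a range)."""
    if "-" in port_spec:
        lo, hi = (int(x) for x in port_spec.split("-"))
        return math.log2(hi - lo + 1)
    return 0.0


def guess_space_bits(port_spec):
    """Total bits a spoofed answer must match: 16-bit TXID plus the port."""
    return 16 + port_bits(port_spec)


def audit(named_conf, iptables_rules):
    """Human-readable findings; empty list means nothing pins the port."""
    findings = []
    for p in named_fixed_ports(named_conf):
        findings.append(
            f"named pins query source port to {p}: "
            f"spoofed answer needs {guess_space_bits(p):.0f} bits")
    for rule, spec in nat_port_rewrites(iptables_rules):
        findings.append(
            f"NAT rewrites source port to {spec} "
            f"({guess_space_bits(spec):.1f} bits): {rule}")
    return findings


if __name__ == "__main__":
    for f in audit(NAMED_CONF_WEAK, IPTABLES_WEAK):
        print("WEAK :", f)
    print("FIXED:", audit(NAMED_CONF_FIXED, IPTABLES_FIXED) or "no findings")
```

Run it against a real named.conf and the output of iptables-save (or nft list ruleset with the regex adapted) on the resolver and on any NAT device in front of it; a clean named config is not enough if the firewall group has quietly undone it one hop downstream, which is exactly the situation the thread describes.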