[dns-operations] DNS Issue

Warren Kumari warren at kumari.net
Thu Apr 25 17:27:51 UTC 2013

On Apr 25, 2013, at 11:35 AM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:

> On Apr 24, 2013, at 10:32 PM, Jason Bratton wrote:
>> I'm not saying I agree with that practice, but I can definitely imagine it happening.
> Concur.
> If folks are running nameds which *don't* support source-port randomizations, they need to patch/upgrade, anyways.

I think that in many cases it is not that the named version doesn't support randomization, but rather that they / their firewall group believes that "DNS should only be allowed on port 53 (and UDP, natch)".
I've seen this in a number of organizations (and some fairly complex iptables rules to rewrite the random source ports to be 53 (because setting 'query-source' is… well… who knows…)).

Not saying that this is reasonable, but not nameds that source from 53 are necessarily old….


> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 	  Luck is the residue of opportunity and design.
> 		       -- John Milton
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

She'd even given herself a middle initial - X - which stood for "someone who has a cool and exciting middle name".

    -- (Terry Pratchett, Maskerade)

More information about the dns-operations mailing list