Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
>
> BIND version 9.4.1 running in a chroot jail.
First off, 9.4.3 has been out for a while now, and has the query source port randomization features that you want. You should read more about it on the ISC web site.

Second, it's not clear what you're trying to accomplish. If the hosts that will be querying this name server are inside the firewall, there is no reason that you should have to open port 53 from the outside world (except perhaps from the master name server(s)).

To intelligently answer your question, you're going to have to provide more details.

Doug

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
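As an added example (not part of the thread and not ISC's own text), here is a named.conf fragment for a slave server that shows the two points Doug makes: do not pin the outgoing query source port, and expose port 53 only where it is needed. The addresses are placeholders: 192.0.2.1 stands for the master and 192.0.2.0/24 for the internal network that is allowed to recurse through this server.

```conf
options {
    directory "/var/named";    // placeholder path inside the chroot

    // WEAK: a fixed source port makes every outgoing query predictable,
    // which is exactly what the Kaminsky cache-poisoning attack relies on.
    // query-source address * port 53;

    // CORRECTED: no "port" clause, so named (9.4.3 and later) chooses a
    // random ephemeral source port for each outgoing query.
    query-source address *;

    // Only the internal network may use this server as a recursive
    // resolver; the outside world gets authoritative answers only.
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // placeholder range

    // A slave does not need to hand out zone transfers.
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };          // placeholder master address
    allow-notify { 192.0.2.1; };     // only the master may send NOTIFY
    allow-query { any; };            // authoritative data may be public
    file "slaves/example.com";
};
```

With this layout the only inbound port 53 traffic the slave needs from outside is NOTIFY from the master; zone transfers are started by the slave itself, so they are outbound TCP 53 from the slave's point of view. Because outgoing queries now leave from random ports, the firewall in front of the server must allow the replies back to those ephemeral ports (a stateful rule rather than a fixed "port 53 to port 53" rule). Whether randomization is actually in effect can be checked from the server with a TXT query for porttest.dns-oarc.net, the DNS-OARC port randomness test.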