On 2022-02-11 16:20, Tim Daneliuk via bind-users wrote:

After some months of poking around, we are now certain that our so-called "Business"
service from Comcast is compromising our DNS servers because of their
execrable "Security Edge" garbage.  (They are willing to remove this 'service'
only if we are willing to incur a higher monthly recurring fee.)

Our master is in the wild and works fine, but the slave is behind the compromised
Comcast pipe.  The effect of having Security Edge in place is that the
slave cannot get updates from the master and is also unable to resolve
anything outside our own zone.   Comcast is apparently hijacking all port
53 requests and doing unspeakable things with them.

Is there a way to have these servers work as usual, listening to resolution
requests on port 53, but have the slave update AND forward requests to the
master over a non-standard port, so as to work around the Comcast madness?

TIA,
Tim

P.S. My guess is that this so-called "security" service is no such thing, or at
least it's not the only thing.  They are probably harvesting DNS lookups
to sell as marketing data, or at least that would be my first guess.

If BIND cannot be configured to avoid a port blocking or filtering 3rd
party filter between two of your own servers, the obvious solution is
to use a traditional VPN solution such as DNSSEC or OpenVPN to encrypt
all traffic between the two servers.  That should pass through any ISP
filters that don't block work-from-home VPNs.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
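For the port question Tim asked (keep port 53 for clients, but carry the slave's zone transfers and forwarded queries to the master on a different port), the following named.conf fragments are an added illustration, not configuration from anyone in this thread. The zone name, the master address 192.0.2.1, the slave address 198.51.100.2 and the alternate port 5353 are assumed placeholders.

```conf
## Master ("primary"), on the unfiltered side - assumed address 192.0.2.1
options {
    directory "/var/named";
    # Normal service for everyone stays on 53; the extra listener on 5353
    # is the channel the slave will use past the port-53 intercept.
    listen-on port 53   { any; };
    listen-on port 5353 { 192.0.2.1; };
    # Only the slave may recurse through this server (it forwards here).
    recursion yes;
    allow-recursion { 198.51.100.2; };
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 198.51.100.2; };
    # NOTIFY the slave on its usual port; the slave then pulls via 5353.
    also-notify { 198.51.100.2 port 53; };
};

## Slave ("secondary"), behind the filtering link - assumed 198.51.100.2
options {
    directory "/var/named";
    listen-on port 53 { any; };          # clients still talk to 53
    # Everything this server cannot answer itself goes to the master on
    # 5353 instead of to the ISP-intercepted port 53 path.
    forwarders { 192.0.2.1 port 5353; };
    forward only;
    recursion yes;
};

zone "example.net" {
    type slave;
    file "slaves/example.net.zone";
    # AXFR/IXFR and SOA refresh checks go to the master's 5353 listener.
    masters { 192.0.2.1 port 5353; };
};
```

This only moves the traffic off port 53; it is still cleartext DNS, so an ISP that inspects all flows rather than just port 53 would still see it, which is why the VPN approach in the reply above is the stronger fix. Verify with `dig @198.51.100.2 example.net SOA` on the slave and check its log for a successful "transfer of 'example.net/IN'" after a `rndc notify example.net` on the master.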
