Hi,

there’s really nice documentation for BIND 9, and it’s even online and has a 
section on “port”: 
https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-port

Also don’t limit the outgoing ports to a single number - that’s a bad security 
practice; you should be using the full range if possible.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.
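As an added example (not from Ondrej, Vikas or ISC), here is the options block from the quoted named.conf rearranged so that the non-standard port applies only to where named listens. Per the port documentation linked above, a global `port` changes the default port for everything named sends, which is why NOTIFYs to NS hosts went to 15010 while the also-notify entries still went to 53; `notify explicit` additionally restricts NOTIFY to the listed targets. Addresses and paths are the ones from the thread, the acl name is assumed to be defined elsewhere, and the loopback listen address is kept as posted.

```conf
options {
        directory "/var/opt/named";
        pid-file "/var/opt/run/named.pid";
        allow-transfer { theAllServers; };   # acl assumed to be defined elsewhere
        allow-query { any; };
        zone-statistics no;
        max-cache-size 14297m;
        max-journal-size 1048576;

        # Send NOTIFY only to the also-notify list below, not to every NS host
        # of the zone as well, so each secondary gets a single message.
        notify explicit;

        # No global "port 15010;" here: that statement sets the default port for
        # traffic named *sends* as well as receives, which is what produced the
        # extra NOTIFYs to the secondaries on 15010/20598.
        # The non-standard port is applied only to the listening socket.
        listen-on port 15010 { 127.0.0.1; };   # address as in the original post

        # Explicit destination port for each secondary, which runs on 53.
        also-notify {
                10.1.2.4 port 53;
                10.1.2.5 port 53;
        };

        # Outgoing source ports are left at the default (randomized over the
        # full range). Do not add a fixed "query-source ... port N" or
        # "notify-source ... port N": pinning the source port disables
        # source-port randomization, which is the point Ondrej makes above.
};
```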

> On 16. 12. 2022, at 7:26, Vikas Sharma <er.sharmavi...@gmail.com> wrote:
> 
> 
> Hi Team,
>  
> We have the following configuration in my named.conf,
> where the named process on the primary DNS is listening on port 15010,
> whereas the secondary DNS is running on port 53.
> All notifications to the secondary DNS are forwarded to destination port 53 from 
> the primary DNS. 
>  
> Now when I add the tag port 15010 in the options clause on the primary DNS, I see 
> some notification messages being forwarded to the secondary DNS on dest port 
> 15010. These messages are in addition to the notifications to the secondary DNS with 
> dest port 53.
> Changing the port value from 15010 to 20598 sends notifications to the secondary DNS 
> on dest port 20598 in addition to the notifications to the secondary on port 53.
>  
> I have a firewall on the secondary DNS which is rejecting all packets on port 
> 15010/20598.
> I see that all my data is populated on the secondary DNS without any problem due 
> to the notifications to the secondary DNS on port 53.
>  
> My query is why named is sending notifications to the secondary DNS on port 
> 15010/20598 when the regular notification is also going to the secondary DNS on port 
> 53.
>  
>  
> acl theAllServers {
>          thePrimary;
>          theSecondary;
>          localhost;
> };
>  
> options {
>          directory "/var/opt/named";
>          pid-file "/var/opt/run/named.pid";
>          allow-transfer { theAllServers; };
>          allow-query { any; };
>          zone-statistics no;
>          notify yes;
>          max-cache-size 14297m;
>          max-journal-size 1048576;
>          port 15010;    # used 20598 as well instead of 15010
>          listen-on port 15010 { 127.0.0.1; };
>          also-notify {
>                  10.1.2.4 port 53;
>                  10.1.2.5 port 53;
>          };
> };
> 
> Best Regards,
> Vikas Sharma
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users