In message <201206122327.q5cnru5s077...@aurora.sol.net>, Joe Greco writes:
> > In message <alpine.lsu.2.00.1206121230490.2...@hermes-2.csi.cam.ac.uk>, Ton
> y Fi
> > nch writes:
> > > Mark Andrews <ma...@isc.org> wrote:
> > > >
> > > > Perhaps because it is a legitimate, though unwise, client source port
> > > > that is in lots of old configurations.
> > > >
> > > > listen-on { <internal address>; };
> > > > query-source * port 53;
> > >
> > > I did this back in the 1990s because it worked around occasional interop
> > > problems, I think caused by over-enthusiastic firewall configurations tha
> t
> > > thought all DNS (queries and responses) should be on port 53. Several
> > > years ago I found that things had changed and the popular over-
> > > enthusiastic firewall configuration requires DNS query source ports to be
> > > greater than 1023.
> >
> > Both firewall configuration are broken. You don't look at source
> > ports if you are offering a service.
>
> Sure you can. And sometimes do. That's what the whole privileged port
> thing is about, right? Sometimes it is desirable to constrain the
> possibilities for various reasons.
Even then you don't examine it in the firewall as those service
still accept connections from non-reserved ports. You just get
extra functionality if you come from a known machine using a source
port less than 1024.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
