From nobody@FreeBSD.org  Thu Sep 11 07:21:21 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 740DA1065680
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 11 Sep 2008 07:21:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5EEB88FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 11 Sep 2008 07:21:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m8B7LKjA079113
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 11 Sep 2008 07:21:20 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m8B7LKaV079112;
	Thu, 11 Sep 2008 07:21:20 GMT
	(envelope-from nobody)
Message-Id: <200809110721.m8B7LKaV079112@www.freebsd.org>
Date: Thu, 11 Sep 2008 07:21:20 GMT
From: Aleksandr Stankevic <alex@braske.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FAQ book: discourage the use of port 53 for outgoing DNS queries
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127290
>Category:       docs
>Synopsis:       FAQ book: discourage the use of port 53 for outgoing DNS queries
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pgj
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 11 07:30:02 UTC 2008
>Closed-Date:    Thu Oct 02 13:19:52 UTC 2008
>Last-Modified:  Thu Oct 02 13:19:52 UTC 2008
>Originator:     Aleksandr Stankevic
>Release:        
>Organization:
>Environment:
>Description:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#EXTRA-NAMED-PORT

-- quote --
BIND uses a random high-numbered port for outgoing queries. If you want to use port 53 for outgoing queries, either to get past a firewall or to make yourself feel better, you can try the following in /etc/namedb/named.conf:

options {
        query-source address * port 53;
};

You can replace the * with a single IP address if you want to tighten things further.
-- quote --

We should discourage the use of query-source address * port 53 because of the latest vulnerability in DNS.
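The following check is an added illustration for this PR, not FreeBSD, ISC BIND or the submitter's code. It scans the option statements of a named.conf and flags every query-source / query-source-v6 statement that pins a numeric UDP source port (the setting the quoted FAQ text recommends), while accepting "port *" and address-only statements, which leave BIND free to randomize the port per query. Both sample configurations are constructed for the example; the "range" form used inside avoid-v4-udp-ports / avoid-v6-udp-ports in the safe one is an assumption about BIND's port-list grammar and is only linted here, never loaded into a server.

```python
"""Flag named.conf statements that pin the resolver's UDP source port.

Added illustration for this PR; not FreeBSD or ISC BIND code.  Only the
subset of named.conf syntax needed here is understood: statements that end
in ';' and '#', '//' and '/* */' comments.
"""
import re

# Two configurations, constructed for this example (not taken from a real host).
# WEAK_CONF is what the old FAQ text suggested: every outgoing query leaves
# from UDP port 53, so the source port is known to anyone spoofing answers.
WEAK_CONF = """
options {
        // the setting the FAQ used to recommend
        query-source address * port 53;
        query-source-v6 address * port 53;
};
"""

# SAFE_CONF pins only the source address and steers the random port away from
# a range a firewall is assumed to drop.  The `range` form of the port list is
# an assumption about BIND's grammar; this text is linted, not loaded.
SAFE_CONF = """
options {
        /* address only: the port is still chosen at random per query */
        query-source address 192.0.2.53;
        query-source-v6 address 2001:db8::53;
        avoid-v4-udp-ports { range 3000 3999; };
        avoid-v6-udp-ports { range 3000 3999; };
};
"""

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"(//|#).*")
_QUERY_SOURCE = re.compile(r"\b(query-source(?:-v6)?)\s+([^;]*);")
_PORT_CLAUSE = re.compile(r"\bport\s+(\S+)")


def strip_comments(text):
    """Remove block and line comments so a 'port' inside a comment is not flagged."""
    return _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", text))


def fixed_source_ports(conf):
    """Return [(statement, port), ...] for each query-source / query-source-v6
    statement that names a specific port.  'port *' and a statement without a
    port clause are accepted: BIND then picks a random port for each query."""
    findings = []
    for match in _QUERY_SOURCE.finditer(strip_comments(conf)):
        statement, args = match.group(1), match.group(2)
        port = _PORT_CLAUSE.search(args)
        if port is None or port.group(1) == "*":
            continue
        value = port.group(1)
        findings.append((statement, int(value) if value.isdigit() else value))
    return findings


def report(conf):
    """Human-readable verdict, for running the script by hand."""
    findings = fixed_source_ports(conf)
    if not findings:
        return "OK: no fixed source port; BIND will randomize per query"
    return "\n".join(
        f"WARNING: {stmt} pins UDP source port {port}; drop the 'port' clause"
        for stmt, port in findings
    )


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(f"[{label}]\n{report(conf)}\n")
```

Running the script prints a warning for each pinned port in WEAK_CONF and an OK verdict for SAFE_CONF; pointing fixed_source_ports() at the contents of /etc/namedb/named.conf gives the same check on a live host.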
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->pgj 
Responsible-Changed-By: pgj 
Responsible-Changed-When: Thu Sep 11 11:38:38 UTC 2008 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127290 

From: Gabor PALI <pgj@FreeBSD.org>
To: Aleksandr Stankevic <alex@braske.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/127290: FAQ book: discourage the use of port 53 for outgoing
 DNS queries
Date: Mon, 29 Sep 2008 11:04:10 +0200

 Hello Aleksandr,
 
 How do you like this patch?  Please review and comment on it.
 
 Thanks,
 :g
 
 
 Attachment: 127290.patch.diff
 
 Index: book.sgml
 ===================================================================
 RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/faq/book.sgml,v
 retrieving revision 1.1099
 diff -u -r1.1099 book.sgml
 --- book.sgml	21 Aug 2008 20:53:08 -0000	1.1099
 +++ book.sgml	26 Sep 2008 16:33:10 -0000
 @@ -8479,23 +8479,30 @@
  
        <qandaentry>
  	<question id="extra-named-port">
 -	  <para>BIND (<command>named</command>) is listening on port 53
 -	    and some other high-numbered port.  What is going on?</para>
 +	  <para>BIND (<command>named</command>) is listening on
 +	    some high-numbered ports.  What is going on?</para>
  	</question>
  
  	<answer>
  	  <para>BIND uses a random high-numbered port for outgoing
 -	    queries.  If you want to use port 53 for outgoing queries,
 -	    either to get past a firewall or to make yourself feel
 -	    better, you can try the following in
 -	    <filename>/etc/namedb/named.conf</filename>:</para>
 -
 -	  <programlisting>options {
 -        query-source address * port 53;
 -};</programlisting>
 +	    queries.  Recent versions of it choose a new, random UDP
 +	    port for each query.  This may cause problems for some
 +	    network configurations, especially if a firewall blocks
 +	    incoming UDP packets on particular ports.  If you want to
 +	    get past that firewall, you can try the
 +	    <literal>avoid-v4-udp-ports</literal> and
 +	    <literal>avoid-v6-udp-ports</literal> options to avoid
 +	    selecting random port numbers within a blocked range.</para>
  
 -	  <para>You can replace the <literal>*</literal> with a single
 -	    IP address if you want to tighten things further.</para>
 +	  <warning>
 +	    <para>If a port number (like 53) is specified via the
 +	      <literal>query-source</literal> or
 +	      <literal>query-source-v6</literal> options in
 +	      <filename>/etc/namedb/named.conf</filename>, randomized
 +	      port selection will not be used.  It is strongly
 +	      recommended that these options not be used to specify
 +	      fixed port numbers.</para>
 +	  </warning>
  
  	  <para>Congratulations, by the way.  It is good practice to
  	    read your &man.sockstat.1; output and notice odd
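 Review bot: the new warning tells the reader not to give query-source / query-source-v6 a fixed port number, but the hunk also removes the old "You can replace the * with a single IP address" paragraph, so nothing in the answer now says that pinning the source address alone (a query-source statement with an address and no port clause) is still acceptable and keeps randomized port selection; one sentence to that effect would close the gap. The replacement text also names avoid-v4-udp-ports and avoid-v6-udp-ports without the programlisting the old answer had, so the reader no longer sees that these belong in the options block of named.conf; consider restoring a short listing showing them in place.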
 

From: Aleksandr Stankevic <alex@elpastas.lt>
To: Gabor PALI <pgj@FreeBSD.org>
Cc: Aleksandr Stankevic <alex@braske.net>, freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/127290: FAQ book: discourage the use of port 53 for
	outgoing DNS queries
Date: Tue, 30 Sep 2008 14:11:13 +0300

 (re-mailing with CC to gnats)
 
 Sounds fine to me.
 
 
 On Mon, 2008-09-29 at 11:04 +0200, Gabor PALI wrote:
 > Hello Aleksandr,
 >
 > How do you like this patch?  Please review and comment on it.
 >
 > Thanks,
 > :g
 >
 > plain text document attachment (127290.patch.diff)
 > Index: book.sgml
 > ===================================================================
 > RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/faq/book.sgml,v
 > retrieving revision 1.1099
 > diff -u -r1.1099 book.sgml
 > --- book.sgml	21 Aug 2008 20:53:08 -0000	1.1099
 > +++ book.sgml	26 Sep 2008 16:33:10 -0000
 > @@ -8479,23 +8479,30 @@
 > =20
 >        <qandaentry>
 >  	<question id=3D"extra-named-port">
 > -	  <para>BIND (<command>named</command>) is listening on port 53
 > -	    and some other high-numbered port.  What is going on?</para>
 > +	  <para>BIND (<command>named</command>) is listening on
 > +	    some high-numbered ports.  What is going on?</para>
 >  	</question>
 > =20
 >  	<answer>
 >  	  <para>BIND uses a random high-numbered port for outgoing
 > -	    queries.  If you want to use port 53 for outgoing queries,
 > -	    either to get past a firewall or to make yourself feel
 > -	    better, you can try the following in
 > -	    <filename>/etc/namedb/named.conf</filename>:</para>
 > -
 > -	  <programlisting>options {
 > -        query-source address * port 53;
 > -};</programlisting>
 > +	    queries.  Recent versions of it choose a new, random UDP
 > +	    port for each query.  This may cause problems for some
 > +	    network configurations, especially if a firewall blocks
 > +	    incoming UDP packets on particular ports.  If you want to
 > +	    get past that firewall, you can try the
 > +	    <literal>avoid-v4-udp-ports</literal> and
 > +	    <literal>avoid-v6-udp-ports</literal> options to avoid
 > +	    selecting random port numbers within a blocked range.</para>
 > =20
 > -	  <para>You can replace the <literal>*</literal> with a single
 > -	    IP address if you want to tighten things further.</para>
 > +	  <warning>
 > +	    <para>If a port number (like 53) is specified via the
 > +	      <literal>query-source</literal> or
 > +	      <literal>query-source-v6</literal> options in
 > +	      <filename>/etc/namedb/named.conf</filename>, randomized
 > +	      port selection will not be used.  It is strongly
 > +	      recommended that these options not be used to specify
 > +	      fixed port numbers.</para>
 > +	  </warning>
 > =20
 >  	  <para>Congratulations, by the way.  It is good practice to
 >  	    read your &man.sockstat.1; output and notice odd
 -- 
 Aleksandr Stankevic
 UNIX system administrator
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/127290: commit references a PR
Date: Thu,  2 Oct 2008 12:33:04 +0000 (UTC)

 pgj         2008-10-02 12:32:56 UTC
 
   FreeBSD doc repository
 
   Modified files:
     en_US.ISO8859-1/books/faq book.sgml 
   Log:
   Update Question 13.3 (extra-named-port):
   - Discourage the use of port 53 for outgoing DNS queries
   
   PR:     docs/127290
   Submitted by:   Aleksandr Stankevic <alex (at) braske (dot) net>
   Approved by:    gabor (mentor)
   
   Revision  Changes    Path
   1.1100    +19 -12    doc/en_US.ISO8859-1/books/faq/book.sgml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: pgj 
State-Changed-When: Thu Oct 2 13:13:34 UTC 2008 
State-Changed-Why:  
I have committed the patch I offered.  Thank you for your cooperation 
and for your suggestion. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127290 
>Unformatted:
