ConfigServer Community Forum

Hi,

I recently put up a new DNS server using 'bind9' and installed CSF.

I prefer to filter outgoing traffic, as much as possible, as well as incoming.

In the past, I allowed port 53 TCP and UDP in both incoming and outgoing directions with TCP_IN, TCP_OUT, UDP_IN and UDP_OUT.

However, apparently, by default and for security reasons, Bind9 uses random source ports for outside lookups. This can apparently be modified with a named.conf configuration option like:
which is what I'm doing for the moment, but it logs this at startup:
Does anyone have any suggestions to me for running Bind9 with CSF?

Thanks in advance,

G

We're running Bind 9.8.2 with CSF but don't even use that query-source address line in the named.conf and still everything is working.
Bind 9 does uses random (high) source ports to query other nameservers.
Why should you want your server to query other nameservers when it can query it's own local nameserver for lookups?
That's the way we are doing it. It's doing that automatically.

On our servers, we also filter outbound traffic so the "random (high) source ports" are blocked. We only allow specific (minimal) outbound traffic to limit what a compromised server can do.

I also found this comment in csf.conf, which sounds somewhat pertinent:
Evidently, this is also well known in the Bind world and I just have to use the Bind9 configuration option:
Thanks,

G